FBI: Royal ransomware asked 350 victims to pay $275 million

The FBI and CISA revealed in a joint advisory that the Royal ransomware gang has breached the networks of at least 350 organizations worldwide since September 2022.

In an update to the original advisory published in March with additional information discovered during FBI investigations, the two agencies also noted that the ransomware operation is linked to more than $275 million in ransom demands.

"Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded 275 million USD," the advisory reads.

"Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors."

In March, the FBI and CISA first shared indicators of compromise and a list of tactics, techniques, and procedures (TTPs) to help defenders detect and block attempts to deploy Royal ransomware payloads on their networks.

The joint advisory was issued after the Department of Health and Human Services (HHS) security team revealed in December 2022 that the ransomware operation was behind multiple attacks against U.S. healthcare organizations.

Royal to BlackSuit

The advisory update also notes that Royal could plan a rebranding initiative and/or a spinoff variant, with BlackSuit ransomware exhibiting several coding characteristics shared with Royal.

While it was believed that the Royal ransomware operation would rebrand in May, when the BlackSuit ransomware operation surfaced, this never happened then.

BleepingComputer reported in June that the Royal ransomware gang was testing a new BlackSuit encryptor, which shared many similarities with the operation's usual encryptor.

At the time, Yelisey Bohuslavskiy, Partner and Head of Research and Development at RedSense, told BleepingComputer that the gang's experiment with the BlackSuit locker did not appear to go well.

Since then, though, Royal managed to rebrand into BlackSuit and reorganized into a more centralized operation, similar to the model they used when they were part of the Conti syndicate as Team 2 (Conti2).

The researcher added that the current organization of the group is in contrast with how they operated at the beginning of 2023 when "Royal used a decentralized model operating as a conglomerate of small teams rather than one hierarchically built syndicate."

Conti cybercrime gang links

Royal Ransomware is a private operation of highly skilled threat actors known for previously working with the infamous Conti cybercrime gang.

They rebranded into Quantum ransomware after the split from Conti and later adopted the Royal name.

Despite being first spotted in January 2022, their malicious activities have only increased in intensity since September of the same year.

While they initially used ransomware encryptors from other operations like ALPHV/BlackCat, likely to avoid drawing attention, the gang has since shifted to deploying their own tools.

While their first encryptor, Zeon, dropped ransom notes reminiscent of those generated by Conti, they switched to the Royal encryptor after undergoing a rebranding in mid-September 2022. More recently, the malware has been upgraded to encrypt Linux devices in attacks targeting VMware ESXi virtual machines.

Even though they typically infiltrate targets' networks by exploiting security vulnerabilities in publicly accessible devices, Royal operators are also known for callback phishing attacks.

During these attacks, when targets dial the phone numbers embedded in emails cleverly disguised as subscription renewals, the attackers leverage social engineering tactics to trick the victims into installing remote access software, granting them access to the targeted network.

The modus operandi of Royal operators involves encrypting their targets' enterprise systems and demanding substantial ransoms ranging from $250,000 to tens of millions per attack.