Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

Royal Ransomware Possibly Rebranding After Targeting 350 Organizations Worldwide

CISA says Royal ransomware has targeted 350 organizations to date, demanding over $275 million in ransoms.

Ransomware reporting requirements

The Royal ransomware gang has targeted at least 350 organizations worldwide, with their ransom demands exceeding $275 million, and the cybercriminals may be preparing to rebrand their operation, the US cybersecurity agency CISA and the FBI say in an updated alert.

Active since at least September 2022, Royal has been used in attacks against entities in critical infrastructure, education, healthcare, and manufacturing sectors, making ransom demands ranging between $1 million and $11 million, in Bitcoin.

In March 2023, CISA and the FBI issued an alert on the Royal ransomware operation, urging organizations to implement security best practices to protect their environments against Royal and other ransomware attacks.

On Monday, the two US agencies updated their advisory to provide additional indicators of compromise (IoCs) associated with Royal attacks, and to update the list of observed tactics, techniques, and procedures (TTPs).

The update also warns of a potential rebranding of the operation, or at least a spin-off, pointing out that “Blacksuit ransomware shares a number of identified coding characteristics similar to Royal.”

Believed to be operated by a private group, rather than a ransomware-as-a-service (RaaS) operation, Royal typically relies on phishing for initial access.

The group was also seen abusing remote desktop protocol (RDP), exploiting vulnerabilities in web-facing assets, and leveraging initial access brokers to get into victims’ networks.

Post-exploitation, the threat actors use various tools for persistence, lateral movement, and data harvesting and exfiltration. Prior to deploying file-encrypting ransomware, they also delete shadow copies to prevent victims from restoring their data.

Advertisement. Scroll to continue reading.

CISA and the FBI also warn that the Royal ransomware gang publishes victim data on its leak site, if a ransom is not paid.

“Royal ransomware attacks have spread across numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, healthcare and public healthcare (HPH), and education. CISA encourages network defenders to review the updated CSA and to apply the included mitigations,” the cybersecurity agency notes.

In December last year, Trend Micro linked Royal to the infamous Conti ransomware group, saying that it is a rebranded version of Zeon ransomware, which had been previously associated with one of the groups distributing Conti.

Also in December, the US Department of Health and Human Services (HHS) warned healthcare organizations of Royal ransomware attacks.

Related: City of Dallas Details Ransomware Attack Impact, Costs

Related: CISA Program Warns Critical Infrastructure Organizations Vulnerable to Ransomware Attacks

Related: Why Ransomware Response Matters More Than Protection

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Coro, a provider of cybersecurity solutions for SMBs, has appointed Joe Sykora as CEO.

SonicWall has hired Rajnish Mishra as Senior Vice President and Chief Development Officer.

Kenna Security co-founder Ed Bellis has joined Empirical Security as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.