Connect with us

Hi, what are you looking for?



Royal Ransomware Possibly Rebranding After Targeting 350 Organizations Worldwide

CISA says Royal ransomware has targeted 350 organizations to date, demanding over $275 million in ransoms.


The Royal ransomware gang has targeted at least 350 organizations worldwide, with their ransom demands exceeding $275 million, and the cybercriminals may be preparing to rebrand their operation, the US cybersecurity agency CISA and the FBI say in an updated alert.

Active since at least September 2022, Royal has been used in attacks against entities in critical infrastructure, education, healthcare, and manufacturing sectors, making ransom demands ranging between $1 million and $11 million, in Bitcoin.

In March 2023, CISA and the FBI issued an alert on the Royal ransomware operation, urging organizations to implement security best practices to protect their environments against Royal and other ransomware attacks.

On Monday, the two US agencies updated their advisory to provide additional indicators of compromise (IoCs) associated with Royal attacks, and to update the list of observed tactics, techniques, and procedures (TTPs).

The update also warns of a potential rebranding of the operation, or at least a spin-off, pointing out that “Blacksuit ransomware shares a number of identified coding characteristics similar to Royal.”

Believed to be operated by a private group, rather than a ransomware-as-a-service (RaaS) operation, Royal typically relies on phishing for initial access.

The group was also seen abusing remote desktop protocol (RDP), exploiting vulnerabilities in web-facing assets, and leveraging initial access brokers to get into victims’ networks.

Post-exploitation, the threat actors use various tools for persistence, lateral movement, and data harvesting and exfiltration. Prior to deploying file-encrypting ransomware, they also delete shadow copies to prevent victims from restoring their data.

Advertisement. Scroll to continue reading.

CISA and the FBI also warn that the Royal ransomware gang publishes victim data on its leak site, if a ransom is not paid.

“Royal ransomware attacks have spread across numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, healthcare and public healthcare (HPH), and education. CISA encourages network defenders to review the updated CSA and to apply the included mitigations,” the cybersecurity agency notes.

In December last year, Trend Micro linked Royal to the infamous Conti ransomware group, saying that it is a rebranded version of Zeon ransomware, which had been previously associated with one of the groups distributing Conti.

Also in December, the US Department of Health and Human Services (HHS) warned healthcare organizations of Royal ransomware attacks.

Related: City of Dallas Details Ransomware Attack Impact, Costs

Related: CISA Program Warns Critical Infrastructure Organizations Vulnerable to Ransomware Attacks

Related: Why Ransomware Response Matters More Than Protection

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.


US payments giant NCR has confirmed being targeted in a ransomware attack for which the BlackCat/Alphv group has taken credit.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.