FBI reports that Royal ransomware has demanded more than $275 million in ransom payments from 350 victims.
The Royal ransomware gang has infiltrated the networks of at least 350 organizations worldwide since September 2022, according to a joint advisory from the FBI and CISA.
The FBI and CISA have jointly issued an updated advisory on the activities of the Royal ransomware gang. According to the advisory, the gang has targeted over 350 organizations globally since September 2022, with ransom demands totaling more than $275 million. The gang's method involves data exfiltration and extortion, followed by encryption of the victim's systems and publication of the stolen data on a leak site if the ransom isn't paid. Phishing emails are a primary tactic for gaining initial access to victims' networks.
This update follows the initial advisory in March, which included indicators of compromise and a detailed list of tactics, techniques, and procedures (TTPs) to help organizations defend against Royal ransomware attacks. The joint advisory was first issued after the U.S. Department of Health and Human Services (HHS) reported in December 2022 that Royal was behind several attacks on U.S. healthcare organizations.
Additionally, the agencies noted the possibility that Royal is planning a rebrand or a spinoff variant, pointing to the BlackSuit ransomware, which shares coding characteristics with Royal. Despite speculation since May about a Royal rebrand, the gang continues to target enterprises, using BlackSuit in some attacks.
Royal ransomware is recognized as a private operation made up of highly skilled actors, some formerly associated with the notorious Conti cybercrime gang. Their activity intensified from September 2022; they initially used ransomware from other operations before developing their own tools. The gang's first self-developed encryptor, Zeon, was replaced by the Royal encryptor in mid-September 2022, and a recent upgrade added support for targeting Linux devices and VMware ESXi virtual machines.
The Royal gang typically exploits security vulnerabilities in publicly accessible devices to infiltrate networks. They also use callback phishing attacks, in which victims are tricked through social engineering into installing remote access software. Their operations involve encrypting target enterprise systems and demanding substantial ransoms, ranging from $250,000 to several million dollars per attack.