CISA and FBI warn Royal ransomware gang could be renamed ‘BlackSuit’


Top U.S. cybersecurity agencies released surprising new data on the Royal ransomware gang on Monday, confirming previous reports that the gang may be preparing for a name change.

In June, BleepingComputer reported that Royal ransomware had added the BlackSuit encryptor to its arsenal, echoing reports from TrendMicro And other cybersecurity researchers that the gang was preparing to change its name following increased surveillance by law enforcement following its high-profile attack on the city of Dallas in May.

In an update of a March Notice On Monday, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that they, too, believe a Royal name change is in the offing.

“Since September 2022, Royal has targeted more than 350 known victims worldwide and ransomware demands have exceeded $275 million. Royal conducts data exfiltration and extortion before encryption, then publishes victims’ data on a leak site if a ransom is not paid,” the agencies said. said.

“Phishing emails are among the most effective vectors for initial access by royal threat actors. There are indications that Royal may be preparing for a rebranding effort and/or a spinoff variant. Blacksuit ransomware shares a number of identified coding characteristics similar to Royal.

Several cybersecurity experts believe that Royal ransomware is itself a fallout of Conti ransomware gangwhich close its operations last year following a disaster attack on the government of Costa Rica.

Royal has been a prolific operation, with a cyber insurance company stating in September that the group, alongside BlackCat and LockBit 3.0, were the most common ransomware variants seen in the first half of 2023.

While Royal has continued to launch attacks since June, BlackSuit ransomware has recently been used against some organizations.

One of the most popular zoos in the United States — ZooTampa — confirmed to Recorded Future News in July, it was a ransomware attack that was later claimed by hackers calling themselves BlackSuit.

Experts from cybersecurity company Trend Micro said in May, the ransomware was used against Windows and Linux users. Trend Micro examined the BlackSuit and Royal ransomware strains, finding a similarity profile of over 90%, which several other cybersecurity companies having corroborated.

On Monday, the FBI and CISA said threat actors Royal and BlackSuit were observed using legitimate software and open source tools in ransomware operations.

Tools include open source network tunneling products such as Chisel and Cloudflared, as well as Secure Shell (SSH) Client, OpenSSH, and MobaXterm for establishing SSH connections.

“The publicly available credential theft tool Mimikatz and password harvesting tools from Nirsoft were also found on victims’ systems,” they said.

“Legitimate remote access tools AnyDesk, LogMein and Atera Agent have also been observed as backdoor access vectors. »

The advisory provides up-to-date information on what organizations can look out for if they suspect they have been attacked by the Royal or BlackSuit encryptor.

Before his attack in the city of Dallas, the Royal ransomware gang has made a point of targeting hospitals. An advisory from the U.S. Department of Health and Human Services (HHS) last December warned hospitals and healthcare organizations to remain on alert for attacks from the Royal ransomware group.

HHS said the group’s attacks on healthcare facilities are increasing and the group typically demands ransoms of between $250,000 and $2 million. HHS also referenced a Microsoft report that multiple actors were spreading Royal ransomware.

This report reveals that the group used Google Ads in one of its attack campaigns, which includes dozens of law firms and companies across the United States, as well as one of the most popular. car racing circuits UK.

“Royal is an operation that appears to be staffed by experienced actors from other groups, as elements have been observed in previous ransomware operations,” they said. “While most known ransomware operators have used Ransomware-as-a-Service, Royal appears to be a private group without any subsidiaries while keeping financial motivation as its goal.”

Get more information with the

Future saved

Intelligence cloud.

Learn more.

No previous articles

No new articles

Jonathan Greig

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

Leave a comment