A joint Cybersecurity Advisory has been issued by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) that includes updated information on the tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IoCs) associated with the Royal ransomware group.
Royal ransomware has been active since at least September 2022, and over the past 14 months is known to have conducted at least 350 ransomware attacks on organizations around the world, with a large number of those attacks conducted on U.S. organizations. Since September 2022, the group has issued ransom demands in excess of $275 million, with individual demands typically in the range of $1 million to $11 million.
Royal ransomware is a private ransomware operation rather than a ransomware-as-a-service (RaaS) group. It has attacked multiple sectors, including manufacturing, communications, healthcare and public health, and education. The group exfiltrates data before encrypting files and uses the stolen data as leverage: if the victim refuses to pay the ransom, the group publishes the data on its leak site. The ransom note does not state how much the victim must pay to prevent the release of their data and obtain the keys to decrypt files; the victim must make contact with the group by following the instructions in the ransom note.
In the cybersecurity advisory, the FBI and CISA explain that the most effective initial access vector used by the group is phishing emails, although the group also exploits vulnerabilities in public-facing devices. Callback phishing attacks are commonly conducted, where the victim is sent an email about a pending charge to their account and is required to call the number provided to prevent the charge from being applied. Part of that process involves downloading software that provides the group with access to their device.
The FBI and CISA, in conjunction with the U.S. Department of Health and Human Services, issued a cybersecurity advisory about Royal ransomware on March 2, 2023, which details the known TTPs and IoCs associated with the group. The updated advisory includes updated TTPs and IoCs and warns that the Royal ransomware group may be preparing to re-brand. A new ransomware variant, dubbed Blacksuit, has been identified that has several similar coding characteristics to Royal ransomware.
Blacksuit ransomware has only been used in very limited attacks to date and was first detected in May 2023. The attacks are thought to have been conducted to test a new encryption method. Rebrands are common with ransomware groups, especially after a large attack that has attracted considerable law enforcement attention. For instance, after the attack on Colonial Pipeline, the DarkSide ransomware group shut down and later rebranded as BlackMatter. Royal is thought to have first used Quantum ransomware before rebranding into Royal, and another rebrand is now due.
While the expected May 2023 rebrand of Royal didn’t occur, the FBI has gathered evidence that confirms that Royal and Blacksuit are linked and some security experts have suggested that the rebrand has now occurred. The group is also thought to have changed its structure into a more centralized operation, similar to that used by the now defunct Conti ransomware operation, from which the Royal operatives are thought to have split.