Royal is a sophisticated ransomware operation known for its attacks on enterprise organizations. The group, which has ties to the Conti cybercrime gang, rose to prominence in Q4 2022, when it was among the most active ransomware operations alongside LockBit and BlackCat. Royal operators typically gain initial access by exploiting security vulnerabilities in internet-facing devices or through callback phishing, then encrypt the victim's systems and demand large ransoms, reported to range from $250,000 to tens of millions of dollars per attack. Their first encryptor, Zeon, resembled the encryptors generated by Conti; the group switched to the Royal encryptor after rebranding in mid-September 2022.
The Royal operation has been linked to significant breaches across several critical infrastructure sectors, including manufacturing, communications, healthcare and public health, and education. In June, BleepingComputer reported that the Royal ransomware gang had been testing a new BlackSuit encryptor that shares many similarities with the operation's usual encryptor. Although the emergence of the BlackSuit ransomware operation in May raised expectations that Royal would rebrand again, this did not occur: Royal continues to target enterprise organizations under its own name and has used BlackSuit only in a limited number of attacks.
Efforts to combat Royal have involved international cooperation. A notable breakthrough came when a syndicate linked to Royal was apprehended in a joint operation by the Royal Malaysian Police, the Australian Federal Police, and the FBI. The syndicate had compromised websites of financial and educational institutions, as well as official government sites in Australia, and was also involved in selling stolen credentials. The arrests represented a major step forward in countering the Royal operation's activities.
Description last updated: 2024-03-17T00:16:24.079Z