Royal Ransomware

Malware Profile. Updated 11 days ago. STIX export available.
Royal Ransomware is a ransomware family that has caused significant disruption across multiple sectors, particularly in the United States. Operated by a crew that emerged from the now-defunct Conti ransomware operation, Royal is notable for its multi-threaded encryption and for terminating processes on infected systems before encrypting. In May 2023 the City of Dallas was hit by a Royal ransomware attack that significantly disrupted its IT systems; the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has since published updated guidance to help organizations defend against similar intrusions.

The Royal operation is widely assessed to have rebranded as BlackSuit, first observed in May 2023 and tracked on this page as an alias. BlackSuit primarily targets US-based organizations in sectors such as education and industrial goods, selecting victims to maximize financial gain. Notable attacks attributed to it include those on East Central University in Ada, Oklahoma, and Group Health Cooperative of South Central Wisconsin.

By the end of 2023 the FBI reported that Royal's ransom demands between September 2022 and November 2023 exceeded $275 million, which gives a sense of the scale of the threat. The sources listed on this page also record a follow-on extortion campaign targeting victims of both Akira and Royal, and researchers have linked the 3AM ransomware to the Conti and Royal gangs, so overlaps with those clusters are worth checking when attributing an incident.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Treat the vote counts as a rough signal only: some rows are keyword matches rather than true overlaps (the Hive row below, for example, describes Windows registry hive exfiltration rather than the Hive ransomware operation), so verify against the underlying reporting before merging clusters.
Name | Votes | Profile Description
Blacksuit | 8 | BlackSuit is a malicious software (malware) that was introduced in May 2023, believed to be a rebranding of the Royal ransomware operation, which itself was a branch of the now-defunct Conti ransomware operation. Various sources have reported similarities in code between Royal and BlackSuit, further
Hive | 2 | Hive is a malicious software, or malware, that infiltrates systems to exploit and damage them. This malware has been associated with Volt Typhoon, who exfiltrated NTDS.dit and SYSTEM registry hive to crack passwords offline. The Hive operation was primarily involved in port scanning, credential thef
Vice Society | 2 | Vice Society, a threat actor group known for its malicious activities, has been linked to a series of ransomware attacks targeting various sectors, most notably education and healthcare. Throughout 2022 and the first half of 2023, Vice Society, along with Royal Ransomware, were actively executing mu
Akira | 1 | Akira is a malicious software, or malware, specifically a type of ransomware known for its disruptive and damaging effects. First surfacing in early 2023, it has continued to wreak havoc on various entities, including corporations and industries. This ransomware infects systems through suspicious dow
Black Suit | 1 | Black Suit is a notable piece of malware that emerged as a rebranding of the Royal ransomware. The connection between the two was established through matching binaries. This malicious software, designed to exploit and damage computer systems, has been linked to several cyberattacks. Notably, Black S
Threeam | 1 | ThreeAM, a developing ransomware group first identified by GRIT in September 2023, has been steadily increasing its operational tempo. This malicious software is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's k
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Ransom
Phishing
Windows
Linux
Malvertising
Encryption
Esxi
Encrypt
Extortion
Antivirus
CISA
Ransomware P...
Payload
Loader
Reconnaissance
Spyware
Malware Drop...
Backdoor
Microsoft
Exploit
Bitcoin
Malware Loader
Known Exploi...
Insurance
Health
Healthcare
School
Police
Exploits
t1566.001
t1566.002
Chrome
Discord
Moveit
Openssh
Malwarebytes
Sophos
Google
Talos
Cybereason
Cybercrime
Vulnerability
Apt
Ddos
Data Leak
Locker
RaaS
Rmm
Zero Day
Fraud
Infostealer
Spam
Cloudzy
Scam
At
Fbi
Smishing
Associated Malware
ID | Relationship | Votes | Profile Description
Conti | is related to | 7 | Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Lockbit | Unspecified | 5 | LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Batloader | is related to | 5 | Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal
Blackbasta | Unspecified | 4 | BlackBasta is a malicious software (malware) known for its disruptive and damaging effects on computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even ho
QakBot | Unspecified | 3 | Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e
Clop | Unspecified | 2 | Clop is a notorious malware, short for malicious software, known for its disruptive and damaging effects on computer systems. It primarily infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o
IcedID | Unspecified | 2 | IcedID is a malicious software (malware) designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom
Vidar | Unspecified | 2 | Vidar is a Windows-based malware written in C++, derived from the Arkei stealer, which is designed to infiltrate and exploit computer systems. It has been used alongside other malware variants such as Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2,
Netsupport Manager | Unspecified | 2 | NetSupport Manager is a legitimate remote-administration tool that is frequently abused as a remote access trojan. In those campaigns it is disguised as legitimate software or tools, such as the 7-zip compression utility or a fake Chrome browser update, to trick users into downloading and installing it. Once
TrickBot | Unspecified | 2 | TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked
Ghost Clown | Unspecified | 2 | Ghost Clown is a malware entity that has been implicated in the deployment of malicious software, specifically ransomware strains like BlackBasta and Conti. This previously undetected ransomware group, along with another affiliate named Space Kook, were identified by anti-ransomware company Halcyon.
Rhysida Ransomware | Unspecified | 1 | Rhysida ransomware is a type of malicious software that has been causing significant disruptions worldwide. The malware, which infiltrates systems via suspicious downloads, emails, or websites, is designed to exploit and damage computers or devices. Once inside, it can steal personal information, di
Netsupport | Unspecified | 1 | NetSupport is a legitimate remote-administration tool that has been abused in various cyberattacks, including the Royal Ransomware attack and assaults by former ITG23 members. It can infiltrate systems through suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or
3am | Unspecified | 1 | 3AM is a new and sophisticated ransomware family that has recently emerged in the cyber threat landscape. The malware, known for its malicious intent to exploit and damage computer systems, operates by infiltrating the target infrastructure through suspicious downloads, emails, or websites. Once ins
Predator | Unspecified | 1 | Predator is mercenary spyware that, alongside NSO Group's Pegasus, remains one of the leading commercial surveillance products. Despite public disclosures in September 2023, Predator's operators have continued their operations with minimal changes, exploiting recently patched zero-day vulnerabilities in Apple a
Predator Spyware | Unspecified | 1 | Predator Spyware is a type of malware, or malicious software, that has recently been identified as a significant threat to digital security. This harmful program infiltrates devices without the user's knowledge, often through suspicious downloads, emails, or websites. Once installed, it can steal pe
Blackbasta Ransomware | Unspecified | 1 | BlackBasta is a ransomware-type malware, designed to infiltrate systems undetected and hold data hostage in exchange for ransom. Originating from Russian-speaking regions, this malicious software has been linked to numerous high-profile cyber attacks. The group behind BlackBasta has demonstrated its
P2pinfect | Unspecified | 1 | P2Pinfect is a malicious software (malware) that has recently been updated to target Redis servers with miners and ransomware, as well as routers and Internet of Things (IoT) devices. This malware infects systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once
Sprysocks | Unspecified | 1 | SprySOCKS is a new strain of malware that has recently been added to the arsenal of Earth Lusca, an advanced persistent threat (APT) group known for its sophisticated cyberattacks. Malware, short for malicious software, is designed to exploit and damage computers or devices without the user's knowle
Gozi | Unspecified | 1 | Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c
Cobalt Strike Beacon | Unspecified | 1 | Cobalt Strike Beacon is the implant of the commercial Cobalt Strike red-team framework and is widely abused by ransomware operators for post-exploitation, including stealing personal information, disrupting operations, and staging data to hold hostage for ransom. The implant has been loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an
Black Basta | Unspecified | 1 | Black Basta is a notorious malware entity known for its devastating ransomware attacks. First emerging in June 2022, the group has since been associated with a series of high-profile cyber-attacks worldwide. This malware, like others, infiltrates systems through suspicious downloads, emails, or webs
Babuk | Unspecified | 1 | Babuk is a type of malware, specifically ransomware, which is designed to infiltrate systems and hold data hostage for ransom. It can be delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, Babuk can disrupt operations and steal perso
Ryuk | Unspecified | 1 | Ryuk is a sophisticated malware, specifically a ransomware variant, that has been extensively used by cybercriminal group ITG23. The group has been employing crypting techniques for several years to obfuscate their malware, with Ryuk often seen in tandem with other malicious software such as Trickbo
Exsi | Unspecified | 1 | "Exsi" appears to be a misspelling of VMware ESXi, the hypervisor platform that ransomware groups target with Linux encryptors, rather than a malware family in its own right. The dataset describes it as malicious software that infiltrates through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or even hol
IceFire | Unspecified | 1 | IceFire is a malicious software (malware) that has been detected as part of the Linux ransomware family. It was initially known for attacking Windows systems, but recent developments have seen it expand its reach to both Linux and Windows systems. The shift by IceFire to target Linux systems worldwi
NoEscape | Unspecified | 1 | NoEscape is a malicious software that emerged as a rebrand of 'Avaddon,' known for its successful multi-extortion tactics. In October 2023, the French basketball team ASVEL fell victim to a data breach orchestrated by the NoEscape ransomware gang. This incident was part of a broader trend in the las
Avaddon | Unspecified | 1 | Avaddon is a type of malware, specifically ransomware, designed to exploit and damage computer systems. It was notable for its compatibility with older systems such as Windows XP and Windows 2003, distinguishing it from other ransomware like Darkside and Babuk which targeted more modern systems like
Luadream | Unspecified | 1 | LuaDream is a type of malware, specifically designed to exploit and damage computer systems or devices. This malicious software infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or
SVCReady | Unspecified | 1 | SVCReady is a relatively new malware family first observed in malicious spam campaigns at the end of April 2022. This harmful software, designed to exploit and damage computers or devices, was initially unknown but has since been identified through IDS rules published by Proofpoint. The malware infe
Cargobay | Unspecified | 1 | CargoBay is a type of malware that has been associated with various ransomware attacks, including Quantum, Zeon, and Royal. It was used to crypt SVCReady, a loader observed in the Quantum ransomware attacks. CargoBay's usage extends beyond this, as it has also been linked to numerous other malicious
Associated Threat Actors
ID | Relationship | Votes | Profile Description
Alphv | Unspecified | 3 | AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car
Zeon | Unspecified | 2 | Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B
Space Kook | Unspecified | 2 | Space Kook is a threat actor, or malicious entity, identified in the cybersecurity industry for its involvement in ransomware operations. Named after a villain from Scooby Doo, Space Kook was first linked to malicious activities by Halcyon's analysis, which showed connections to an initial access br
Medusa | Unspecified | 2 | Medusa, a threat actor group, has been identified as a rising menace in the cybersecurity landscape, with its ransomware activities escalating significantly. In November 2023, Medusa and other groups like LockBit and ALPHV (BlackCat) exploited a zero-day vulnerability known as Citrix Bleed (CVE-2023
Conti Team | is related to | 2 | The Conti team, a threat actor group known for its malicious activities in the cyber realm, has seen significant developments and transformations over recent years. In September 2022, a splinter group from Conti Team One resurfaced under the name Royal Ransomware, conducting callback phishing attack
Ursnif/gozi | Unspecified | 1 | Ursnif/Gozi is a threat actor known for its malicious activities in the cybersecurity landscape. This entity, which could be a single person, a private company, or part of a government group, executes actions with harmful intent. Specifically, Ursnif/Gozi has been identified as one of the tools empl
DarkSide | Unspecified | 1 | DarkSide is a notable threat actor that emerged in the cybersecurity landscape with its advanced ransomware operations. In 2021, the group gained significant attention for its attack on the United States' largest oil pipeline, Colonial Pipeline, causing a temporary halt to all operations for three d
Hunters International | Unspecified | 1 | Hunters International, a threat actor group in the cybersecurity realm, has recently gained notoriety for its malicious activities. The group is believed to have taken over Hive Ransomware, a notorious malware used for cyberattacks, after Hive's takedown in 2023. Despite disputes from Hunters Intern
Rhysida | Unspecified | 1 | Rhysida, a threat actor known for executing malicious cyber activities, has been responsible for numerous ransomware attacks. The group has primarily targeted businesses and healthcare organizations, with notable instances including a disruptive attack on Ann & Robert H. Lurie Children's Hospital of
Blackbyte | Unspecified | 1 | BlackByte, a threat actor known for its malicious activities, has been on the radar of cybersecurity agencies since its emergence in July 2021. Notorious for targeting critical infrastructure, BlackByte attracted the attention of the Federal Bureau of Investigation (FBI) and the US Secret Service (U
Earth Lusca | Unspecified | 1 | Earth Lusca, a threat actor known for its malicious activities in the cyber world, has recently expanded its arsenal with the addition of a new tool, SprySOCKS Linux malware. This development was reported by Security Affairs in 2023. Earth Lusca can be an individual, a private company, or pa
Conti Ransomware Gang | Unspecified | 1 | The Conti ransomware gang, a notorious threat actor in the cybersecurity landscape, has been responsible for extorting at least $180 million globally. The gang is infamous for the HSE cyberattack in 2021 and has been sanctioned by the National Crime Agency (NCA). In late 2021, experts suggested that
Noberus | Unspecified | 1 | Noberus, also known as ALPHV or BlackCat, is a significant threat actor in the cybersecurity landscape. The group, which primarily operates a ransomware-as-a-service (RaaS) model, was the second most active ransomware group in April 2023, responsible for 14% of total observed victims. Originating fr
Blackmatter | Unspecified | 1 | BlackMatter is a recognized threat actor in the cybersecurity industry, notorious for its malicious activities and the execution of ransomware attacks. The group initially operated as DarkSide, responsible for the high-profile Colonial Pipeline attack in May 2021, which led to significant attention
Associated Vulnerabilities
ID | Relationship | Votes | Profile Description
CVE-2023-5009 | Unspecified | 1 | (no description in the dataset)
CVE-2023-36845 | Unspecified | 1 | CVE-2023-36845 is a significant software vulnerability, specifically a PHP external variable modification bug, identified by WatchTowr Labs' security researchers. The flaw was part of a series of vulnerabilities linked to the SRX firewall system, including a missing authentication for critical funct
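The profile above is exportable as STIX, and the alias and association tables carry exactly the data a STIX 2.1 bundle needs: the malware object with its aliases, one object per associated malware, threat actor or vulnerability, and a relationship per row. The following is an added example written for this page, not the site's own export code. Names, relationship labels and vote counts are copied from the tables; the namespace UUID, the `x_cybergeist_votes` custom property, the vote threshold and the fallback of "Unspecified" rows to the generic `related-to` relationship are assumptions made here for illustration. It also includes the check a consumer should run before loading such a bundle: that every relationship points at an object that is actually present.

```python
"""Build a minimal STIX 2.1 bundle from the associations on this profile page.

Added illustration, not the site's own STIX export. Names, labels and vote
counts are copied from the page; the namespace, custom property name, vote
threshold and relationship fallback are assumptions for the example.
"""
import json
import uuid
from datetime import datetime, timezone

# Hypothetical namespace so object ids are deterministic across runs
# (re-exports of the same page then dedupe cleanly in a TIP).
NAMESPACE = uuid.uuid5(uuid.NAMESPACE_DNS, "example.invalid")

PROFILE = {"name": "Royal Ransomware", "aliases": ["BlackSuit", "Black Suit"]}

# (STIX object type, name, relationship label from the page or None for
# "Unspecified", vote count) -- constructed from the tables above.
ASSOCIATIONS = [
    ("malware", "Conti", "related-to", 7),
    ("malware", "LockBit", None, 5),
    ("malware", "Batloader", "related-to", 5),
    ("malware", "BlackBasta", None, 4),
    ("threat-actor", "AlphV", None, 3),
    ("threat-actor", "Conti Team", "related-to", 2),
    ("vulnerability", "CVE-2023-36845", None, 1),
]


def stix_id(obj_type, name):
    """Deterministic STIX id of the form <type>--<uuid5>."""
    return f"{obj_type}--{uuid.uuid5(NAMESPACE, f'{obj_type}:{name}')}"


def timestamp():
    """STIX timestamps are UTC with millisecond precision and a Z suffix."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def sdo(obj_type, name, **extra):
    """Common STIX Domain Object envelope plus type-specific properties."""
    ts = timestamp()
    obj = {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type, name),
           "created": ts, "modified": ts, "name": name}
    obj.update(extra)
    return obj


def build_bundle(profile, associations, min_votes=2):
    """Emit the profile object plus every association with at least min_votes.

    Rows the page marks "Unspecified" fall back to STIX's generic
    'related-to'; the vote count is kept as a custom (x_) property so a
    consumer can filter again on its own threshold.
    """
    royal = sdo("malware", profile["name"], aliases=profile["aliases"],
                is_family=True, malware_types=["ransomware"])
    objects = [royal]
    for obj_type, name, rel, votes in associations:
        if votes < min_votes:
            continue
        extra = {}
        if obj_type == "malware":
            extra["is_family"] = True  # required property on malware SDOs
        if obj_type == "vulnerability":
            extra["external_references"] = [{"source_name": "cve", "external_id": name}]
        target = sdo(obj_type, name, **extra)
        objects.append(target)
        ts = timestamp()
        objects.append({
            "type": "relationship", "spec_version": "2.1",
            "id": stix_id("relationship", f"{royal['id']}:{name}"),
            "created": ts, "modified": ts,
            "relationship_type": rel or "related-to",
            "source_ref": royal["id"], "target_ref": target["id"],
            "x_cybergeist_votes": votes,  # assumed custom property name
        })
    return {"type": "bundle", "id": stix_id("bundle", royal["id"]), "objects": objects}


def dangling_refs(bundle):
    """Return ids of relationships whose source or target is not in the bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    return [o["id"] for o in bundle["objects"]
            if o["type"] == "relationship"
            and (o["source_ref"] not in ids or o["target_ref"] not in ids)]


if __name__ == "__main__":
    bundle = build_bundle(PROFILE, ASSOCIATIONS)
    assert not dangling_refs(bundle)
    print(json.dumps(bundle, indent=2))
```

With the default threshold of two votes the single-vote CVE row is dropped, which is the point of keeping the count on the relationship rather than baking a threshold into the export: a downstream consumer that only trusts rows with, say, five or more votes can re-filter on `x_cybergeist_votes` without regenerating the bundle.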
Source Document References
Information about the Royal Ransomware malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
InfoSecurity-magazine | 11 days ago | Indiana County Files Disaster Declaration Following Ransomware Attack
Securityaffairs | 11 days ago | October ransomware attack on Dallas County impacted over 200K people
BankInfoSecurity | a month ago | CDK Begins Restoring Systems Amid Ransomware Payment Reports
Checkpoint | a month ago | 24th June – Threat Intelligence Report - Check Point Research
DARKReading | 2 months ago | CISO Corner: Federal Cyber Deadlines Loom; Private Chatbot Danger
DARKReading | 2 months ago | BlackSuit Claims Dozens of Victims With Ransomware
BankInfoSecurity | 3 months ago | Suspected Attack Shuts Down US Blood Plasma Donation Centers
Checkpoint | 3 months ago | 15th April – Threat Intelligence Report - Check Point Research
CERT-EU | a year ago | There were more ransomware attacks last month than any other on record | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware – National Cyber Security Consulting
CERT-EU | 5 months ago | Proactive Patching Translates into Less Ransomware Payouts - Cybersecurity Insiders
CERT-EU | 5 months ago | Operation Cronos: Who Are the LockBit Admins
Unit42 | 6 months ago | Ransomware Retrospective 2024: Unit 42 Leak Site Analysis
DARKReading | 6 months ago | A Cyber Insurer's Perspective on How to Avoid Ransomware
CERT-EU | 6 months ago | Researchers link 3AM ransomware to Conti, Royal cybercrime gangs
CERT-EU | 6 months ago | A look back to plan ahead | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 6 months ago | The Top 10 Ransomware Groups of 2023
CERT-EU | 6 months ago | From Data Leaks to Physical Threats | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 6 months ago | Follow-On Extortion Campaign Targeting Victims of Akira and Royal Ransomware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 6 months ago | Hackers Impersonate as Security Researcher Aid Ransom Victims | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 6 months ago | Fake "hack-back" offers are putting ransomware victims at further risk | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting