Royal Ransomware

Malware updated 2 months ago (2024-08-27T19:17:44.860Z)
Royal ransomware was a malware program designed to compromise and damage computer systems; it operated from September 2022 through June 2023 and used multi-threaded encryption to disrupt operations and hold data hostage for ransom. It was primarily distributed through suspicious downloads, emails, or websites, and once inside a system it could steal personal information, disrupt operations, and demand ransom in exchange for the encrypted data. A notable incident occurred in May 2023, when the IT systems of the City of Dallas were hit by a Royal ransomware attack. In July 2023, Royal evolved into the BlackSuit ransomware, which has improved capabilities and shares numerous coding similarities with its predecessor. BlackSuit is believed to be a rebranding of the Russia-based Royal ransomware operator and is associated with the now-defunct Conti ransomware operation. It primarily targets US-based companies in critical sectors such as education and industrial goods, choosing its targets carefully to maximize financial gain. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have closely monitored these ransomware groups and in August 2024 released an update to the joint Cybersecurity Advisory #StopRansomware: Royal Ransomware, now titled #StopRansomware: BlackSuit (Royal) Ransomware. The advisory covers recent and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) for the BlackSuit operation, which rebrands the legacy Royal ransomware, and is intended to give network defenders the knowledge they need to counter these threats effectively.
Description last updated: 2024-08-27T19:16:06.800Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth looking at.
Alias | Description | Votes
Blacksuit | Possible alias for Royal Ransomware. BlackSuit is a malicious software (malware) that has been causing significant harm in the digital world. It infiltrates systems through dubious downloads, emails, or websites, and once inside, it can steal personal data, disrupt operations, or hold data hostage for ransom. BlackSuit malware, which i… | 10
Blacksuit Ransomware | Possible alias for Royal Ransomware. The BlackSuit ransomware is a malicious software designed to exploit and damage computer systems, often holding data hostage for ransom. Introduced in May 2023, it is a continuation or new version of the Royal ransomware operation, with the rebranding officially noted by the FBI and CISA in an advis… | 2
Hive | Possible alias for Royal Ransomware. Hive is a malicious software (malware) known for its ransomware capabilities, which has been highly active in numerous countries, including the US. This malware infects systems often through suspicious downloads, emails, or websites, disrupting operations and stealing personal information. Notably,… | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
Malware
Phishing
Windows
Linux
Malvertising
Encryption
ESXi
Encrypt
Extortion
CISA
Antivirus
Malware Drop...
Reconnaissance
Exploit
Spyware
Backdoor
Loader
Bitcoin
Malware Loader
Clop
Ransomware P...
Microsoft
Payload
Associated Malware
Alias | Description | Association Type | Votes
Conti | Conti is a notorious type of malware, specifically ransomware, that infiltrates computer systems to steal data and disrupt operations. The malicious software often spreads through suspicious downloads, emails, or websites, and once inside, it can hold data hostage for ransom. The Conti ransomware op… | is related to | 7
Batloader | Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal… | is related to | 5
Lockbit | LockBit is a notorious malware that operates on a ransomware-as-a-service model, which has been responsible for significant cyber attacks across the globe. One of its most high-profile targets was Boeing, from whom the LockBit gang claimed to have stolen data. This incident not only disrupted operat… | Unspecified | 5
Blackbasta | BlackBasta is a notorious malware, particularly known for its ransomware attacks. The group behind it has been linked with other harmful software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. Artifacts and indicators of compromise (IoCs) suggest a possible relation… | Unspecified | 4
QakBot | Qakbot is a potent piece of malware, or malicious software, that infiltrates computer systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operations, or even hold data hostage for ransom. This malware, built by various groups includin… | Unspecified | 3
Netsupport Manager | NetSupport Manager is a malicious software (malware) that poses significant threats to computer systems and networks. It is often disguised as legitimate software or tools, such as the 7-zip compression utility or a fake Chrome browser update, to trick users into downloading and installing it. Once… | Unspecified | 2
IcedID | IcedID is a type of malware, malicious software designed to exploit and damage computer systems. It has been identified in association with various other malwares such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, and Pikabot. The IcedID IntBot Loader (int-bot.dll) is… | Unspecified | 2
Vidar | Vidar is a malicious software (malware) that operates as an infostealer, primarily targeting Windows-based systems. It is written in C++ and is based on the Arkei stealer. Vidar is part of a broader landscape of malware threats such as Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo,… | Unspecified | 2
Ghost Clown | Ghost Clown is a malware entity that has been implicated in the deployment of malicious software, specifically ransomware strains like BlackBasta and Conti. This previously undetected ransomware group, along with another affiliate named Space Kook, was identified by anti-ransomware company Halcyon. | Unspecified | 2
TrickBot | TrickBot is a notorious malware that has been used extensively by cybercriminals to exploit and damage computer systems. It operates as a crimeware-as-a-service platform, infecting systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can stea… | Unspecified | 2
Associated Threat Actors
Alias | Description | Association Type | Votes
Alphv | AlphV, also known as BlackCat, is a notorious threat actor that has been active since November 2021. This group pioneered the public leaks business model and has been associated with various ransomware families, including Akira, LockBit, Play, and Basta. AlphV gained significant attention for its la… | Unspecified | 3
Conti Team | The Conti team, a threat actor group known for its malicious activities in the cyber realm, has seen significant developments and transformations over recent years. In September 2022, a splinter group from Conti Team One resurfaced under the name Royal Ransomware, conducting callback phishing attack… | is related to | 2
Medusa | Medusa, a prominent threat actor in the cybersecurity landscape, has been increasingly active with its ransomware attacks. The group made headlines in November 2023 when it leveraged a zero-day exploit for the Citrix Bleed vulnerability (CVE-2023-4966), leading to numerous compromises alongside othe… | Unspecified | 2
Space Kook | Space Kook is a threat actor, or malicious entity, identified in the cybersecurity industry for its involvement in ransomware operations. Named after a villain from Scooby Doo, Space Kook was first linked to malicious activities by Halcyon's analysis, which showed connections to an initial access br… | Unspecified | 2
Zeon | Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B… | Unspecified | 2
Source Document References
Information about the Royal Ransomware malware was read from the documents in the corpus below. This display is limited to 20 results.
Source | Created
BankInfoSecurity | 2 months ago
Securityaffairs | 2 months ago
Securityaffairs | 2 months ago
CISA | 2 months ago
InfoSecurity-magazine | 3 months ago
Securityaffairs | 3 months ago
BankInfoSecurity | 4 months ago
Checkpoint | 4 months ago
DARKReading | 5 months ago
DARKReading | 5 months ago
BankInfoSecurity | 6 months ago
Checkpoint | 6 months ago
CERT-EU | a year ago
CERT-EU | 7 months ago
CERT-EU | 8 months ago
Unit42 | 8 months ago
DARKReading | 9 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago