CISA, FBI warn that Royal ransomware gang may rebrand as ‘BlackSuit’

The leading cybersecurity agencies in the U.S. released startling new data on the Royal ransomware gang on Monday, confirming previous reports that the gang may be preparing for a rebrand.

In June, BleepingComputer reported that Royal ransomware had added the BlackSuit encryptor to its arsenal, echoing reports from TrendMicro and other cybersecurity researchers that the gang was preparing for a rebrand following increased law enforcement scrutiny following its high-profile attack on the city of Dallas in May.

In an update to a March advisory on Monday, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) confirmed that they too believed a Royal rebrand was in the offing.

“Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded 275 million USD. Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid,” the agencies said.

“Phishing emails are among the most successful vectors for initial access by Royal threat actors. There are indications that Royal may be preparing for a re-branding effort and/or a spinoff variant. Blacksuit ransomware shares a number of identified coding characteristics similar to Royal.”

Several cybersecurity experts believe Royal ransomware is itself a spinoff of the Conti ransomware gang, which shut down its operations last year following a devastating attack on the government of Costa Rica.

Royal has been a prolific operation, with one cyber insurance company saying in September that the group, alongside BlackCat and LockBit 3.0, were the most common ransomware variants seen in the first half of 2023.

While Royal has continued to launch attacks since June, BlackSuit ransomware has been recently used against some organizations.

One of the U.S.’s most popular zoos — ZooTampa — confirmed to Recorded Future News in July that it was dealing with a ransomware attack which was later claimed by hackers calling themselves BlackSuit.

Experts from cybersecurity firm Trend Micro said in May that the ransomware has been used against both Windows and Linux users. Trend Micro examined the BlackSuit and Royal ransomware strains, finding a more than 90% similarity profile — something several other cybersecurity companies have corroborated.

On Monday, the FBI and CISA said both Royal and BlackSuit threat actors have been observed using legitimate software and open source tools during ransomware operations.

The tools include open source network tunneling products like Chisel and Cloudflared, as well as Secure Shell (SSH) Client, OpenSSH, and MobaXterm to establish SSH connections.

“The publicly available credential stealing tool Mimikatz and password harvesting tools from Nirsoft have also been found on victim systems,” they said.

“Legitimate remote access tools AnyDesk, LogMein, and Atera Agent have also been observed as backdoor access vectors.”

The advisory provides updated information on things organizations can look out for if they suspect they have been attacked with either the Royal or BlackSuit encryptor.

Before its attack on the city of Dallas, the Royal ransomware gang made a point of targeting hospitals. An advisory from the U.S. Department of Health and Human Services (HHS) warned hospitals and organizations in the healthcare sector last December to stay on alert for attacks from the Royal ransomware group.

HHS said attacks by the group on healthcare facilities are increasing and that the group typically demands ransoms between $250,000 and $2 million. HHS also referenced a Microsoft report that found multiple actors spreading the Royal ransomware.

That report found that the group used Google Ads in one of their campaigns of attacks – which includes dozens of law firms and businesses across the U.S. as well as one of the most popular motor racing circuits in the United Kingdom.

“Royal is an operation that appears to consist of experienced actors from other groups, as there have been observed elements from previous ransomware operations,” they said. “While most of the known ransomware operators have performed Ransomware-as-a-Service, Royal appears to be a private group without any affiliates while maintaining financial motivation as their goal.”