Tampa Bay zoo targeted in cyberattack by apparent offshoot of Royal ransomware

One of the U.S.’s most popular zoos has been hit with a cyberattack involving the theft of employee and vendor information, and a likely offshoot of the Royal ransomware gang is taking credit.

ZooTampa confirmed to Recorded Future News that it recently discovered an incident that impacted its network environment.

“Upon detecting the incident, the Zoo took swift action and promptly engaged third-party forensic specialists to assist us with securing the network environment and investigate the extent of the unauthorized activity. ZooTampa also contacted and are working with federal law enforcement,” a spokesperson said.

The organization notified employees and vendors whose information may have been accessed, while it continues to investigate.

“ZooTampa does not store personal or financial information on daily visitors or members,” they said.

The zoo, which is consistently ranked in the country’s top 10, is run by a nonprofit and was designated a center for Florida wildlife conservation and biodiversity by the state government. It is in the process of raising funds for a $125 million renovation announced in December.

The spokesperson did not respond to further questions about whether the attack involved ransomware, but on July 5 the BlackSuit ransomware gang claimed to have attacked the zoo.

Con ... oops ... I mean, *Black Suit* has listed #ZooTampa (there’s a pun to be made here, I’m sure - @uuallan? @AShukuhi?) #ransomware #BlackSuit 1/2 pic.twitter.com/FExzpaJ1tU

— Brett Callow (@BrettCallow) July 5, 2023

The group is relatively new, having first appeared in May, and has posted three victims to its extortion site, according to Recorded Future ransomware expert Allan Liska. The Record is an editorially independent unit of Recorded Future.

According to Liska, the group appears to have ties to the Royal ransomware gang, which is responsible for headline-grabbing attacks on the city of Dallas and more. Both BlackSuit and Royal also have ties to the now defunct Conti ransomware group, which disbanded last June and splintered into several new gangs, according to experts.

While the BlackSuit group is new, the operators are likely experienced due to their work with Conti and other ransomware strains, Liska said.

“There is usually a delay between when attacks happen and when victim data is posted to extortion sites, so I think we will see more victims posted shortly,” he added.

BleepingComputer reported last month that due to the widespread media coverage of the devastating attack on Dallas, Royal ransomware operators were considering disbanding the group and reforming under a new name. They began testing BlackSuit encryptor in May, the outlet reported alongside several other cybersecurity researchers.

Experts from cybersecurity firm Trend Micro said in May that the ransomware has been used against both Windows and Linux users. Trend Micro examined the BlackSuit and Royal ransomware strains, finding a more than 90% similarity profile — something several other cybersecurity companies have corroborated.