Tampa Zoo
Image: TampAGS via Wikimedia Commons

Tampa Bay zoo targeted in cyberattack by apparent offshoot of Royal ransomware

One of the U.S.’s most popular zoos has been hit with a cyberattack involving the theft of employee and vendor information, and a likely offshoot of the Royal ransomware gang is taking credit.

ZooTampa confirmed to Recorded Future News that it recently discovered an incident that impacted its network environment.

“Upon detecting the incident, the Zoo took swift action and promptly engaged third-party forensic specialists to assist us with securing the network environment and investigate the extent of the unauthorized activity. ZooTampa also contacted and are working with federal law enforcement,” a spokesperson said.

The organization notified employees and vendors whose information may have been accessed, while it continues to investigate.

“ZooTampa does not store personal or financial information on daily visitors or members,” they said.

The zoo, which is consistently ranked in the country’s top 10, is run by a nonprofit and was designated a center for Florida wildlife conservation and biodiversity by the state government. It is in the process of raising funds for a $125 million renovation announced in December.

The spokesperson did not respond to further questions about whether the attack involved ransomware, but on July 5 the BlackSuit ransomware gang claimed to have attacked the zoo.

The group is relatively new, having first appeared in May, and has posted three victims to its extortion site, according to Recorded Future ransomware expert Allan Liska. The Record is an editorially independent unit of Recorded Future.

According to Liska, the group appears to have ties to the Royal ransomware gang, which is responsible for headline-grabbing attacks on the city of Dallas and more. Both BlackSuit and Royal also have ties to the now defunct Conti ransomware group, which disbanded last June and splintered into several new gangs, according to experts.

While the BlackSuit group is new, the operators are likely experienced due to their work with Conti and other ransomware strains, Liska said.

“There is usually a delay between when attacks happen and when victim data is posted to extortion sites, so I think we will see more victims posted shortly,” he added.

BleepingComputer reported last month that due to the widespread media coverage of the devastating attack on Dallas, Royal ransomware operators were considering disbanding the group and reforming under a new name. They began testing BlackSuit encryptor in May, the outlet reported alongside several other cybersecurity researchers.

Experts from cybersecurity firm Trend Micro said in May that the ransomware has been used against both Windows and Linux users. Trend Micro examined the BlackSuit and Royal ransomware strains, finding a more than 90% similarity profile — something several other cybersecurity companies have corroborated.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.