The Royal ransomware group’s rise up the cybercriminal pecking order continues with U.S. federal agencies revealing the gang has demanded more than $275 million from over 350 victims since September 2022.
The new figures are included in a Nov. 13 update to a cybersecurity advisory profiling the gang. The advisory was initially published in March by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA).
In the updated advisory, the agencies said there are indications Royal may be preparing to rebrand or split into two threat groups, and noted its apparent links to another ransomware gang, BlackSuit.
The Royal gang is believed to consist mainly of former operatives of the Conti ransomware group, which shut down in the middle of last year.
Royal’s attacks this year have included exfiltrating more than 1.1 TB of data from the City of Dallas, compromising information belonging to more than 30,000 individuals.
“Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid,” CISA and the FBI said, adding that phishing emails are one of the group's most successful initial-access vectors.
According to a report by Coalition, Royal was one of the three most prolific ransomware groups in the first half of 2023, along with BlackCat and LockBit.
Is another Royal ransomware spinoff waiting in the wings?
The updated joint advisory noted indications that the Royal group may rebrand or create another spinoff variant, adding that BlackSuit ransomware shares a number of identified coding characteristics with Royal.
Researchers, including Trend Micro, have previously speculated on the links between the two gangs. BlackSuit was first observed in May this year.
“The emergence of BlackSuit ransomware (with its similarities to Royal) indicates that it is either a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang that has implemented modifications to the original family,” Trend Micro researchers said in a May research report.
“One possibility for BlackSuit’s creation is that, since the threat actors behind Royal (and Conti before it) are one of the most active ransomware groups in operation today, this may have led to increased attention from other cybercriminals, who were then inspired to develop a similar ransomware in BlackSuit,” the report continued. “Another option is that BlackSuit emerged from a splinter group within the original Royal ransomware gang.”
Ransomware groups use legitimate software
CISA and the FBI said both groups were observed using legitimate software and open-source tools during ransomware operations, including network tunneling tools such as Chisel and Cloudflared, as well as Secure Shell (SSH) Client, OpenSSH, and MobaXterm to establish SSH connections.
“The publicly available credential stealing tool Mimikatz and password harvesting tools from Nirsoft have also been found on victim systems,” the agencies said.
“Legitimate remote access tools AnyDesk, LogMeIn, and Atera Agent have also been observed as backdoor access vectors.”
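The dual-use tools the advisory lists are a practical starting point for detection engineering: none of them is malicious on its own, so the useful signal is which tool ran, under which account, and from where. The script below is an added example written for this article, not detection content from the CISA/FBI advisory or from any vendor. It scans constructed, tab-separated process-creation events (time, host, user, image path, publisher, command line) for the tool families named above and grades each hit by category and by whether the binary ran from a user-writable location. The executable basenames (chisel.exe, cloudflared.exe, ssh.exe, mobaxterm.exe, mimikatz.exe, anydesk.exe, logmein.exe, ateraagent.exe), the publisher-based rule for NirSoft utilities, the log layout and the severity scheme are all this example's assumptions; match them to your own telemetry before use.

```python
"""Flag execution of the dual-use tools named in the Royal/BlackSuit advisory.

Added example for illustration, not the advisory's own content. The event
format, executable names, publisher rule and severity scheme are assumptions.
"""
import re
from typing import Dict, Iterable, List, Optional

# Tool families from the advisory, keyed by how the gang used them.
# Basenames are assumed; renamed binaries will not match on name alone.
TOOL_RULES: Dict[str, set] = {
    "tunneling":     {"chisel.exe", "cloudflared.exe"},
    "ssh_client":    {"ssh.exe", "mobaxterm.exe"},
    "cred_theft":    {"mimikatz.exe"},
    "remote_access": {"anydesk.exe", "logmein.exe", "ateraagent.exe"},
}

# Categories that are high severity wherever the binary lives.
ALWAYS_HIGH = {"tunneling", "cred_theft"}

# Directories an ordinary user can write to; a tool launched from one of
# these is more suspicious than the same tool under Program Files.
USER_WRITABLE = re.compile(r"\\(users|temp|programdata|public)\\", re.IGNORECASE)

EVENT_FIELDS = ("time", "host", "user", "image", "publisher", "cmdline")


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one tab-separated event; return None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(EVENT_FIELDS):
        return None
    return dict(zip(EVENT_FIELDS, parts))


def classify_event(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding if the event matches a tool rule, else None."""
    image = ev["image"].replace("/", "\\")
    basename = image.rsplit("\\", 1)[-1].lower()
    category = next((c for c, names in TOOL_RULES.items() if basename in names), None)
    # NirSoft ships many differently named utilities, so key on the
    # (assumed) publisher field instead of a file name.
    if category is None and "nirsoft" in ev["publisher"].lower():
        category = "cred_theft"
    if category is None:
        return None
    severity = "high" if category in ALWAYS_HIGH or USER_WRITABLE.search(image) else "medium"
    return {
        "host": ev["host"], "user": ev["user"], "tool": basename,
        "category": category, "severity": severity,
    }


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run every event through the rules and collect the findings in order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        finding = classify_event(ev)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry); index 5 is deliberately malformed.
SAMPLE_EVENTS = [
    "\t".join(["2023-11-13T09:58:02Z", "host01", r"CORP\alice",
               r"C:\Windows\System32\OpenSSH\ssh.exe", "Microsoft Corporation",
               "ssh admin@fileserver"]),
    "\t".join(["2023-11-13T10:02:11Z", "host01", r"CORP\svc-backup",
               r"C:\Users\Public\chisel.exe", "", "chisel.exe client"]),
    "\t".join(["2023-11-13T10:05:40Z", "host02", r"CORP\bob",
               r"C:\Program Files\AnyDesk\AnyDesk.exe", "AnyDesk (constructed publisher)",
               "AnyDesk.exe --service"]),
    "\t".join(["2023-11-13T10:07:09Z", "host02", r"CORP\bob",
               r"C:\ProgramData\wbpv.exe", "NirSoft", "wbpv.exe /stext out.txt"]),
    "\t".join(["2023-11-13T10:09:55Z", "host03", r"CORP\carol",
               r"C:\Windows\System32\notepad.exe", "Microsoft Corporation", "notepad.exe"]),
    "2023-11-13T10:10:00Z\thost03\ttruncated line without all fields",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['category']:13} {f['tool']:12} {f['host']} {f['user']}")
```

Name and publisher matching is deliberately cheap and deliberately incomplete: the advisory notes these tools are legitimate, so the point is to surface them for triage rather than to block them, and a renamed binary or a stripped signature will slip past these rules. In practice, pair this with the hashes and other indicators from the advisory's IoC list and with baselines of which hosts and accounts are expected to run SSH or remote-support software.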
The advisory contained detailed advice on how to avoid ransomware attacks, together with an updated list of indicators of compromise associated with the Royal ransomware gang.