A joint FBI and CISA advisory reports that the Royal ransomware operation has compromised more than 350 organizations worldwide since September 2022, with cumulative ransom demands exceeding $275 million. The figures give a concrete measure of the scale and financial impact of the group's extortion campaign.
Royal follows a double-extortion model: it exfiltrates data before encrypting, demands a ransom, and publishes the stolen data if the ransom is not paid. Initial access most often comes from a successful phishing email, a vector that has proven highly effective for the group.
The update builds on an advisory the FBI and CISA first published in March 2023, which supplied indicators of compromise and mitigations for Royal intrusions and documented the group's tactics, techniques, and procedures (TTPs) so that defenders could detect and block them.
Royal had already drawn attention when the Department of Health and Human Services (HHS) linked it to multiple attacks on U.S. healthcare organizations. Concern grew when BlackSuit ransomware surfaced with code closely resembling Royal's, suggesting a rebrand or a spinoff variant.
A rebrand expected in May did not materialize, but reports in June indicated the gang was testing a BlackSuit encryptor. Researchers observed that transition stall; Royal nevertheless kept evolving, eventually operating under the BlackSuit name and reorganizing into a more centralized operation.
That centralization reverses the structure Royal used earlier in 2023, when it operated as several smaller, loosely coordinated teams, and returns to the hierarchical model of its Conti roots.
Royal's history traces back to the Conti cybercrime syndicate; it branched off as Quantum ransomware before taking the name "Royal." Although it first appeared in early 2022, its activity increased sharply after September 2022, when the group moved from tools borrowed from other operations to a toolset of its own.
Its encryptors evolved in step: from Zeon, which closely resembled Conti's, to the Royal encryptor, and later to variants capable of encrypting Linux systems, notably VMware ESXi hosts and the virtual machines they run.
Royal gains entry in two main ways: by exploiting vulnerabilities in internet-facing devices, and by callback phishing. In a callback phish the email carries no malicious link or attachment for a filter to detonate; instead it urges the recipient to call a phone number, where the attacker talks the victim into installing remote access software. That software then gives the attackers a foothold from which to move through the network.
Once inside, the group encrypts critical enterprise systems and demands ransoms ranging from hundreds of thousands to tens of millions of dollars per victim, which is what drives the losses the advisory tallies.
Defending against Royal starts with the basics: patch internet-facing systems promptly, filter email for phishing (including lures that contain only a phone number and no link or attachment), and monitor the network and endpoints for anomalous activity such as unexpected remote access tools or large outbound transfers. Because the callback lure ends with the victim installing a remote access tool, restricting which such tools may run and alerting on unapproved ones directly addresses that vector. Ongoing user awareness training rounds out the defense against tactics that keep changing.
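Two of the controls above, spotting a callback-phishing lure and catching the remote access tool it leads to, can be reduced to simple detection logic. The following is an added example written for this article, not code from the advisory or from any vendor. The phone-number and lure-word heuristics, the list of remote access tool names, the log format, and all sample data are assumptions constructed for illustration; adapt them to your own mail and endpoint telemetry.

```python
"""Constructed detection helpers for the Royal callback-phishing chain.

Added example, not from the CISA/FBI advisory. Regexes, tool names, log
format and sample data are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass, field

# Loose North-American phone pattern; callback lures rely on a number, not a link.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Vocabulary of a fake subscription/invoice notice (assumed word list).
LURE_WORDS = ("subscription", "renewal", "invoice", "charged", "trial", "cancel", "refund")
# Remote access tools the lure pushes the victim to install (assumed names;
# substitute your own sanctioned/unsanctioned inventory).
REMOTE_ACCESS_TOOLS = ("anydesk", "teamviewer", "atera", "splashtop", "logmein")
# Assumed process-creation log shape: "<ts> host=<h> user=<u> image=<path>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+image=(?P<image>.+)$")


@dataclass
class EmailVerdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold is a tuning assumption, not a published value.
        return self.score >= 3


def score_callback_phish(subject: str, body: str, attachments: tuple[str, ...] = ()) -> EmailVerdict:
    """Score one message for callback-phishing traits; higher means more suspicious."""
    text = f"{subject}\n{body}".lower()
    v = EmailVerdict()
    phones = PHONE_RE.findall(text)
    if phones:
        v.score += 1
        v.reasons.append(f"phone number present ({len(phones)})")
    lures = [w for w in LURE_WORDS if w in text]
    if lures:
        v.score += 1
        v.reasons.append("lure vocabulary: " + ", ".join(lures))
    if phones and not URL_RE.search(text) and not attachments:
        # The defining trait: a number to call, but nothing for a filter to detonate.
        v.score += 1
        v.reasons.append("phone number but no URL or attachment")
    if re.search(r"\bcall\b.*\b(us|support|now|immediately|within)\b", text):
        v.score += 1
        v.reasons.append("explicit call-to-phone instruction")
    return v


def flag_remote_tool_launches(log_lines, sanctioned_hosts=frozenset()):
    """Return (ts, host, user, image) for remote access tools started off the sanctioned hosts."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        image = m["image"].rsplit("\\", 1)[-1].lower()
        if any(tool in image for tool in REMOTE_ACCESS_TOOLS) and m["host"] not in sanctioned_hosts:
            hits.append((m["ts"], m["host"], m["user"], image))
    return hits


# Constructed sample data for a stand-alone run.
SAMPLE_EMAIL = (
    "Your subscription renewal",
    "Hello, your annual subscription has been renewed and your card was charged $499.99. "
    "If you did not authorize this, call us now at 1-800-555-0199 to cancel within 24 hours.",
)
SAMPLE_LOGS = [
    "2023-11-13T09:14:02Z host=FIN-WS-17 user=jdoe image=C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
    "2023-11-13T09:15:40Z host=FIN-WS-17 user=jdoe image=C:\\Windows\\System32\\notepad.exe",
    "2023-11-13T10:02:11Z host=IT-ADMIN-01 user=helpdesk image=C:\\Program Files\\TeamViewer\\TeamViewer.exe",
]

if __name__ == "__main__":
    verdict = score_callback_phish(*SAMPLE_EMAIL)
    print("email suspicious:", verdict.suspicious, verdict.reasons)
    for hit in flag_remote_tool_launches(SAMPLE_LOGS, sanctioned_hosts={"IT-ADMIN-01"}):
        print("unapproved remote access tool:", hit)
```

The email scorer deliberately treats "phone number but no link or attachment" as a signal in its own right, since that absence is what lets callback lures slip past detonation-based filters. The process check is only as good as the allowlist of hosts and tool names you maintain; in practice it belongs alongside application control that blocks unapproved remote access tools outright.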