"Royal Ransomware Possibly Rebranding After Targeting 350 Organizations Worldwide"
Since its inception, the Royal ransomware gang has targeted at least 350 organizations worldwide, with ransom demands exceeding $275 million. According to the US cybersecurity agency CISA and the FBI, the cybercriminals may be preparing to rebrand their operation. The group has been active since at least September 2022. In March 2023, CISA and the FBI issued an alert on the Royal ransomware operation, urging organizations to implement security best practices to protect their environments against Royal and other ransomware attacks. Recently, the two US agencies updated their advisory to provide additional indicators of compromise (IoCs) associated with Royal attacks and to update the list of observed tactics, techniques, and procedures (TTPs). The update also warns of a potential rebranding of the operation, or at least a spin-off, pointing out that “Blacksuit ransomware shares a number of identified coding characteristics similar to Royal.” Royal typically relies on phishing for initial access. The group was also seen abusing remote desktop protocol (RDP), exploiting vulnerabilities in web-facing assets, and leveraging initial access brokers to get into victims’ networks.