US Agencies Warn Royal Ransomware Gang May Rebrand as ‘BlackSuit’
The FBI and CISA have issued a joint Cybersecurity Advisory (CSA) to provide information on the Royal ransomware, which has been targeting U.S. and international organizations since September 2022. Royal uses its own custom-made file encryption program and has evolved from earlier versions that used "Zeon" as a loader. Ransom demands range from $1 million to $11 million USD in Bitcoin. Since September 2022, Royal has targeted over 350 known victims worldwide, and ransom demands have exceeded 275 million USD. Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors. There are indications that Royal may be preparing for a re-branding effort and/or a spinoff variant. BlackSuit ransomware shares a number of identified coding characteristics with Royal. A previous joint CSA for Royal ransomware was published on March 2, 2023. This joint CSA provides updated IOCs identified through FBI investigations.