Analysis Summary

CISA and the FBI have recently published a joint advisory in which they revealed that the Royal ransomware gang has impacted the networks of at least 350 organizations all over the world since September 2022, and this operation is linked to over $275 million in ransom demands.

“Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded 275 million USD”, the advisory mentioned.

Royal ransomware has been a persistent threat for a long time and is capable of data exfiltration and extortion before carrying out encryption of the files on the victim device. The gang is known to publish the sensitive data online if a ransom is not paid on time. Royal threat actors use phishing emails as their most successful vector for initial access.

The FBI and CISA first shared indicators of compromise along with a list of tactics, techniques, and procedures (TTPs) back in March to help security experts in detecting and preventing infections from Royal ransomware on organization networks.

The joint advisory was first issued after the Department of Health and Human Services (HHS) revealed in December 2022 that the ransomware gang was responsible for various attacks against U.S. healthcare organizations.

It is also noted that Royal might be planning a rebranding initiative or a spinoff variant, as another ransomware named BlackSuit shares many characteristics with Royal in its code. Royal ransomware has also been testing a new BlackSuit encryptor, which looks very similar to the operation’s usual encryptor.

Researchers have believed since May that Royal ransomware would rebrand when the BlackSuit ransomware resurfaced. It hasn’t happened yet, as Royal still actively targets enterprise organizations, using BlackSuit in some attacks. It makes more sense if Royal is planning to use BlackSuit to launch attacks on certain types of victims.

Royal ransomware is a private operation consisting of highly skilled hackers who are infamous for previously working with the Conti cybercrime gang. They were first discovered in January 2022 and their activities have seen a rapid increase since September 2022.

They’re known for usually infiltrating targets’ networks by abusing known vulnerabilities in internet-facing devices. The ransomware operators also make use of callback phishing attacks, in which the target contacts the phone numbers in suspicious emails that are disguised to look innocent. Then the attackers use social engineering attacks to trick the victims into installing malicious software.

Royal operators focus on encrypting their targets’ enterprise systems, exfiltrating sensitive data, and demanding large ransoms ranging from $250,000 to tens of millions per attack.


  • Financial Loss
  • Sensitive Data Theft
  • File Encryption

Indicators of Compromise





Domain Name



  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
  • Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
  • Emails from unknown senders should always be treated with caution.
  • Never trust or open links and attachments received from unknown sources/senders.
  • Implement network segmentation to limit lateral movement within the network.
  • Enforce the principle of least privilege (PoLP) to restrict user access rights. Limiting user permissions can prevent the rapid spread of ransomware across the network.
  • Implement robust monitoring and detection mechanisms to identify unusual or suspicious activities on the network. This includes the use of intrusion detection systems (IDS) and security information and event management (SIEM) solutions.
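
For the "search for IOCs in your environment" step, here is a minimal file-hash sweep, added as an example and not taken from the advisory: it sorts an unlabeled indicator feed into MD5, SHA-1 and SHA-256 by digest length and hashes each file in a single read. All function names are hypothetical, and the sample files and indicator in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

# Hex digest length -> hashlib algorithm; length is what separates unlabeled hash types.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def load_indicators(lines):
    """Group hex indicators by algorithm; anything that is not a hash is ignored."""
    grouped = {name: set() for name in ALGO_BY_LEN.values()}
    for line in lines:
        value = line.strip(" \t\r\n•").lower()  # tolerate bullets and upper case
        algo = ALGO_BY_LEN.get(len(value))
        if algo and all(c in "0123456789abcdef" for c in value):
            grouped[algo].add(value)
    return grouped

def digests(path, chunk=1 << 20):
    """Read the file once and return its md5, sha1 and sha256 digests."""
    hashers = {name: hashlib.new(name) for name in ALGO_BY_LEN.values()}
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def sweep(root, indicators):
    """Return sorted (path, algorithm, digest) hits for files under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files):
            try:
                found = digests(path)
            except OSError:
                continue  # unreadable or vanished file: keep sweeping
            hits += [(path, a, d) for a, d in found.items() if d in indicators[a]]
    return sorted(hits)

def demo():
    """Constructed sample: the indicator is the hash of a file created here."""
    data = b"constructed sample, not malware"
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("sample.bin", data), ("clean.txt", b"benign")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        feed = ["  • " + hashlib.sha1(data).hexdigest().upper(), "not-a-hash"]
        hits = sweep(root, load_indicators(feed))
        return [(os.path.basename(p), algo) for p, algo, _ in hits]
```

A hash match only finds known samples, so an empty result does not rule out a repacked or modified variant.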