The Royal ransomware operation has claimed over 350 known victims worldwide in the past year, with ransom demands exceeding 275 million USD, according to an advisory from the FBI.
Since September 2022, Royal ransomware operators have been using custom malware to victimize vulnerable organizations in the US and other countries, the feds say.
In this time, Royal threat actors have successfully targeted over 350 known victims worldwide, with ransom demands ranging from USD 1 million to USD 11 million. In total so far, the extortionists have demanded USD 275 million to unfreeze systems or keep stolen data under wraps.
Royal employs the typical double-extortion technique, whereby it exfiltrates data before encryption, then publishes the victim’s data on a leak site if a ransom is not paid.
“Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems,” according to the joint notice by the FBI and CISA.
Phishing is the most successful vector used for initial access, the advisory notes, as is true for most hacking operations.
The memo, which was updated yesterday to include Royal’s latest tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs), says the Royal cybercrime enterprise differs from most cybercrime operations in that it doesn’t specify ransom amounts or payment instructions in the initial ransom note.
“Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL (reachable through the Tor browser),” according to the advisory.
The FBI and CISA urge organizations everywhere to review the advisory and carry out the recommendations in its mitigations section to reduce the likelihood and impact of ransomware incidents.
In December 2022, Royal claimed responsibility for an attack on telecom company Intrado, threatening to publish sensitive data if ransom demands were not met.
That same month, the US Department of Health and Human Services (HHS) released a security advisory pointing to Royal as a new ransomware campaign attacking healthcare organizations in the United States.
In May this year, Royal carried out a similar attack on the city of Dallas (TX), compromising critical systems, including emergency services. Notably, the attack forced 911 dispatchers to manually write down instructions for responding officers, while officers responded via personal phones and radios.
In a post-incident statement, city officials said they were “exploring all options to remediate this incident,” suggesting they were considering paying ransom if necessary.
Also worth noting, Royal doesn’t work under the Ransomware-as-a-Service (RaaS) model, but rather operates as a private group without affiliates.
According to CISA, there are indications that Royal may be preparing for a spin-off effort. Blacksuit ransomware is believed to be one such offshoot, as it shares a number of identified coding characteristics with Royal.