November 14, 2023 at 09:53AM
The FBI and CISA have released guidance on the Royal ransomware operation, suggesting that it may undergo a rebrand. The agencies have observed code overlaps and similarities in intrusion techniques between Royal and BlackSuit ransomware, indicating a potential rebrand or spinoff variant. The advisory provides information on the IOCs and mitigation guidance for both ransomware families. Royal has attempted to extort $275 million from over 350 victims since September 2022.
Meeting Notes Summary:
The US Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have released new guidance on the Royal ransomware operation, indicating that a rebrand or spinoff variant may be imminent. It is common for ransomware groups to rebrand after attracting too much attention from law enforcement. The agencies have found similarities between the Royal and BlackSuit ransomware families, suggesting a potential connection between them. They have observed the use of legitimate software and open source tools in the ransomware operations, as well as the presence of credential-stealing tools and remote access vectors on victim systems. Security researchers have likewise noted the resemblance between Royal and BlackSuit, with a high degree of overlap in functions, blocks, and jumps. The overlapping indicators of compromise (IOCs) between the two ransomware families were first identified in June.

Western intelligence agencies are on high alert for attacks on critical national infrastructure (CNI), with CNI targeting being one of the primary concerns for national security experts. Royal has previously been known for targeting CNI sectors. The group has attempted to extort $275 million from over 350 known victims since September 2022. Reports differ on the size of the ransom demands: the FBI and CISA cite a range of $1 million to $11 million, while BlackBerry's security unit cites $250,000 to $2 million. Microsoft's incident response data identifies Royal as one of the most prolific ransomware groups, accounting for 12% of breaches.

The advisory from CISA and the FBI provides further details on the indicators of compromise (IOCs) and mitigation guidance for both the Royal and BlackSuit ransomware families.