November 14, 2023 at 09:27AM
The Royal ransomware gang has targeted over 350 organizations worldwide, demanding over $275 million in ransom. The cybercriminals are potentially planning to rebrand their operation, according to the US cybersecurity agency CISA and the FBI. The gang has attacked entities in critical infrastructure, education, healthcare, and manufacturing sectors, demanding payments in Bitcoin ranging from $1 million to $11 million. CISA and the FBI have updated their advisory with additional indicators of compromise and tactics associated with Royal attacks. The agencies also warn of a potential rebranding or spin-off, as another ransomware group called Blacksuit shares coding characteristics with Royal.
Key takeaways from the meeting notes are as follows:
1. The Royal ransomware gang has targeted over 350 organizations worldwide, demanding ransoms exceeding $275 million.
2. The cybercriminals behind Royal have attacked entities in critical infrastructure, education, healthcare, and manufacturing sectors.
3. Ransom demands from Royal range from $1 million to $11 million in Bitcoin.
4. CISA and the FBI issued an alert in March 2023, urging organizations to implement security best practices to protect against Royal and other ransomware attacks.
5. The agencies have updated their advisory to provide additional indicators of compromise (IoCs) and update the list of observed tactics, techniques, and procedures (TTPs) associated with Royal attacks.
6. There is a potential rebranding or spin-off of the Royal operation, with similarities identified between Royal and Blacksuit ransomware.
7. Royal typically gains initial access through phishing and abuse of remote desktop protocol (RDP), web vulnerabilities, and initial access brokers.
8. The threat actors use various tools for persistence, lateral movement, data harvesting, and exfiltration.
9. Royal publishes victim data on its leak site if a ransom is not paid.
10. Royal has targeted critical infrastructure sectors, including manufacturing, communications, healthcare, public healthcare, and education.
11. Trend Micro has linked Royal to the Conti ransomware group and identified it as a rebranded version of Zeon ransomware.
12. The US Department of Health and Human Services (HHS) has warned healthcare organizations about Royal ransomware attacks.