The FBI and CISA revealed in a joint advisory that the Royal ransomware gang has breached the networks of at least 350 organizations worldwide since September 2022.

In an update to the original advisory published in March, incorporating additional information uncovered during FBI investigations, the two agencies also noted that the ransomware operation is linked to more than $275 million in ransom demands.

"Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded 275 million USD," the advisory reads. "Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors."

In March, the FBI and CISA first shared indicators of compromise and a list of tactics, techniques, and procedures to help defenders detect and block attempts to deploy Royal ransomware payloads on their networks. That joint advisory was issued after the Department of Health and Human Services security team revealed in December 2022 that the ransomware operation was behind multiple attacks against U.S. healthcare organizations.

The advisory update also notes that Royal may be preparing a rebranding effort and/or a spinoff variant, as BlackSuit ransomware exhibits several coding characteristics shared with Royal.

BleepingComputer reported in June that the Royal ransomware gang had been testing a new BlackSuit encryptor, which shares many similarities with the operation's usual encryptor. Although a rebrand of the Royal operation was expected after the BlackSuit ransomware operation surfaced in May, it never happened: Royal is still actively targeting enterprise organizations and uses BlackSuit only in a limited number of attacks.
Because BlackSuit runs as a self-contained operation, Royal may instead be planning to launch a subgroup focused on certain types of victims: a rebrand no longer makes sense once the similarities between the two encryptors have been publicly identified.

Royal ransomware is a private operation run by highly skilled threat actors known for previously working with the infamous Conti cybercrime gang. While they initially used ransomware encryptors from other operations, such as ALPHV/BlackCat, likely to avoid drawing attention, the gang has since shifted to deploying its own tools. Their first encryptor, Zeon, dropped ransom notes reminiscent of those generated by Conti; they switched to the Royal encryptor after rebranding in mid-September 2022.

Besides breaching targets' networks by exploiting security vulnerabilities in internet-exposed devices, Royal operators are also known for callback phishing attacks, in which the victim is lured into phoning a number controlled by the attackers, who then talk them into installing remote access software that gives the gang its initial foothold.

The modus operandi of Royal operators involves encrypting their targets' enterprise systems and demanding substantial ransoms, ranging from $250,000 to tens of millions of dollars per attack.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000