Royal ransomware may soon rebrand, BlackSuit links confirmed The Register

The FBI and the US govt's Cybersecurity and Infrastructure Security Agency have released fresh guidance on the Royal ransomware operation, saying that evidence suggests it may soon undergo a long-speculated rebrand. The agencies didn't specify a reason for the rebrand or spinoff variant, but rebranding in the ransomware industry is fairly common.

The security industry has highlighted a suspected link between Royal and BlackSuit for months, and the latest update to the security agencies' advisory confirms code overlaps and similarities in intrusion techniques. CISA and the FBI believe the similarities between the two Windows ransomware families indicate either a potential rebrand of Royal altogether or at least a spinoff variant.

"Royal and Blacksuit threat actors have been observed using legitimate software and open source tools during ransomware operations," the advisory read. "Threat actors have been observed using open source network tunneling tools such as Chisel and Cloudflared, as well as Secure Shell Client, OpenSSH, and MobaXterm to establish SSH connections."

Trend Micro's May report on the similarities between the two predicted that BlackSuit was either a new variant developed by Royal itself, a copycat strain, or an affiliate of Royal's RaaS program that had made its own changes to the kit. Its security researchers also found striking similarities between the two strains, with very little code differentiating them.

"After comparing both samples of the Royal and BlackSuit ransomware, it became apparent to us that they have an extremely high degree of similarity to each other," said Trend Micro. "In fact, they're nearly identical, with 98 percent similarities in functions, 99.5 percent similarities in blocks, and 98.9 percent similarities in jumps based on BinDiff, a comparison tool for binary files."

It also cited security researchers who had noted that YARA rules created for the ESXi variants of Royal ransomware also matched BlackSuit's ESXi version. These discoveries generally align with this week's updated security advisory, which said that, according to the FBI's investigations, the overlapping indicators of compromise between the two families were first spotted in June.

The advisory comes as Western intelligence agencies remain on high alert for attacks on critical national infrastructure, a threat that's been among the primary focuses for national security experts for the past few years, but throughout the previous 12 months especially. The UK's National Cyber Security Centre published its annual review today, and alongside the threat of AI to upcoming elections and ransomware more generally, fears of attacks targeting UK CNI have intensified in the past year, with defenders struggling to match the pace of the evolving threat.

Royal was previously pinpointed as a group known for targeting CNI. The FBI and CISA previously warned of the group's threat in March, saying it had targeted "Numerous" CNI sectors, including but not limited to manufacturing, communications, healthcare, and education.

Royal's other major attacks include one on the city of Dallas, Texas, in May. The effects of the attack were reportedly wide-ranging, affecting various functions like the city's police department and a water utility company.

The FBI and CISA revealed this week that Royal has attempted to extort a total of $275 million from more than 350 known victims since September 2022. BlackBerry's security unit reckons the ransom range isn't as large as the authorities suggest, with typical extortion attempts estimated to be between $250,000 and $2 million.

Microsoft's incident response data pegged Royal as one of the most prolific ransomware groups in operation over the past year. When looking at the top ransomware strains that had achieved breaches, 12 percent were related to Royal.

The advisory from CISA and the FBI includes more details on the full range of IOCs and mitigation guidance for both Royal and BlackSuit ransomware families.
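As an added example that is not from the article or the advisory, here is a small Python detector that flags process-creation events for the tunneling tools the advisory names (Chisel, Cloudflared, SSH reverse/SOCKS tunnels via OpenSSH, and MobaXterm). The field names assume Sysmon-style JSON logs, and the hosts, users and command lines are constructed sample data.

```python
import json
import re
from dataclasses import dataclass

# Hypothetical detection rules keyed on the tooling the CISA/FBI advisory says Royal
# and BlackSuit operators use. Field names (Computer, User, CommandLine) are assumed
# to follow a Sysmon-style process-creation schema.
TUNNELING_RULES = {
    "chisel": re.compile(r"\bchisel(\.exe)?\b.*\b(client|server)\b", re.I),
    "cloudflared": re.compile(r"\bcloudflared(\.exe)?\b.*\btunnel\b", re.I),
    # ssh -R / -D sets up reverse or SOCKS tunnels; plain ssh without forwarding is left alone
    "ssh_tunnel": re.compile(r"\bssh(\.exe)?\b.*\s-(R|D)\s", re.I),
    "mobaxterm": re.compile(r"\bmobaxterm(\.exe)?\b", re.I),
}

@dataclass
class Finding:
    rule: str
    host: str
    user: str
    command_line: str

def scan_events(lines):
    """Return one Finding per JSON event whose CommandLine matches a tunneling rule."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        evt = json.loads(line)
        cmd = evt.get("CommandLine", "")
        for name, pattern in TUNNELING_RULES.items():
            if pattern.search(cmd):
                findings.append(Finding(name, evt.get("Computer", "?"), evt.get("User", "?"), cmd))
                break  # one finding per event is enough for triage
    return findings

# Constructed sample events (not real telemetry); 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = r"""
{"Computer":"WS-01","User":"CORP\\jdoe","CommandLine":"chisel.exe client 203.0.113.10:8080 R:socks"}
{"Computer":"SRV-02","User":"CORP\\svc","CommandLine":"ssh.exe -N -R 2222:localhost:3389 user@203.0.113.10"}
{"Computer":"WS-03","User":"CORP\\asmith","CommandLine":"ssh.exe git@github.com"}
{"Computer":"WS-04","User":"CORP\\bob","CommandLine":"cloudflared.exe tunnel run --token TOKEN-PLACEHOLDER"}
{"Computer":"WS-05","User":"CORP\\carol","CommandLine":"notepad.exe notes.txt"}
"""

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS.splitlines()):
        print(f"[{f.rule}] {f.host} {f.user}: {f.command_line}")
```

Matches on these tools are a triage signal, not proof of intrusion; the rule is meant to be tuned against an allowlist of hosts and users that legitimately run them.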

This Cyber News was published on www.theregister.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000

