Cybersecurity News & Analysis · github: defconxt · © 2026 · blacktemple.net

Royal

Also known as: Royal Ransomware · BlackSuit · Dev-0569 · Zeon

Category: ransomware
Nation: Unknown
Active Since: 2022
Targets: Healthcare, Critical Infrastructure, Education, Manufacturing, Government, Retail, Financial Services, Telecommunications
Known Tools: Royal Ransomware, BlackSuit Ransomware, Qakbot, Cobalt Strike, Mimikatz, Ursnif, AnyDesk, NetScan, PsExec, Batloader
MITRE ATT&CK: T1566.001, T1078, T1190, T1059.001, T1059.003, T1486, T1490, T1562.001, T1021.002, T1048, T1219, T1133, T1053.005, T1070.001, T1003.001
References: CISA Advisory AA23-061A; FBI Flash Alert - Royal Ransomware; MITRE ATT&CK; Trend Micro - Royal Ransomware

Background

Royal ransomware emerged in September 2022 and rapidly established itself as one of the most active and financially damaging ransomware operations targeting critical infrastructure in the United States and globally. The group is assessed to be composed of former Conti ransomware operators, exhibiting organizational discipline, advanced TTPs, and ransom demands consistent with Conti-era practices. The operation initially ran under the "Zeon" name before rebranding to Royal.

Unlike most ransomware operations, which function as affiliate-based Ransomware-as-a-Service (RaaS), Royal operated as a private group with select affiliates, maintaining tighter control over victim selection, negotiation tactics, and public communications. This selective model let the group carry out consistently high-impact attacks against large organizations rather than follow the volume-based approach of open RaaS platforms. Ransom demands typically ranged from $1 million to $11 million, with cumulative demands exceeding $275 million as of CISA's March 2023 advisory.

CISA and the FBI issued a joint advisory in March 2023 designating Royal as a significant threat to critical infrastructure, particularly healthcare and public health organizations. In mid-2023, Royal activity declined and BlackSuit emerged as an apparent successor or rebranding, sharing near-identical code characteristics with Royal ransomware and indicating continuity of the core development team and operational structure.

Notable Campaigns

Dallas, Texas Municipal Attack (May 2023): Royal ransomware attacked the City of Dallas, disrupting 911 dispatch services, court systems, and water utility management. The attack forced Dallas police and fire departments to revert to manual communications. Recovery costs exceeded $8 million, and 800 gigabytes of data were exfiltrated and published on the Royal leak site.

U.S. Healthcare Sector Targeting (2022-2023): Royal conducted multiple high-profile attacks against U.S. hospitals and healthcare networks. Notable victims included CommonSpirit Health (one of the largest U.S. nonprofit health systems), Baptist Health System, and Silverado Senior Living. Hospital attacks resulted in patient diversions, procedure cancellations, and documented impacts on patient care timelines.

Kansas City Area Transportation Authority (2023): Royal disrupted the Kansas City Area Transportation Authority's operations, affecting transit systems serving hundreds of thousands of daily riders. The attack demonstrated Royal's targeting of transportation critical infrastructure.

BlackSuit Continuation (2023-2024): Following the transition to BlackSuit branding, the group maintained consistent activity. The FBI documented that by July 2024, BlackSuit had issued ransom demands totaling over $500 million, with individual demands reaching as high as $60 million.

Tactics, Techniques & Procedures

Initial Access via Phishing and Callback Fraud: Royal employs multiple initial access vectors. Standard spearphishing with malicious attachments or links remains common (T1566.001). A distinctive Royal technique is "callback phishing": phishing emails that contain a phone number rather than a malicious link, after which victims who call the number are socially engineered into installing remote access tools. The group also exploits internet-facing vulnerabilities in VPNs and public applications (T1190).

Partial Encryption for Speed: Royal's ransomware uses a distinctive "partial encryption" technique, encrypting only a configurable percentage of each file rather than the entire file. This dramatically accelerates encryption, allowing the ransomware to process more files before detection and response. Even though only part of each file is encrypted, the result is effectively unrecoverable without the decryption key.
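The partial-encryption pattern described above leaves a recognizable footprint on disk even when the cipher is unknown: windows of ciphertext-like, near-8-bits-per-byte data interleave with windows that still look like the original content. The following Python script is an added example written for this page (it is not code from Royal, from the advisory, or from this site) that measures per-window Shannon entropy and labels a file body as not-encrypted, partially-encrypted or fully-encrypted. The window size, the two thresholds, and the sample files it builds (random bytes stand in for ciphertext; no cipher is implemented) are assumptions.

```python
import math
import os
from collections import Counter
from pathlib import Path

CHUNK_SIZE = 4096        # bytes per entropy window (assumption; tune to the files you scan)
HIGH_ENTROPY = 7.5       # bits/byte at or above which a window looks like ciphertext
LOW_ENTROPY = 6.0        # bits/byte at or below which a window looks like ordinary data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte block in bits per byte (0.0 for an empty block)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[float]:
    """Entropy of each consecutive window; the last window may be shorter."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """Label a file body by the mix of high- and low-entropy windows it contains.

    'partially-encrypted' is the signature of interest: ciphertext-like windows
    sitting next to windows that still look like the original data.
    """
    ents = window_entropies(data, chunk_size)
    if not ents:
        return "empty"
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    low = sum(1 for e in ents if e <= LOW_ENTROPY)
    if high == len(ents):
        return "fully-encrypted"
    if high and low:
        return "partially-encrypted"
    if high:
        return "indeterminate"      # some ciphertext-like windows, rest mid-range
    return "not-encrypted"


def build_samples(chunks: int = 16, chunk_size: int = CHUNK_SIZE) -> dict[str, bytes]:
    """Constructed sample files (not real victim data).

    Random bytes stand in for ciphertext. 'partial' overwrites every other window,
    mimicking a stripe-style partial encryption of a text-like document.
    """
    line = b"Quarterly budget figures for the northern region, reviewed by finance.\n"
    plain = (line * (chunks * chunk_size // len(line) + 1))[: chunks * chunk_size]
    partial = bytearray(plain)
    for i in range(1, chunks, 2):
        partial[i * chunk_size:(i + 1) * chunk_size] = os.urandom(chunk_size)
    return {"plain": plain, "partial": bytes(partial), "full": os.urandom(chunks * chunk_size)}


def scan_tree(root: str, suffixes: tuple[str, ...] = (".royal", ".blacksuit")) -> dict[str, str]:
    """Classify every regular file under root and note files that also carry one of
    the extensions named in this profile."""
    results = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            label = classify(p.read_bytes())
            if p.suffix.lower() in suffixes:
                label += " +ransom-extension"
            results[str(p)] = label
    return results


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:8s} -> {classify(blob)}")
```

Already-compressed or natively encrypted formats (archives, JPEGs, encrypted office documents) read as fully-encrypted with this method, so in practice compare against a known-good baseline or check file signatures before raising an alert; the partially-encrypted label is the one that is hard to explain away.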

Defense Evasion: Royal disables Windows Defender and other endpoint security products through PowerShell commands and Group Policy modifications (T1562.001). The group uses Cobalt Strike together with BYOVD (Bring Your Own Vulnerable Driver) techniques to terminate EDR processes that cannot be disabled through normal means. Event logs are cleared to hamper forensic investigation (T1070.001).

Lateral Movement and Ransomware Deployment: Following initial access, Royal uses Cobalt Strike and NetScan for network reconnaissance. SMB is used for lateral movement (T1021.002), with PsExec and Group Policy for domain-wide ransomware deployment. ESXi-targeting variants encrypt VMware virtual machine disk files, causing mass VM outages.

Tools & Malware

  • Royal Ransomware: Custom 64-bit Windows ransomware written in C++, using AES-256 encryption with RSA-2048 for key protection. Supports partial encryption mode. Encrypted files receive a .royal extension. Includes an ESXi Linux variant for VMware environment encryption.
  • BlackSuit Ransomware: Near-identical successor to Royal, featuring the same partial encryption approach and C++ codebase. Encrypted files receive a .blacksuit extension. Maintained targeting patterns and ransom demands consistent with Royal.
  • Batloader: A malware loader used for initial access, distributed via SEO-poisoned search results and malicious advertising campaigns.
  • Qakbot: Banking trojan used as an initial access vehicle (before the August 2023 FBI disruption), providing persistent access and reconnaissance before ransomware deployment.
  • Cobalt Strike: Post-exploitation framework used for C2, lateral movement, and ransomware deployment coordination.
  • NetScan: A network scanning utility used for internal network reconnaissance and target identification.
  • AnyDesk / Remote Access Tools: Legitimate remote desktop tools used for persistent access and "hands-on-keyboard" activity during attacks.
  • Mimikatz: Used for credential dumping from LSASS to support lateral movement across victim networks.

Indicators & Detection

Callback Phishing Awareness: Train employees to recognize callback phishing emails that provide phone numbers under the guise of subscription renewals, security alerts, or helpdesk notifications. Calls resulting in remote desktop software installation should trigger immediate security notification. Royal frequently impersonates legitimate software companies and security services in these campaigns.
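Because a callback lure carries no link or attachment, URL and attachment filters have nothing to inspect; what it does carry is a phone number plus a pretext such as a renewal charge or security alert. The Python below is an added example for the callback-phishing technique described in the TTP section and in the awareness guidance above (written for this page, not from any mail-security product or from the advisory): it parses a raw message, scores it on the presence of a phone number, the absence of any URL, and renewal/alert/helpdesk wording, and returns the evidence with the verdict. The phone-number regex (North American formats), the term list, the score threshold and the two sample messages are assumptions.

```python
import re
from email import message_from_string
from email.message import Message

# North American phone formats such as (800) 555-0142 or 1-800-555-0142 (assumption).
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)
# Pretexts the profile names: subscription renewals, security alerts, helpdesk notices.
LURE_TERMS = ("subscription", "renew", "invoice", "charged", "cancel",
              "security alert", "helpdesk", "support line")
SUSPICIOUS_SCORE = 4   # assumption; tune against your own mail corpus

# Constructed messages (not real samples). The first mimics a callback lure, the
# second a routine vendor notice that links to a portal and lists no phone number.
CALLBACK_LURE = """\
From: billing@example-antivirus.invalid
To: alice@corp.example
Subject: Your subscription has been renewed

Your annual protection plan was renewed and your card has been charged $389.99.
If you did not authorize this charge or wish to cancel, call our support line
at (800) 555-0142 within 24 hours.
"""

BENIGN_NOTICE = """\
From: noreply@vendor.example
To: alice@corp.example
Subject: Invoice 2023-0417 is available

Your invoice is ready to view in the customer portal: https://portal.vendor.example/invoices
No action is required.
"""


def plain_text_body(msg: Message) -> str:
    """Concatenate the text/plain parts of a message (HTML parts are ignored here)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def score_callback_lure(raw_message: str) -> dict:
    """Score one raw RFC 822 message for the callback-phishing pattern.

    Scoring: +2 for a phone number (the lure's payload), +1 when a phone number is
    offered but no URL is present (nothing for URL filters to inspect), and +1 per
    pretext term up to 3.
    """
    msg = message_from_string(raw_message)
    text = f"{msg.get('Subject', '')}\n{plain_text_body(msg)}"
    lowered = text.lower()
    phones = PHONE_RE.findall(text)
    has_url = bool(URL_RE.search(text))
    terms = [t for t in LURE_TERMS if t in lowered]
    score = 0
    if phones:
        score += 2
    if phones and not has_url:
        score += 1
    score += min(len(terms), 3)
    return {"phones": phones, "has_url": has_url, "lure_terms": terms,
            "score": score, "suspicious": score >= SUSPICIOUS_SCORE}


if __name__ == "__main__":
    for label, raw in (("lure", CALLBACK_LURE), ("benign", BENIGN_NOTICE)):
        print(label, score_callback_lure(raw))
```

A score like this is a triage signal for a mail gateway or a SOAR playbook, not a verdict on its own; the useful follow-up is to correlate a flagged message with later remote-access-tool installs on the recipient's endpoint, which is the event the guidance above says should trigger notification.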

File System and VSS Monitoring: Monitor for Volume Shadow Copy deletion commands (vssadmin.exe delete shadows, wmic shadowcopy delete), which Royal uses to prevent file recovery. Alert on shadow copy deletion by anything other than known backup software. Monitor for processes that write .royal or .blacksuit file extensions across multiple directories simultaneously.
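As an added example of the two monitoring rules above (written for this page, not taken from any EDR vendor or from the advisory), the Python below evaluates constructed process-creation and file-write events in a Sysmon-like layout. Rule one fires on a vssadmin or wmic shadow-copy deletion by any image outside a backup allowlist; rule two fires when a single process writes .royal or .blacksuit files into several distinct directories within a short window. The event field names, the hypothetical backupagent.exe allowlist entry, the thresholds and the sample events are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Optional

# Command-line forms of the shadow copy deletion commands named in the profile.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.IGNORECASE),
]
RANSOM_EXTENSIONS = {".royal", ".blacksuit"}
BACKUP_ALLOWLIST = {"backupagent.exe"}   # hypothetical backup product binary (assumption)
SPREAD_MIN_DIRS = 3                      # distinct directories before the spread rule fires
SPREAD_WINDOW = timedelta(seconds=60)

# Constructed events (not real telemetry) in a Sysmon-like shape:
# type "process" = process creation with command line, type "file" = file write.
SAMPLE_EVENTS = [
    {"ts": "2023-05-03T02:10:01Z", "type": "process", "pid": 3320,
     "image": r"C:\Program Files\BackupAgent\backupagent.exe",
     "cmdline": "vssadmin.exe delete shadows /for=C: /oldest"},
    {"ts": "2023-05-03T02:11:40Z", "type": "process", "pid": 4104,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2023-05-03T02:11:42Z", "type": "process", "pid": 4110,
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"ts": "2023-05-03T02:12:05Z", "type": "file", "pid": 4120, "image": r"C:\Users\Public\enc.exe",
     "target": r"C:\Users\alice\Documents\q1-budget.xlsx.royal"},
    {"ts": "2023-05-03T02:12:06Z", "type": "file", "pid": 4120, "image": r"C:\Users\Public\enc.exe",
     "target": r"C:\Users\alice\Desktop\notes.txt.royal"},
    {"ts": "2023-05-03T02:12:08Z", "type": "file", "pid": 4120, "image": r"C:\Users\Public\enc.exe",
     "target": r"C:\Shares\Finance\forecast.docx.royal"},
    {"ts": "2023-05-03T02:12:09Z", "type": "file", "pid": 4120, "image": r"C:\Users\Public\enc.exe",
     "target": r"C:\Shares\Finance\payroll.csv.royal"},
    {"ts": "2023-05-03T02:13:00Z", "type": "file", "pid": 5210,
     "image": r"C:\Windows\System32\notepad.exe", "target": r"C:\Users\alice\Desktop\todo.txt"},
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def check_shadow_deletion(ev: dict) -> Optional[dict]:
    """Rule 1: shadow copy deletion by any image that is not an allowlisted backup tool."""
    image = PureWindowsPath(ev["image"]).name.lower()
    cmd = ev.get("cmdline", "")
    if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS) and image not in BACKUP_ALLOWLIST:
        return {"rule": "shadow-copy-deletion", "ts": ev["ts"], "pid": ev["pid"],
                "image": ev["image"], "cmdline": cmd}
    return None


def run_detections(events: list[dict]) -> list[dict]:
    """Apply both rules in timestamp order and return the alerts raised."""
    alerts = []
    recent = defaultdict(deque)   # pid -> (ts, directory) of recent ransom-extension writes
    spread_alerted = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(ev["ts"])
        if ev["type"] == "process":
            alert = check_shadow_deletion(ev)
            if alert:
                alerts.append(alert)
        elif ev["type"] == "file":
            target = PureWindowsPath(ev["target"])
            if target.suffix.lower() not in RANSOM_EXTENSIONS:
                continue
            window = recent[ev["pid"]]
            window.append((ts, str(target.parent).lower()))
            while window and ts - window[0][0] > SPREAD_WINDOW:   # drop writes outside the window
                window.popleft()
            dirs = {d for _, d in window}
            if len(dirs) >= SPREAD_MIN_DIRS and ev["pid"] not in spread_alerted:
                spread_alerted.add(ev["pid"])   # one alert per process, not one per file
                alerts.append({"rule": "ransom-extension-spread", "ts": ev["ts"], "pid": ev["pid"],
                               "image": ev["image"], "directories": sorted(dirs)})
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The allowlist is keyed on image name only to keep the example short; in production, key it on signed path and publisher, since a renamed binary would otherwise slip through rule one.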

ESXi Protection: Segregate ESXi management interfaces from general enterprise networks. Restrict SSH access to ESXi hosts to authorized management systems only. Monitor for unauthorized ESXi API access and alert on SSH logins from unexpected source IPs. Implement VMware-level access controls and audit ESXi authentication logs.
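To make the "alert on SSH logins from unexpected source IPs" step concrete, the Python below is an added example for this page (not VMware code or anything from the advisory) that reviews sshd entries from an ESXi host's auth log against an allowlist of management networks and also counts repeated failures per source. The log lines are constructed in the layout ESXi uses for /var/log/auth.log, and the management subnet and failure threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Management networks permitted to open SSH sessions to ESXi hosts (assumption; use your own).
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
FAILED_THRESHOLD = 3   # failed attempts from one source before it is reported (assumption)

# Constructed lines laid out like ESXi's /var/log/auth.log; not taken from any real host.
SAMPLE_AUTH_LOG = """\
2023-05-03T01:12:44Z sshd[2101234]: Accepted keyboard-interactive/pam for root from 10.20.0.15 port 51322 ssh2
2023-05-03T02:03:10Z sshd[2101299]: Accepted publickey for root from 172.16.40.9 port 40011 ssh2
2023-05-03T02:05:01Z sshd[2101310]: Failed password for root from 192.168.77.23 port 40012 ssh2
2023-05-03T02:05:04Z sshd[2101311]: Failed password for root from 192.168.77.23 port 40013 ssh2
2023-05-03T02:05:07Z sshd[2101312]: Failed password for root from 192.168.77.23 port 40014 ssh2
2023-05-03T02:06:30Z sshd[2101320]: Accepted keyboard-interactive/pam for root from 10.20.0.15 port 51400 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_line(line: str):
    """Return the fields of one sshd auth-result line, or None for any other line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_management(src: str) -> bool:
    """True when the source address falls inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)


def review_auth_log(text: str) -> dict:
    """Flag successful logins from outside the management networks and sources
    that reach the failed-attempt threshold."""
    unexpected, failed = [], Counter()
    events = 0
    for line in text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        events += 1
        if ev["result"] == "Accepted" and not is_management(ev["src"]):
            unexpected.append({k: ev[k] for k in ("ts", "user", "src", "method")})
        elif ev["result"] == "Failed":
            failed[ev["src"]] += 1
    return {
        "events": events,
        "unexpected_logins": unexpected,
        "repeated_failures": {src: n for src, n in failed.items() if n >= FAILED_THRESHOLD},
    }


if __name__ == "__main__":
    for key, value in review_auth_log(SAMPLE_AUTH_LOG).items():
        print(key, value)
```

The host-side counterpart to this review is to enforce the same allowlist in the ESXi firewall, so that the sshServer ruleset only accepts connections from the management networks (esxcli network firewall ruleset allowedip add --ruleset-id sshServer --allowed-ip 10.20.0.0/24, then disable allowed-all for that ruleset), and to forward auth.log to a central collector so that an attacker on the host cannot quietly clear it.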

Healthcare-Specific Guidance: Healthcare organizations (Royal's primary target) should implement the CISA Healthcare Cybersecurity Performance Goals. Maintain offline backups of electronic health records and clinical system configurations. Develop and practice EHR downtime procedures to maintain patient care during ransomware incidents. Network-segment clinical systems from administrative networks.

Related Intelligence (1)

  • [critical] Critical n8n RCE Hits KEV Catalog While Attackers Weaponize SOC Fatigue and Target Developers (Mar 12, 2026)