The prolific Royal ransomware group, which has demanded more than $275 million in ransom from as many as 350 targets since September 2022, may be preparing to rebrand itself or spin off a variant, according to a U.S. government advisory.

The FBI and Cybersecurity and Infrastructure Security Agency (CISA) wrote in its advisory this week that the threat group, which has targeted organizations in such sectors as manufacturing, healthcare, communications, education, and state and local governments, is continuing to evolve, noting that the BlackSuit ransomware that arose in May includes “a number of identified coding characteristics similar to Royal.”

Royal began using the BlackSuit encryptor in some of its attacks earlier this year, leading some cybersecurity researchers to question whether Royal was behind the rise of BlackSuit and if Royal planned to rebrand itself as BlackSuit. The advisory from the FBI and CISA echoes that speculation.

In a report in May, Trend Micro wrote about ongoing speculation linking Royal to BlackSuit and outlined similarities between variants of both, writing that “they have an extremely high degree of similarity to each other.” The cybersecurity firm said that included 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps.

“The emergence of BlackSuit ransomware (with its similarities to Royal) indicates that it is either a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang that has implemented modifications to the original family,” they wrote.

Success Breeds Imitators

One possible reason for the rise of BlackSuit was the success of Royal and the high-profile Conti group – from which Royal emerged after Conti shut down operations in mid-2022 – inspired others to develop a similar threat in BlackSuit, the researchers wrote, adding that “another option is that BlackSuit emerged from a splinter group within the original Royal ransomware gang.”

Speculation about Royal rebranding emerged around the time of the group’s attack on the city of Dallas that caused widespread disruption to city services for more than a month, affecting such agencies as the Dallas Police and Fire departments and court systems. Royal reported got into the city systems in April vai a stolen domain service account and exfiltrated 1.169TB of files. The city said 30,253 people – including 26,212 Texas residents – had their data compromised.

Still, Royal has not yet rebranded into BlackSuit or any other name, though the FBI and CISA advisory says that possibility is still on the table.

The ransomware group was one of several – including the BlackBasta collective and SilentRansomwareGroup – that emerged from Conti, with some members of Royal likely among those who developed the Ryuk ransomware, the predecessor to Conti.

Encryption and Extortion

Royal’s attacks included not only ransomware – encrypting victims’ files and then demanding a ransom before decrypting them – but also extortion, exfiltrating the data and threatening to leak it unless the ransom is paid. Ransoms demanded have ranged from about $250,000 to more than $10 million.

According to a report this year from cybersecurity firm Malwarebytes, Royal 66% of the time uses phishing emails carrying malicious PDFs to gain initial access into their targets’ systems. The FBI and CISA noted other methods include abusing Remote Desktop Protocol (RDP), public-facing applications, and initial access brokers.

Malwarebytes also noted that Royal, like other groups, uses a range of legitimate tools – such as Cobalt Strike, Nsudo system management, and PsExec, a Microsoft tool – in their attacks to make them more difficult to detect. The group also was known for re-infecting victims and 64% of its targets were in the United States.

Coalition, a cyber insurance and security services provider, said in a report that ransomware was the key driver of the 12% year-over-year growth in overall insurance claims in the first half of 2023 – with ransomware-related claims jumping 27% — and that Royal accounted for 12% of reported variants, joining BlackCat (at 15%) and BlackBasta (10%) in the top three.

HHS Sounds the Alarm

Among federal agencies, the Health and Human Services Department issued an alert about Royal in December 2022, noting that the group by that time had targeted organizations in the healthcare field and added that “while most of the known ransomware operators have performed Ransomware-as-a-Service, Royal appears to be a private group without any affiliates while maintaining financial motivation as their goal.”

The FBI and CISA issued its first alert about the ransomware group, including Indicators of Compromise (IoC), in March and updated it this week. They said Royal initially used the Zeon malware a loader and encryptor, it began using its own custom-made encryption since September 2022.

“After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems,” the agencies wrote. “Royal ransomware uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt. This approach allows the actor to lower the encryption percentage for larger files, which helps evade detection.”

They added that Royal doesn’t tend to include the amount of ransom demanded or payments instructions in the initial ransom note, but instead tells victims to interact with them directly via a .onion URL that can be reached through the Tor browser.