Podcasts
Ransomware Leak Sites
Royal
Active Since
September 2022 (last active July 2023)
Total Victims as of January 2024
179
Known Forum Aliases
N/A
Active Forum Accounts
N/A
Top Targeted Geographies
US, Canada, Germany
Royal isn’t a RaaS group and doesn’t appear to work with affiliates.
There is speculation that Royal is composed of former members of Conti ransomware gang, due to their use of similar ransom notes and callback phishing techniques.
Royal initially used third-party ransomware including BlackCat and Zeon before developing its own malware, written in C++, that infects Windows systems and deletes all Volume Shadow Copies to prevent data recovery. In February 2023, Royal operators added the ability to encrypt Linux devices and target VMware ESXi virtual machines.
In March 2023, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory on Royal, warning that the group targets critical infrastructure sectors.
Royal’s leak site hasn’t been active since July 2023 and researchers have drawn similarities between its ransomware strain and that of a newer operation called BlackSuit, which could suggest Royal has rebranded.
Related Content
Videos
How can you identify ransomware operators targeting you on the dark web?
Knowledge Base
Akira
Akira appears to be a novel ransomware, written in C++, with versions targeted both at Windows machines and Linux operating systems. It has quickly become one of the most prolific ransomware groups.
Knowledge Base
BlackBasta
BlackBasta is a ransomware operation that is notable for its high volume of attacks, use of custom tools, and suspected links to cybercriminal group FIN7.
Knowledge Base
BlackCat
The RaaS group BlackCat (also known as ALPHV or Noberus) is believed to include developers and money launderers from the former DarkSide ransomware group, most infamous for the Colonial Pipeline attack.
Knowledge Base
Cl0p
Cl0p is notable for its approach of using vulnerabilities in supply chain software to target multiple organizations, announcing them in a batch at a later date.
