The US government says Royal, one of the most active ransomware gangs in recent years, is preparing to rebrand or spin off under a new name, Blacksuit.
In an update this week to a previously published joint advisory on the Royal ransomware gang, the FBI and the US cybersecurity agency CISA said the Blacksuit ransomware variant “shares a number of recognized coding characteristics similar to Royal,” confirming earlier findings by security researchers linking the two ransomware operations.
“There are indications that Royal may be preparing for a rebranding effort and/or a spinoff variant,” the government’s updated advisory says.
CISA did not say why it released the new guidance linking the two ransomware operations, and a spokesperson did not immediately comment when reached by TechCrunch.
Royal is a prolific ransomware gang accused of hacking more than 350 known victims worldwide, with ransom demands exceeding $275 million. CISA and the FBI previously warned that Royal was targeting critical infrastructure sectors across the United States, including manufacturing, communications and healthcare organizations. The city of Dallas, Texas recently recovered from a ransomware attack that was later attributed to Royal.
It is not uncommon for ransomware gangs to create different ransomware variants, remain silent for long periods of time, or break up and split into entirely new groups, often in an attempt to avoid detection or capture by law enforcement. However, sanctions recently imposed by the US and UK governments are likely hampering the gang’s efforts to make money, as victims refuse to pay the hackers’ ransoms for fear of violating strict US sanctions laws.
The Conti connection
Security researchers previously discovered that Royal includes ransomware operatives from previous operations, including Conti, a prolific Russian-linked hacking group that disbanded in May 2022, shortly after the massive leak of the gang’s internal communications prompted by Russia’s unprovoked invasion of Ukraine.
After the breakup, Conti reportedly split into several gangs, some of which formed the Royal ransomware gang months later. Royal soon began targeting hospitals and healthcare organizations, and by 2023 had become one of the most prolific ransomware gangs.
In September 2023, the US and UK governments imposed joint sanctions against 11 accused members of the since-defunct Conti ransomware gang. Although members of the Conti gang had moved on to new ransomware operations, the UK’s National Crime Agency said at the time that paying ransoms to these individuals was “prohibited under these sanctions”.
Government sanctions are often imposed on people who cannot be apprehended by US law enforcement, such as those based in Russia, which does not typically extradite its citizens. Sanctions make it harder for criminals to profit from ransomware by effectively prohibiting victims from paying a sanctioned person or entity. Sanctions are often targeted at individuals rather than the criminal operations themselves, in part because criminal groups would simply rebrand or rename themselves to circumvent sanctions.
Allan Liska, threat intelligence analyst at Recorded Future, told TechCrunch that even a tacit connection to a sanctioned individual could run afoul of sanctions laws.
“Several members of the team behind the Royal ransomware are ex-Conti, so it’s possible that well-known companies started refusing to pay Royal after the sanctions were imposed,” Liska said. “Most importantly, it’s enough to scare the ransomware dealers, the incident response companies and the insurance companies that support the victims.”
Ransomware gangs typically post portions of a victim’s stolen data on their leak sites in an attempt to blackmail the victim into paying a ransom. Ransomware gangs may remove a victim’s data once the victim negotiates or pays the ransom. It is not uncommon for victim organizations to rely on third-party companies, such as law firms and cyber insurance companies, to negotiate with the hackers or make ransom payments on their behalf.
The FBI has long advised victims not to pay hackers a ransom, as this encourages further cyberattacks.
