The Cybersecurity and Infrastructure Security Agency (CISA) has reported that cybercriminals are using a variant of the Royal ransomware to target American and international organizations. The cybercriminals gain access to the target’s system and steal large amounts of data before deploying their encryption malware.
The Royal ransomware is distinct in its epidemic techniques, as the cybercriminals do not include ransom amounts or payment instructions in the initial ransom note. Instead, they demand that victims interact with them directly. While the group has made ransom demands ranging from $1 million to $11 million in Bitcoin, these are not usually included in the initial ransom note.
According to Darkfeed, the Royal ransomware has listed 112 victims on its leak site throughout its existence. However, ransomware gangs often do not name all of their victims, so the actual number of victims may be much higher. Cybersecurity firm Malwarebytes reports that the Royal gang claimed 19 victims in February alone, ranking them among the most prolific ransomware groups. Only LockBit, BlackCat, and Vice Society have victimized more organizations.
Royal was first discovered in 2022 and initially used third-party ransomware like BlackCat and Zeon. However, since September of last year, the gang has been deploying its own ransomware. The group gained notoriety after adding the UK’s Silverstone Formula One motor racing circuit to its list of victims.
