Royal

High Confidence • High Threat

DEV-0569 • Zeon

Royal was a ransomware operation active from September 2022 to mid-2023, believed to be composed of former Conti members. The group targeted organizations across the healthcare, education, and manufacturing sectors, demanding ransoms ranging from $1 million to $11 million. Royal was notable for its callback phishing techniques and its use of legitimate tools for lateral movement. The operation is believed to have rebranded as BlackSuit ransomware in 2023.

Origin: Russia
Sponsor: Cybercriminal (No State Sponsor)
Active: 2022 - Present
Victims: 300+ organizations
Advanced
Active
Financial Gain

Risk Assessment

Composite Risk Score: 77 (High Risk)
ARCS Compliance: 80
Escalation Risk: 78
Grievance Index: 68
Infrastructure Impact: 82


Targeting

Target Sectors

Healthcare, Manufacturing, Government, Education

Target Regions

United States, Europe

Attribution & Affiliations

Attributed to a cybercriminal group with no state sponsor, originating in Russia. Attribution confidence: High.

Intelligence Assessment

Threat Level: High
Targeting: Moderately
Adaptability: Moderately
Persistence: High
Op Tempo: Periodic
Status: Rebranded (BlackSuit)

Future Outlook

Royal is expected to continue operations targeting the healthcare sector.

Timeline of Key Events

2022 (Major): First observed activity of Royal
2024 (Moderate): Continued active operations