cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Royal Ransomware has stolen US$275m from 350 victims since September 2022

The Royal Ransomware hacking group has been busy over the past year, with a new report having found the group has successfully stolen US$275 million (roughly A$431.6 million) since September last year.

user icon Daniel Croft
Tue, 14 Nov 2023
Royal Ransomware has stolen US$275m from 350 victims since September 2022
expand image

According to a joint advisory created by the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA), the group managed to hit 350 organisations over the period.

“Since September 2022, Royal has targeted over 350 known victims worldwide, and ransomware demands have exceeded 275 million USD,” read the advisory.

According to the advisory, a number of threat actors have made use of Royal Ransomware to compromise organisations in the US and around the globe.


According to the FBI and CISA, threat actors using the software gain access to victim networks through phishing in two-thirds of cases (66.7 per cent). Royal actors also use Remote Desktop Protocol, brokers and the exploitation of public-facing apps.

Once in, the threat actors download multiple programs by communicating with command and control (C2) infrastructure, allowing them to disable anti-virus and steal large amounts of data before encrypting data on the victim’s systems, as is standard in double extortion attacks.

Initial attacks do not include ransom amounts or instructions for payment, but instead ask the victim to contact them on the dark web.

“Royal actors have targeted numerous critical infrastructure sectors, including, but not limited to, manufacturing, communications, healthcare and public healthcare (HPH), and education,” the advisory continued.

Ransoms have ranged widely between US$1 million and US$11 million, with victims required to pay in bitcoin.

The FBI and CISA advisory has said there is evidence to suggest that Royal Ransomware may be looking to rebrand, having found that BlackSuit ransomware uses similar coding characteristics.

“Royal and BlackSuit threat actors have been observed using legitimate software and open-source tools during ransomware operations,” said the advisory.

“Threat actors have been observed using open-source network tunneling tools such as Chisel and Cloudflare, as well as Secure Shell (SSH) Client, OpenSSH, and MobaXterm to establish SSH connections.

“The publicly available credential-stealing tool Mimikatz and password harvesting tools from Nirsoft have also been found on victim systems.

“Legitimate remote access tools AnyDesk, LogMeIn, and Atera Agent have also been observed as backdoor access vectors.”

Royal Ransomware was first spotted in January last year, with operations ramping up dramatically that September, when it shifted from using encryption software from other threat groups like ALPHV (also known as BlackCat), likely in an effort to throw investigators.

The group was known for previously working for the Conti cyber gang, and its first encryptor, Zeon, reflected its history, with ransom notes being very similar to Conti’s. After rebranding in September 2022, it dropped the Royal encryptor, which it has used ever since.

The full technical breakdown of Royal Ransomware can be found on the CISA website.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.