Ransomware Group

Royal

Also known as: Royal Ransomware, DEV-0569

Status: inactive • First seen 2022-09 • 350+ known victims

Royal was run by experienced cybercriminals who previously worked with Conti, one of the most notorious ransomware gangs. They specifically went after hospitals, schools, and city governments. The FBI warned about them multiple times because they were hitting critical services. They've since rebranded to 'BlackSuit', but the same people are behind it.

Overview

Royal was a highly sophisticated ransomware operation that targeted critical infrastructure, particularly healthcare and education. The group is believed to be composed of experienced members from the defunct Conti group. In 2024, Royal rebranded to BlackSuit ransomware.

Target Industries

Healthcare, Education, Government, Manufacturing, Critical Infrastructure, Legal Services

How They Attack

  • Callback phishing (fake invoice emails)
  • SEO poisoning with fake software downloads
  • Exploiting public-facing applications
  • Using legitimate remote access tools (AnyDesk, LogMeIn)
  • Cobalt Strike for lateral movement

Notable Victims

City of Dallas (2023), Silverstone Circuit (2023), Multiple US school districts, Various healthcare organizations


How to Protect Against Royal

  1. Block callback phishing domains at the email gateway
  2. Monitor for unauthorized remote access tool installations
  3. Implement application whitelisting
  4. Block or monitor Cobalt Strike indicators
  5. Train employees on callback phishing tactics
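The check behind step 2 above, as an added example that is not part of the original page: scan process-creation and service-install events for the remote access tools the profile names (AnyDesk, LogMeIn) and flag any host that is not on an approved list. The log line format, the executable names, the allowlist and the sample events are all constructed assumptions for illustration, not real telemetry.

```python
"""Added example: flag remote access tool activity outside an approved allowlist.
Log format, tool list and allowlist are constructed assumptions."""
import re
from dataclasses import dataclass

# Remote access tools the profile says Royal abused. The substring keys are
# matched against the lowercased image path (assumption: illustrative only).
REMOTE_ACCESS_TOOLS = {
    "anydesk": "AnyDesk",
    "logmein": "LogMeIn",
}

# Hypothetical allowlist: tool -> hosts approved to run it.
# Everything else is treated as unauthorized and reported.
APPROVED = {
    "AnyDesk": {"helpdesk-01"},
}

# Constructed line format:
# "<timestamp> host=<host> user=<user> event=<event> image=<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) image=(?P<image>.+)$"
)

# Events worth checking: a fresh launch or a persistence-style service install.
WATCHED_EVENTS = {"process_create", "service_install"}


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    tool: str
    image: str


def identify_tool(image_path):
    """Return the canonical tool name if the image path looks like a known
    remote access tool, else None."""
    lowered = image_path.lower()
    for key, tool in REMOTE_ACCESS_TOOLS.items():
        if key in lowered:
            return tool
    return None


def scan(lines):
    """Parse log lines and return findings for remote access tool activity
    on hosts that are not approved for that tool."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["event"] not in WATCHED_EVENTS:
            continue
        tool = identify_tool(m["image"])
        if tool is None:
            continue
        if m["host"] in APPROVED.get(tool, set()):
            continue  # approved host, nothing to report
        findings.append(Finding(m["ts"], m["host"], m["user"], tool, m["image"]))
    return findings


def hosts_by_count(findings):
    """Summarize findings as host -> number of unauthorized events."""
    counts = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


# Constructed sample events (not real logs).
SAMPLE_LOG = [
    r"2024-03-01T09:12:03Z host=helpdesk-01 user=svc_support event=process_create image=C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
    r"2024-03-01T22:41:17Z host=fin-ws-07 user=jdoe event=process_create image=C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
    r"2024-03-01T22:43:02Z host=fin-ws-07 user=jdoe event=service_install image=C:\Users\jdoe\AppData\Local\LogMeIn\LMIGuardianSvc.exe",
    r"2024-03-01T23:00:00Z host=fin-ws-07 user=jdoe event=process_create image=C:\Windows\System32\notepad.exe",
    r"2024-03-02T01:05:44Z host=dc-01 user=SYSTEM event=process_create image=C:\ProgramData\logmein.exe",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.user} {f.tool} {f.image}")
    print(hosts_by_count(scan(SAMPLE_LOG)))
```

The approved helpdesk host is skipped; the launch from a user's Temp directory, the LogMeIn service install and the copy on the domain controller are reported. In a real deployment the allowlist would come from the asset inventory and the input from the EDR or Sysmon process-creation feed rather than from constructed strings.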

MITRE ATT&CK Techniques

T1566.001, T1566.002, T1219, T1486, T1048

Related Groups

BlackSuit, Conti, LockBit, BlackCat
