Ransomware royale: US confirms Royal, BlackSuit are linked

The FBI and the US govt's Cybersecurity and Infrastructure Security Agency (CISA) have released fresh guidance on the Royal ransomware operation, saying that evidence suggests it may soon undergo a long-speculated rebrand.

The agencies didn't specify a reason for the rebrand or spinoff variant, but rebranding in the ransomware industry is fairly common. BlackMatter was believed to be a DarkSide spinoff, Lorenz used to be .sZ40, Hunters International is thought to be Hive reborn (though the former contests this), NoEscape was previously Avaddon etc, etc. The list goes on.

In many cases, groups that have attracted too much attention from law enforcement – for example DarkSide, which got a lot of heat after the Colonial Pipeline attack – often "go underground" and purport to disband forever, only to re-emerge under a new guise months or even years later.

Just this week security researchers have already linked Ransomed.vc, which claimed to have shut shop for good less than a week ago, to a new group called RansomCorp.

RoyalSuit?

The security industry has highlighted a suspected link between Royal and BlackSuit for months and the latest update to the security agencies' advisory confirms code overlaps and similarities in intrusion techniques.

CISA and the FBI believe the similarities between the two Windows ransomware families indicate either a potential rebrand of Royal altogether or at least a spinoff variant.

"Royal and Blacksuit threat actors have been observed using legitimate software and open source tools during ransomware operations," the advisory read. "Threat actors have been observed using open source network tunneling tools such as Chisel and Cloudflared, as well as Secure Shell (SSH) Client, OpenSSH, and MobaXterm to establish SSH connections. 

"The publicly available credential-stealing tool Mimikatz and password harvesting tools from Nirsoft have also been found on victim systems. Legitimate remote access tools AnyDesk, LogMein, and Atera Agent have also been observed as backdoor access vectors."

Trend Micro's May report on the similarities between the two predicted that BlackSuit was either a new variant developed by Royal itself, a copycat strain, or an affiliate of Royal's RaaS program that had made its own changes to the kit.

Its security researchers also found striking similarities between the two strains with very little code differentiating the two.

"After comparing both samples of the Royal and BlackSuit ransomware, it became apparent to us that they have an extremely high degree of similarity to each other," said Trend Micro. "In fact, they're nearly identical, with 98 percent similarities in functions, 99.5 percent similarities in blocks, and 98.9 percent similarities in jumps based on BinDiff, a comparison tool for binary files."

It also cited security researchers that had noted YARA rules created for the ESXI variants of Royal ransomware also matched those of BlackSuit's ESXI version.

These discoveries generally align with this week's updated security advisory which said that, according to the FBI's investigations, the overlapping indicators of compromise (IOCs) between the two families were first spotted in June.

The advisory comes as Western intelligence agencies remain on high alert for attacks on critical national infrastructure (CNI), a threat that's been among the primary focuses for national security experts for the past few years, but throughout the previous 12 months especially.

The UK's National Cyber Security Center (NCSC) published its annual review today and alongside the threat of AI to upcoming elections and ransomware more generally, fears of attacks targeting UK CNI have intensified in the past year, with defenders struggling to match the pace of the evolving threat.

Royal was previously pinpointed as a group known for targeting CNI. The FBI and CISA previously warned of the group's threat in March, saying it had targeted "numerous" CNI sectors, including but not limited to manufacturing, communications, healthcare, and education.

The warning came just a few months after the Department of Health and Human Services drew attention to the group [PDF] and how it target the healthcare sector.

It pointed to previous attacks on an unnamed US telecoms company and known incidents where the group duped victims into thinking its encryptor was in fact legitimate healthcare patient data software.

Since then, Royal's other major attacks include one on the city of Dallas, Texas in May. The effects of the attack were reportedly wide-ranging, affecting various functions like the city's police department and a water utility company.

The FBI and CISA revealed this week that Royal has attempted to extort a total of $275 million from more than 350 known victims since September 2022.

Data regarding the group's ransom methodology differs slightly between reports. CISA and the FBI said ransom demands aren't included in the ransom note, but typically range between $1 million and $11 million. 

• Strangely enough, no one wants to buy a ransomware group that has cops' attention
• A right Royal pain in the Dallas: City IT systems crippled by ransomware
• NCSC says cyber-readiness of UK's critical infrastructure isn't up to scratch
• Florida man jailed after draining $1M from victims in crypto SIM swap attacks

BlackBerry's security unit reckons the ransom range isn't as large as the authorities suggest, with typical extortion attempts estimated to be between $250,000 and $2 million.

Microsoft's incident response data pegged Royal as one of the most prolific ransomware groups in operation over the past year. When looking at the top ransomware strains that had achieved breaches, 12 percent were related to Royal. The group was closely behind BlackCat and BlackBasta – both with 14 percent – and LockBit with 16 percent.

The advisory from CISA and the FBI includes more details on the full range of IOCs and mitigation guidance for both Royal and BlackSuit ransomware families. ®