Inside the Operations of the Royal Ransomware Gang

The Royal ransomware gang emerged in September 2022, and was quickly established as a critical threat. The members are believed to be former members of the notorious Conti gang. In May 2023, the Royal ransomware gang was linked to a newly discovered encryptor known as BlackSuit. This finding suggests the group may be rebranding as a result of increased pressure from law enforcement due to the fallout from their attack on Dallas, Texas on May 3rd. However, currently, no rebranding has occurred with the threat group retaining its Royal brand and deploying BlackSuit in limited attacks. An insight into the Royal gang was provided by Red Sense's head of research and development, Yelisey Bohuslavskiy who has tracked the Conti group extensively.

"The direct heir of Conti, comprising over 60 pentesters either from Conti's "Old Guard" or recruited from various elite ransomware groups. Operating in small teams of 4-5 individuals, they remain loyal to their leaders: the Admin and Chief Engineer. The group employs #Royal and #BlackSuit lockers, with #Emotet and #IcedID as precursors. They prioritize alternatives to #CobaltStrike, particularly #Sliver, and develop custom precursor loaders." said Bohuslavskiy. When Conti had disbanded it was assessed the group would break down and operate in smaller cells. Bohuslavskiy shares a breakdown of the subgroups within Royal, with groups including Zeon, the Silent Ransom Group, and the BlackBasta conglomerate which comprises of BlackByte and Karakurt. There's potential that a subgroup will launch using the BlackSuit encryptor. The BlackBasta conglomerate is reported to be operating under a tight hierarchical model described as an “authoritarian” model with a “centralized chain of command.” Allied groups were listed which include BlackCat/ALPHV, AvosLocker, HelloKitty, and FiveHands affiliates.