The U.S. government has stated that Royal, one of the most active ransomware gangs in recent years, is preparing to rebrand or spin off with a new name, Blacksuit.
In an update this week to a previously published joint advisory about the Royal ransomware gang, the FBI and U.S. cybersecurity agency CISA announced that the Blacksuit ransomware variant “shares a number of identified coding characteristics similar to Royal,” confirming previous findings by security researchers linking the two ransomware operations.
According to the updated advisory from the government, “There are indications that Royal may be preparing for a rebranding effort and/or a spinoff variant.”
CISA did not disclose the reason for issuing the new guidance connecting the two ransomware operations, and a spokesperson did not immediately comment when reached by TechCrunch.
Royal is a prolific ransomware gang accused of hacking more than 350 known victims worldwide with ransom demands exceeding $275 million. CISA and the FBI had previously warned that Royal was targeting critical infrastructure sectors across the United States, including manufacturing, communications, and healthcare organizations. The city of Dallas in Texas recently recovered from a ransomware attack it later attributed to Royal.
It’s not uncommon for ransomware gangs to create different ransomware variants, go quiet for long periods of time, or spin off and splinter into entirely new groups, often in an effort to evade detection or arrest by law enforcement. However, the gang’s money-making efforts are likely being hindered by recently imposed sanctions by the U.S. and U.K. governments, as victims refuse to pay the hackers’ ransoms for fear of violating strict U.S. sanctions laws.
The Conti connection
Security researchers previously found that Royal comprises ransomware actors from previous operations, including Conti, a prolific Russia-linked hacking group that disbanded in May 2022, shortly after a massive leak of the gang’s internal communications sparked by the gang siding with Russia in its unprovoked invasion of Ukraine.
After disbanding, Conti reportedly splintered into different gangs, some of whom formed the Royal ransomware gang months later. Royal soon began targeting hospitals and healthcare organizations and by 2023 became one of the most prolific ransomware gangs.
In September 2023, the U.S. and U.K. governments imposed joint sanctions against 11 accused members of the since-defunct Conti ransomware gang. Even though the Conti gang members had moved on to new ransomware operations, the U.K. National Crime Agency said at the time that paying a ransom demand to these individuals “is prohibited under these sanctions.”
Government sanctions are often imposed against individuals who are out of reach of arrest by U.S. law enforcement, such as those based in Russia, which typically does not extradite its citizens. Sanctions make it difficult for criminals to profit from ransomware by effectively banning victims from paying a sanctioned individual or entity. Sanctions are often aimed at individuals rather than the operations themselves, in part because criminal groups would rename or rebrand to skirt the sanctions.
Allan Liska, threat intelligence analyst at Recorded Future, told TechCrunch that even a tacit link to a sanctioned individual could fall foul of sanctions laws.
“Several members of the team behind Royal ransomware are ex-Conti, so it is possible that firms in the know started refusing to pay Royal after the sanctions were laid down,” said Liska. “More importantly it is enough to spook the ransomware negotiators, incident response firms and insurance companies that support victims.”
Ransomware gangs typically publish portions of a victim’s stolen data to their leak sites in an attempt to extort the victim into paying a ransom. Ransomware gangs may remove a victim’s data once a victim enters negotiations or pays the ransom. It’s not uncommon for victim organizations to rely on third-party companies, such as law firms and cyber-insurance companies, to negotiate with the hackers or make ransom payments on their behalf.
The FBI has long advised victims not to pay a hacker’s ransom as this encourages further cyberattacks.