US says Royal ransomware gang plans ‘Blacksuit’ rebrand


The U.S. government says Royal, one of the most active ransomware gangs in recent years, is preparing to rebrand or spin off under a new name, Blacksuit.

In an update this week to a previously published joint advisory about the Royal ransomware gang, the FBI and U.S. cybersecurity agency CISA said that the Blacksuit ransomware variant “shares a number of identified coding characteristics similar to Royal,” confirming earlier findings by security researchers linking the two ransomware operations.

“There are indications that Royal may be preparing for a rebranding effort and/or a spinoff variant,” the government’s updated advisory reads.

CISA did not say why it released the new guidance linking the two ransomware operations, and a spokesperson did not immediately comment when reached by TechCrunch.

Royal is a prolific ransomware gang accused of hacking over 350 known victims worldwide with ransom demands exceeding $275 million. CISA and the FBI previously warned that Royal was targeting critical infrastructure sectors across the United States, including manufacturing, communications and healthcare organizations. The city of Dallas in Texas recently recovered from a ransomware attack it later attributed to Royal.

It’s not uncommon for ransomware gangs to create different ransomware variants, go quiet for long periods of time, or spin off and splinter into entirely new groups, often in an effort to evade detection or arrest by law enforcement. But recently imposed sanctions by the U.S. and U.K. governments are likely hampering the gang’s money-making efforts, as victims refuse to pay the hackers’ ransoms for fear of violating strict U.S. sanctions laws.

The Conti connection

Security researchers previously found that Royal comprises ransomware actors from previous operations, including Conti, a prolific Russia-linked hacking group that disbanded in May 2022, shortly after a massive leak of the gang’s internal communications, triggered after the gang sided with Russia in its unprovoked invasion of Ukraine.

After disbanding, Conti reportedly splintered into different gangs, some of whom formed the Royal ransomware gang months later. Royal soon began targeting hospitals and healthcare organizations and by…
