US says Royal ransomware gang plans 'Blacksuit' rebrand

Zack Whittaker
Updated ·3 min read

The U.S. government says Royal, one of the most active ransomware gangs in recent years, is preparing to rebrand or spin off with a new name, Blacksuit.

In an update this week to a previously published joint advisory about the Royal ransomware gang, the FBI and U.S. cybersecurity agency CISA said that the Blacksuit ransomware variant "shares a number of identified coding characteristics similar to Royal," confirming earlier findings by security researchers linking the two ransomware operations.

"There are indications that Royal may be preparing for a rebranding effort and/or a spinoff variant," the government's updated advisory reads.

CISA did not say why it released the new guidance linking the two ransomware operations, and a spokesperson did not immediately comment when reached by TechCrunch.

Royal is a prolific ransomware gang accused of hacking ,ore than 350 known victims worldwide with ransom demands exceeding $275 million. CISA and the FBI previously warned that Royal was targeting critical infrastructure sectors across the United States, including manufacturing, communications and healthcare organizations. The city of Dallas in Texas recently recovered from a ransomware attack it later attributed to Royal.

It's not uncommon for ransomware gangs to create different ransomware variants, go quiet for long periods of time, or spin off and splinter into entirely new groups, often in an effort to evade detection or arrest by law enforcement. But recently imposed sanctions by the U.S and U.K. governments are likely hampering the gang's money-making efforts as victims refuse to pay the hackers' ransoms for fear of violating strict U.S. sanctions laws.

The Conti connection

Security researchers previously found that Royal comprises ransomware actors from previous operations, including Conti, a prolific Russia-linked hacking group that disbanded in May 2022, shortly after a massive leak of the gang's internal communications sparked by the gang sided with Russia in its unprovoked invasion of Ukraine.

After disbanding, Conti reportedly splintered into different gangs, some of whom formed the Royal ransomware gang months later. Royal soon began targeting hospitals and healthcare organizations and by 2023 became one of the most prolific ransomware gangs.

In September 2023, the U.S. and U.K. governments imposed joint sanctions against 11 accused members of the since-defunct Conti ransomware gang. Even though the Conti gang members had moved on to new ransomware operations, the U.K. National Crime Agency said at the time that paying a ransom demand to these individuals "is prohibited under these sanctions."

Government sanctions are often imposed against individuals who are out of reach of arrest of U.S. law enforcement, such as those based in Russia, which typically does not deport its citizens. Sanctions make it difficult for criminals to profit from ransomware by effectively banning victims from paying a sanctioned individual or entity. Sanctions are often aimed at individuals rather than the operations themselves, in part because criminal groups would rename or rebrand to skirt the sanctions.

Allan Liska, threat intelligence analyst at Recorded Future, told TechCrunch that even a tacit link to a sanctioned individual could fall foul of sanctions laws.

"Several members of the team behind Royal ransomware are ex-Conti, so it is possible that firms in the know started refusing to pay Royal after the sanctions were laid down," said Liska. "More importantly it is enough to spook the ransomware negotiators, incident response firms and insurance companies that support victims."

Ransomware gangs typically publish portions of a victim's stolen data to their leak sites in an attempt to extort the victim into paying a ransom. Ransomware gangs may remove a victim's data once a victim enters negotiations or pays the ransom. It's not uncommon for victim organizations to rely on third-party companies, such as law firms and cyber-insurance companies, to negotiate with the hackers or make ransom payments on their behalf.

The FBI has long advised victims not to pay a hacker's ransom as this encourages further cyberattacks.

Do government sanctions against ransomware groups work?