The Royal ransomware group has been identified as a significant threat, targeting over 350 global victims since September 2022 [1] [2] [4]. This joint advisory by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) sheds light on their activities and provides valuable information for organizations to protect themselves.


According to the advisory, the Royal ransomware group has demanded more than $275 million in ransom payments from their victims. They have been active in their attacks, with a particular focus on phishing emails as their primary method of gaining initial access. The group has also been observed using legitimate software and open source tools during their operations [2].

It is believed that the Royal gang may be planning to rebrand or split into two separate threat groups. They have connections to another ransomware gang called BlackSuit [4], indicating a network of criminal activity. The group is mainly composed of former members of the Conti ransomware group.

The Royal gang’s attacks have had significant impacts, including the theft of over 1.1 TB of data from the City of Dallas. If the ransom is not paid [3] [4], the group publishes the victim’s data on a leak site [4], further exacerbating the consequences for the victims.

The healthcare [2], manufacturing [2], and education sectors have been among the most frequently targeted by the Royal gang. Their ransom demands range from $1 million to $11 million in bitcoin [2], and victims are required to interact with the threat actor via a onion URL after encryption [2].


The Royal ransomware group poses a serious threat to organizations worldwide. It is crucial for Chief Information Security Officers (CISOs) to stay informed about their tactics, techniques [3], and procedures [3]. User awareness training is essential to combat the ongoing threat of Royal, regardless of any rebranding efforts [3].

Mitigations should include strengthening email security measures to prevent phishing attacks, implementing robust network security protocols, and regularly updating and patching software to minimize vulnerabilities. Collaboration between law enforcement agencies and cybersecurity professionals is vital to disrupt and dismantle these criminal networks.

As the Royal gang continues to evolve and potentially rebrand, organizations must remain vigilant and proactive in their cybersecurity measures. By staying informed and implementing effective security strategies, organizations can better protect themselves against the ongoing threat of ransomware attacks.