Royal Ransomware

Description

Royal is a ransomware group that has been active since at least the beginning of 2022. The group has been observed deploying not only the Windows and Linux versions of Royal ransomware in victim environments, but also Zeon, a likely predecessor to Royal, and BlackCat ransomware for file encryption. The threat actor has shown no hesitation in attacking healthcare services, prompting the Health Sector Cybersecurity Coordination Center (HC3) to issue an advisory on Royal ransomware.

Royal ransomware was rebranded as BlackSuit ransomware in mid-2023, potentially to shake off scrutiny and refresh the group's image.

Royal has been affiliated with Dev-0569.

Aliases

  • BlackSuit
  • Royal Ransomware Operators
  • Zeon

Targeted Industries

  • Agriculture
  • Business Services
  • Construction
  • Consumer Services
  • Critical Infrastructure
  • Education
  • Finance
  • Government
  • Healthcare Services
  • Hospitality
  • Hospitals & Physicians Clinics
  • Insurance
  • Law Firms & Legal Services
  • Manufacturing
  • Media & Internet
  • Minerals & Mining
  • Non-Profit & Charitable Organizations
  • Real Estate
  • Retail
  • Software
  • Transportation

Objectives

Financial gain

Known Tools Used

  • AdFind
  • Advanced Port Scanner
  • AnyDesk
  • AV tamper
  • Chisel
  • Cobalt Strike
  • Connectwise
  • Exfil
  • GMER
  • NetScan
  • NirCmd
  • NSudo
  • PCHunter
  • PowerShell Toolkit Downloader
  • PowerTool
  • Process Hacker
  • PsExec
  • QakBot
  • Rclone
  • RDPEnable
  • Splashtop
  • Syncro
  • Ursnif/Gozi
  • Don't Sleep
  • Vidar

Known Infection Vectors

  • BATLOADER
  • Exploiting public-facing applications
  • Initial access brokers
  • IcedID
  • Malvertising
  • Phishing emails
  • Qakbot
  • RDP compromise

References

Ransomware Roundup Royal (Fortinet)
https://www.fortinet.com/blog/threat-research/ransomware-roundup-royal-ransomware

Royal Ransomware Targets Linux ESXi Servers (Fortinet)
https://www.fortinet.com/blog/threat-research/royal-ransomware-targets-linux-esxi-servers

#StopRansomware: BlackSuit (Royal) Ransomware (CISA)
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a

Royal & BlackCat Ransomware: The Threat to the Health Sector (Health Sector Cybersecurity Coordination Center)
https://www.hhs.gov/sites/default/files/royal-blackcat-ransomware-tlpclear.pdf

Active CVEs