This updated Joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are re-releasing this Joint Cybersecurity Advisory to add new TTPs, IOCs, and information related to Royal Ransomware activity.
Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded 275 million USD. Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors. There are indications that Royal may be preparing for a re-branding effort and/or a spinoff variant. Blacksuit ransomware shares a number of identified coding characteristics with Royal. A previous Joint Cybersecurity Advisory for Royal ransomware was published on March 2, 2023. This joint advisory provides updated IOCs identified through FBI investigations.
FBI and CISA encourage organizations to implement the recommendations in the mitigations section of this Joint Cybersecurity Advisory to reduce the likelihood and impact of ransomware incidents.