
Royal Ransomware Is Fast Becoming Most-Feared Ransomware Group


In a post issued on Tuesday, Unit 42 says that, based on the Royal ransomware leak site, the group has been responsible for affecting 157 institutions since its start last year.

The ransomware group brands itself as one of the best in the cybercriminal world. This is largely thanks to its members' strength.

Palo Alto Networks' Unit 42 acquired a README.txt ransom note dropped on one of Royal's victims, which provides a clear illustration of the group's dominance.

Interestingly, Royal has become increasingly active this year, utilizing a wide range of tools as it aggressively targets critical infrastructure organizations.

Royal Ransomware Latest Spree

Reportedly, the group boasted that it breached 14 manufacturing organizations. It also affirmed that it has targeted a further 26 manufacturing institutions so far this year. The U.S. Department of Health and Human Services issued a warning in January about the threat the ransomware posed to the healthcare sector.

Furthermore, it has carried out seven attacks against local government entities in the U.S. and Europe, including its recent attack on the city of Dallas, and against 14 establishments in the education sector, including school districts and universities.

Unit 42 warns that most of Royal's victims (64%) are in the U.S., with Canadian institutions its second most frequent target (9%). The scope of Royal's attacks to date demonstrates the potential for broader and more severe effects.

Operatives with years of experience

In September 2022, Royal was first spotted breaching systems and using multi-extortion to coerce victims. It seems linked to a prior ransomware family named Zeon that emerged nine months earlier.

Unit 42 researchers say it's plausible Royal's members are former operatives of the Conti ransomware group. The researchers added that some of the crew behind this threat were part of the development of Ryuk, the predecessor of Conti, and they have many years of experience.

Royal is known to demand ransoms of up to $25 million in bitcoin, and the group leverages its leak site to publicly extort victims into paying up.