Full Report
The U.S. Department of Homeland Security (DHS) says the cybercrime gang behind the Royal and BlackSuit ransomware operations had breached hundreds of U.S. companies before their infrastructure was dismantled last month. [...]
Analysis Summary
# Incident Report: Royal and BlackSuit Ransomware Campaign
## Executive Summary
This report summarizes a widespread cyber campaign involving the Royal and BlackSuit ransomware operations, which together compromised over 450 US companies. The groups utilized similar tactics, techniques, and procedures (TTPs), with evidence suggesting BlackSuit is a rebranding of the earlier Royal ransomware operation. The impact involves significant financial demands and data extortion, prompting joint advisories from the FBI and CISA, and leading to the suspected rebranding to 'Chaos' ransomware to evade ongoing tracking.
## Incident Details
- **Discovery Date:** Implied ongoing, with FBI/CISA advisory in November 2023 referencing Royal activity since September 2022.
- **Incident Date:** Ongoing campaign since at least September 2022 (Royal activity).
- **Affected Organization:** Over 450 US companies (Reported scope).
- **Sector:** Not explicitly specified, but impacting various US businesses.
- **Geography:** United States (Primary focus of the article).
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing since September 2022 (for Royal). The specific initial access vectors used against the 450+ victims are not detailed; the article only implies that known pathways were leveraged to reach ransomware deployment.
- **Vector:** For the suspected successor ('Chaos'), voice-based social engineering is explicitly mentioned.
- **Details:** Tactics include double extortion attacks.
### Lateral Movement
- **Details:** Use of Living Off The Land binaries (LOLbins) and Remote Monitoring and Management (RMM) tools is a noted similarity linking the successor group to the prior TTPs.
### Data Exfiltration/Impact
- **Details:** Attacks employed double extortion (encryption plus data theft). The Royal campaign resulted in over \$275 million in ransom demands, and BlackSuit later demanded over \$500 million.
### Detection & Response
- **Detection:** Detected through investigation and intelligence gathering leading to joint advisories.
- **Response Actions:** CISA and the FBI issued joint advisories (November 2023 for Royal; August 2024 for BlackSuit) consolidating intelligence on the groups' activities.
## Attack Methodology
- **Initial Access:** Voice-based social engineering (mentioned for the potential 'Chaos' rebranding).
- **Persistence:** Not explicitly detailed, but implied via RMM tool usage.
- **Privilege Escalation:** Not explicitly detailed.
- **Defense Evasion:** Not explicitly detailed.
- **Credential Access:** Not explicitly detailed.
- **Discovery:** Use of LOLbins suggests internal network reconnaissance/discovery.
- **Lateral Movement:** Use of RMM tools.
- **Collection:** Implied data collection due to double extortion model.
- **Exfiltration:** Implied data exfiltration as part of double extortion.
- **Impact:** Encryption of systems and data theft/extortion.
## Impact Assessment
- **Financial:** Royal demanded over \$275 million (cumulative); BlackSuit demanded over \$500 million (cumulative).
- **Data Breach:** Data theft occurred as part of double extortion. Specific volume/type not specified.
- **Operational:** Disruptions likely occurred due to ransomware deployment (encryption).
- **Reputational:** Not detailed, though the targeting of 450+ companies implies significant impact.
## Indicators of Compromise
The article focuses on historical tactics rather than specific current IoCs, but historical shared TTPs include:
- **Behavioral indicators:** Use of shared encryption commands, ransom note themes/structure, use of LOLbins, and RMM tools connecting Royal/BlackSuit/Chaos.
## Response Actions
- **Containment measures:** Not detailed, beyond the official advisories issued to prevent further compromise.
- **Eradication steps:** Not detailed.
- **Recovery actions:** Not detailed.
## Lessons Learned
- Ransomware groups frequently rebrand (Royal → BlackSuit → Chaos) to evade tracking and maintain operational continuity after infrastructure disruption.
- Double extortion remains a highly profitable model, leading to massive cumulative ransom demands (\$500M+).
- Law enforcement and intelligence agencies (FBI/CISA) actively track and correlate activity across different ransomware branding efforts.
## Recommendations
- Organizations should enhance defenses against social engineering, particularly voice-based vectors, where applicable to their sector.
- Implement strong controls and monitoring to detect unusual use of LOLbins and RMM tools by unauthorized processes for lateral movement.
- Maintain heightened vigilance for indicators related to known evolving ransomware families like Royal/BlackSuit/Chaos.