Royal Ransomware [A Review Playbook]

Royal ransomware hit 350 organizations in under a year, cost the City of Dallas $8.5 million to recover from, and rebranded twice to stay ahead of law enforcement. Here is how the group operated, who it targeted, and what their rebranding means for cyber professionals in 2026.

A Conti splinter group with a new name and the same playbook

Royal ransomware appeared in September 2022 and within weeks had already been linked to former members of the Conti group. The connection was not subtle. Ransom notes carried Conti-like structure. The callback phishing technique was a Conti signature. Researchers at Trend Micro and Microsoft traced the lineage with high confidence within the first month of Royal’s activity.

What made Royal different from most ransomware groups of its era was its structure. Royal did not recruit affiliates or operate a Ransomware-as-a-Service (RaaS) platform. It was a closed, private team. That gave it tighter operational security, consistent tradecraft, and an attack pattern that was harder to attribute and harder to disrupt by targeting the affiliate layer.

This guide covers how Royal gained access, how it moved through victim networks, its most significant attacks, the technical details that made it distinctive, how it became BlackSuit, and what security teams can do about it.

Zeon, then Royal: tracing the Conti lineage

Conti dissolved in May 2022 after an internal leak exposed its member communications and its public support for Russia’s invasion of Ukraine made it a liability. Its members did not retire. Within weeks, researchers were tracking former Conti operators moving into new groups.

One faction operated briefly as Zeon in early 2022, using a BlackCat-based encryptor in its earliest campaigns. By September 2022, the group had developed its own custom encryptor and rebranded to Royal, naming itself explicitly in ransom notes for the first time.

Microsoft tracked Royal’s delivery infrastructure under the designation DEV-0569, using malvertising through Google Ads, fake software installer pages, and abuse of contact forms on target websites to distribute BATLOADER, a malware downloader that staged Cobalt Strike Beacon as a precursor to ransomware deployment.

Royal ran as a closed private group with no known affiliates. This is rare in a market where RaaS dominates. Less scale, more control. Every attack used the same vetted team and consistent tools.

How a Royal attack works, phase by phase

Royal attacks followed a patient, methodical pattern. The group prioritized dwell time over speed. The City of Dallas breach went undetected for 27 days before ransomware deployed. That window was not wasted.

Phase 1: Getting in

Phishing was Royal’s primary entry point, accounting for 66.7% of confirmed initial access incidents according to CISA. The group used two distinct phishing variants.

Standard phishing: malicious PDF attachments and links pointing to BATLOADER, disguised as software installers for common enterprise tools including Zoom, TeamViewer, and AnyDesk.

Callback phishing: the victim receives an email that looks like a subscription renewal notice from a recognizable brand. The email contains no malicious link or attachment. It provides a phone number to call and cancel the charge. When the victim calls, a Royal operator poses as support staff and social-engineers them into installing remote access software. That software is the foothold. This technique bypasses most email security filters entirely because there is nothing to scan.

Beyond phishing, Royal also used Remote Desktop Protocol (RDP) compromise in 13.3% of incidents and exploited vulnerabilities in public-facing applications. The group also purchased VPN credentials from initial access brokers operating on criminal forums.

Phase 2: Staying hidden

Once inside, Royal used legitimate remote monitoring and management (RMM) tools to maintain persistence: AnyDesk, LogMeIn, and Atera. These tools are present on many enterprise networks by design, which makes them difficult to flag.

For command and control (C2) communication, Royal used Chisel, an open-source tunneling tool that routes traffic over HTTP secured via SSH. This made Royal’s C2 traffic look like routine web activity to network monitors.

The Dallas investigation found that Royal gained initial access on April 7, 2023. Ransomware deployed on May 3. During those 27 days, the group mapped the network, staged exfiltration, and identified every system it planned to encrypt. This extended pre-encryption period is a defining feature of silent ransomware attacks, where the real damage happens long before any ransom note appears.

Phase 3: Disabling defenses

Before deploying ransomware, Royal actors systematically removed antivirus software using legitimate diagnostic tools: PC Hunter, Process Hacker, GMER, and PowerTool. None of these are inherently malicious. All are commonly used by IT administrators. Using them as cover for disabling endpoint protection is a textbook living-off-the-land technique.

Phase 4: Exfiltrating data

Royal stole data before encrypting it. This gave the group two forms of leverage: victims pay for decryption keys, or their data gets published. In Dallas, Royal exfiltrated approximately 1.169 terabytes across all 40+ city departments before the encryption event. That data included personnel records, Social Security numbers, court documents, medical information, and government files.

Phase 5: Encrypting and erasing recovery options

Royal’s encryptor had a technically distinctive feature: partial encryption. Rather than encrypting entire files, operators could configure what percentage of each file to encrypt. For large files, a lower encryption percentage sped up the process and reduced the chance of triggering pattern-based detection, since partially encrypted files can pass some security tool checks.

Encrypted files received the .royal extension (later .royal_u in updated variants). Shadow copies were deleted via vssadmin.exe. Application, System, and Security event logs were wiped. The ransom note, README.TXT, did not include a ransom amount or payment instructions. It directed victims to a Tor .onion URL to begin negotiations directly with the group.
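The following is an added example, not CybelAngel's code and not taken from the Dallas after-action report, that turns Phases 2, 3 and 5 into detection logic. It scans constructed process-creation events for the RMM tools, the AV-disabling utilities, shadow-copy deletion, event-log clearing and Chisel tunnelling described above, suppresses RMM alerts on hosts where such software is sanctioned, and ranks hosts that trip several stages of the chain. The log format, host names, executable file names, the RMM allowlist and the use of wevtutil for log clearing (the article does not name the tool Royal used) are all assumptions.

```python
"""Added example: flag the post-access tradecraft described in Phases 2, 3 and 5
over constructed process-creation events.  Not CybelAngel code; the log format,
host names and executable names are assumptions to be tuned per environment."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    technique: str   # ATT&CK technique ID
    reason: str
    cmdline: str


# (technique, reason, pattern over the full command line).  File names are
# illustrative; match them against the tools actually inventoried in your estate.
RULES = [
    ("T1490", "Shadow copies deleted with vssadmin",
     re.compile(r"(^|\\)vssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    # The article says Application/System/Security logs were wiped but does not
    # name the tool; wevtutil is the usual built-in and is assumed here.
    ("T1070.001", "Windows event log cleared with wevtutil",
     re.compile(r"(^|\\)wevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I)),
    ("T1562.001", "AV-disabling utility from the Phase 3 list executed",
     re.compile(r"(^|\\)(pchunter(64)?|processhacker|gmer|powertool(64)?)\.exe\b", re.I)),
    ("T1219", "RMM tool started on a host where none is expected",
     re.compile(r"(^|\\)(anydesk|logmein|ateraagent)\.exe\b", re.I)),
    ("T1572", "Chisel client opening a tunnel to an external endpoint",
     re.compile(r"(^|\\)chisel(\.exe)?\s+client\s+\S+", re.I)),
]

# Constructed sample events in the form "timestamp|host|user|command line".
SAMPLE_EVENTS = [
    r"2023-04-20T03:12:44Z|WS-FIN-07|svc_backup|C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"2023-04-20T03:12:51Z|WS-FIN-07|svc_backup|wevtutil.exe cl Security",
    r"2023-04-19T22:40:02Z|WS-FIN-07|svc_backup|C:\Tools\PCHunter64.exe",
    r"2023-04-18T09:15:30Z|WS-FIN-07|svc_backup|C:\ProgramData\AnyDesk\AnyDesk.exe --service",
    r"2023-04-18T09:20:11Z|IT-HELPDESK-01|jsmith|C:\Program Files\AnyDesk\AnyDesk.exe",
    r"2023-04-21T01:05:09Z|SRV-FILE-02|svc_backup|C:\Users\Public\chisel.exe client 203.0.113.10:8080 R:socks",
    r"2023-04-21T01:06:00Z|SRV-FILE-02|SYSTEM|C:\Windows\System32\svchost.exe -k netsvcs",
    r"2023-04-21T02:00:00Z|SRV-FILE-02|admin|vssadmin list shadows",
]

# Hosts where RMM software is sanctioned (e.g. the help desk); assumed inventory.
RMM_EXPECTED_HOSTS = frozenset({"IT-HELPDESK-01"})


def scan_events(lines: Iterable[str], rmm_expected_hosts=frozenset()) -> list[Finding]:
    """Return one Finding per (event, matching rule)."""
    findings: list[Finding] = []
    for line in lines:
        _ts, host, user, cmdline = line.split("|", 3)
        for technique, reason, pattern in RULES:
            if not pattern.search(cmdline):
                continue
            # RMM tools are legitimate on many hosts; alert only where unexpected.
            if technique == "T1219" and host in rmm_expected_hosts:
                continue
            findings.append(Finding(host, user, technique, reason, cmdline))
    return findings


def techniques_by_host(findings: Iterable[Finding]) -> dict[str, set[str]]:
    """Group the distinct techniques observed on each host."""
    out: dict[str, set[str]] = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.technique)
    return out


def hosts_with_multiple_stages(findings: Iterable[Finding], min_techniques: int = 2) -> dict[str, set[str]]:
    """Hosts tripping several stages (evasion + recovery inhibition + RMM ...)
    are the ones to triage first: one hit may be an admin, several rarely are."""
    return {h: t for h, t in techniques_by_host(findings).items() if len(t) >= min_techniques}


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS, RMM_EXPECTED_HOSTS)
    for f in found:
        print(f"{f.host:15} {f.technique:10} {f.reason}: {f.cmdline}")
    print("Hosts with multiple stages:", hosts_with_multiple_stages(found))
```

The rules are deliberately narrow (vssadmin delete, not vssadmin list; wevtutil cl, not wevtutil qe) so that routine administration does not drown the signal, and the RMM rule is only useful once paired with an inventory of where remote-access software is supposed to run.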

Three era-defining attacks led by the gang

City of Dallas, May 2023

Royal gained access to Dallas city systems on April 7, 2023, using stolen service account credentials. For 27 days, the group moved through the network undetected, mapping systems and exfiltrating 1.169 terabytes of data before ransomware deployed on May 3. Court systems closed, police communications went down, fire station alerts failed, and 40+ city departments were affected. Recovery took until June 13, with the City Council approving $8.5 million for remediation. Personal data for 30,253 people, primarily city employees, was exposed. Dallas published a full after-action report in September 2023, one of the most detailed public post-incident analyses any ransomware victim has released.

Dallas by the numbers

  • 27 days of undetected access
  • 1.169 TB exfiltrated
  • 40+ city departments affected
  • 39,590 staff hours spent on recovery
  • $8.5 million approved for remediation
  • Personal data of 30,253 people exposed

Silverstone Circuit, November 2022

In November 2022, Royal posted the Silverstone Formula One circuit to its data leak site. The attack was notable for demonstrating that Royal was willing to target high-visibility brand-name organizations from its early months, not just healthcare or government sectors.

Octapharma, April 2024 [under the name BlackSuit]

Under the BlackSuit rebrand, the same group attacked Octapharma, a major blood plasma provider, by exploiting a VMware vulnerability. The attack forced the closure of more than 190 plasma donation centers across 35 U.S. states. Plasma supply to hospitals in both the U.S. and EU was disrupted. Donor personal data including protected health information (PHI) was stolen. The attack illustrated the real-world physical consequences that follow when ransomware hits healthcare supply chains.

Royal ransomware TTPs mapped to MITRE ATT&CK

Tactic            | Technique                            | Tool / Method
------------------|--------------------------------------|-----------------------------------------------
Initial Access    | Phishing (T1566)                     | Callback phishing, malvertising, BATLOADER
Initial Access    | Remote Services: RDP (T1021.001)     | RDP brute force or credential theft
Persistence       | Remote Access Software (T1219)       | AnyDesk, LogMeIn, Atera
Defense Evasion   | Impair Defenses (T1562)              | PC Hunter, Process Hacker, GMER, PowerTool
Lateral Movement  | Remote Services (T1021)              | RDP, PsExec, SMB
Command & Control | Protocol Tunneling (T1572)           | Chisel over HTTP/SSH, Cobalt Strike Beacon
Exfiltration      | Exfiltration Over C2 Channel (T1041) | Large-volume data staging before encryption
Impact            | Data Encrypted for Impact (T1486)    | Partial encryption, .royal / .royal_u
Impact            | Inhibit System Recovery (T1490)      | vssadmin.exe shadow copy deletion, log wiping

Royal rebrands as BlackSuit

In May 2023, the same month as the Dallas attack, Royal began testing a new encryptor internally. By June 2023, researchers had BlackSuit samples in the wild. Trend Micro described the two strains as nearly identical in their code. Royal attacks stopped. BlackSuit attacks started.

The FBI and CISA formally confirmed the link in August 2024, updating their joint advisory to reflect the rebrand. BlackSuit brought concrete technical improvements: more granular partial encryption with the ability to specify target directories, additional exfiltration tooling including RClone and Brute Ratel, ransom demands typically between $1 million and $10 million, and direct pressure campaigns via phone calls and emails to victims during negotiations.

By the time of its takedown, BlackSuit had demanded over $500 million in total ransoms. The largest single demand reached $60 million.

On July 24, 2025, Operation Checkmate seized BlackSuit’s dark web data leak site and private negotiation panels. Seventeen agencies across nine countries participated: U.S. Department of Justice, Homeland Security Investigations, the Dutch National Police, the UK National Crime Agency, the German Federal Criminal Police, and others. Cisco Talos assessed with moderate confidence that some BlackSuit members subsequently regrouped under a new brand called Chaos ransomware, based on shared TTPs, encryption commands, and ransom note structure.

FAQs

Is Royal ransomware still active?

Royal as a brand stopped operating in mid-2023 when it rebranded to BlackSuit. BlackSuit’s infrastructure was seized in July 2025 during Operation Checkmate. Cisco Talos assessed with moderate confidence that some operators subsequently reformed as Chaos ransomware. The TTPs Royal pioneered remain active regardless of the brand name in use.

What was technically distinctive about Royal’s encryptor?

Royal used partial encryption: operators could configure what percentage of each file to encrypt. For large files, a lower percentage sped up execution and reduced detection risk, since partially encrypted files can pass pattern-based security checks. This was a technical differentiator that made Royal harder to catch mid-execution.
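An added example, not from the article, illustrating the partial-encryption point made in Phase 5 and in this answer: a detector that checks the entropy of the whole file stays quiet when only a fraction of the file has been overwritten, while a per-chunk check fires because the randomness is concentrated in contiguous regions. The sample document, chunk size and thresholds are constructed; the "encryption" is nothing more than seeded pseudo-random bytes written over a prefix of an in-memory buffer, with no cipher, key or file I/O involved.

```python
"""Added example, not from the article: why a whole-file entropy threshold
misses a partially encrypted file and a per-chunk check does not.  The partial
encryption is simulated with seeded pseudo-random bytes over an in-memory buffer."""
import math
import random
from collections import Counter

# Constructed low-entropy "document": one plain-text record repeated (~250 KiB).
SAMPLE_DOC = (
    b"Invoice 2023-04-07: vendor payment batch 17, status PENDING, amount 12,450.00 USD\n"
    * 3000
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def simulate_partial_encryption(plaintext: bytes, percent: int, seed: int = 1) -> bytes:
    """Overwrite the first `percent` percent of the buffer with pseudo-random
    bytes, standing in for an encryptor configured to touch only part of a file."""
    if not 0 <= percent <= 100:
        raise ValueError("percent must be in 0..100")
    cut = len(plaintext) * percent // 100
    return random.Random(seed).randbytes(cut) + plaintext[cut:]


def whole_file_flag(data: bytes, threshold: float = 7.5) -> bool:
    """Naive detector: flag only if the file as a whole looks random.  With 10%
    encrypted, the average is dominated by plaintext and this stays silent."""
    return shannon_entropy(data) >= threshold


def chunked_flag(data: bytes, chunk_size: int = 4096,
                 threshold: float = 7.5, min_chunks: int = 2) -> bool:
    """Flag if at least `min_chunks` fixed-size chunks individually look random.
    Partial encryption leaves a contiguous high-entropy region, which this sees."""
    hot = sum(
        1 for i in range(0, len(data), chunk_size)
        if shannon_entropy(data[i:i + chunk_size]) >= threshold
    )
    return hot >= min_chunks


def compare(percent: int) -> dict:
    """Run both detectors on a copy of SAMPLE_DOC with `percent` of it overwritten."""
    sample = simulate_partial_encryption(SAMPLE_DOC, percent)
    return {
        "percent": percent,
        "whole_file_entropy": round(shannon_entropy(sample), 2),
        "whole_file_flag": whole_file_flag(sample),
        "chunked_flag": chunked_flag(sample),
    }


if __name__ == "__main__":
    for pct in (0, 10, 50, 100):
        print(compare(pct))
```

The chunk size and the 7.5 bits/byte threshold are starting points; compressed or already-encrypted file types (archives, media, office documents) legitimately contain high-entropy chunks, so production detectors combine this check with file-type awareness and with the behavioural signals from the earlier phases rather than relying on entropy alone.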

How did Royal set its ransom demands?

Royal required victims to contact negotiators via a Tor .onion URL to receive a ransom figure. This gave the group flexibility to adjust demands based on the victim’s perceived ability to pay, and it prevented victims from making a quick public disclosure of the amount before negotiations concluded.

Which sectors did Royal target?

Royal attacked healthcare, government, manufacturing, communications, education, and critical infrastructure. CISA confirmed attacks across all of these sectors. The group explicitly avoided targeting organizations in the Commonwealth of Independent States (CIS), the bloc of former Soviet republics, consistent with its believed Russian membership.

Should victims pay the ransom?

The FBI, CISA, and CybelAngel advise against payment. Paying does not guarantee data deletion or working decryption keys. It funds future attacks. Organizations that experience an attack should prioritize containment, preserve evidence, notify law enforcement via the FBI’s Internet Crime Complaint Center (IC3), and activate pre-prepared incident response plans.

How is BlackSuit different from Royal?

BlackSuit is the same group with technical improvements. The FBI and CISA confirmed this in August 2024 based on code similarity between the two encryptors. BlackSuit added more granular partial encryption, RClone and Brute Ratel for exfiltration, higher ransom demands, and direct victim contact via phone and email to pressure payment. The underlying team, access methods, and attack philosophy carried over unchanged.

Where are Royal’s indicators of compromise (IOCs) published?

CISA and the FBI published IOCs including file hashes, IP addresses, and behavioral indicators in their March 2023 advisory (AA23-061A) and updated them in November 2023 and August 2024. The full advisory is available at cisa.gov/news-events/cybersecurity-advisories/aa23-061a. Royal-encrypted files carry the .royal or .royal_u extension with a README.TXT ransom note.

Wrapping up

Royal ran for less than a year as a named group. It still demanded over $275 million from 350 organizations, cost one American city $8.5 million and 39,590 staff hours in recovery, disrupted plasma supply to hospitals in two countries, and then rebranded with better tools and kept going.

The attack chain is documented. The initial access techniques are known. The lateral movement tools are on every enterprise network by design. The gap between organizations that have closed these exposures and those that have not is where the next attack will happen.

CybelAngel scans for your exposed credentials, monitors ransomware leak sites for your organization’s data, and identifies the external exposures attackers use to get in. Talk to an analyst to see what is currently visible from outside your perimeter.
