Threat actor profile (defunct / rebranded)
type: Ransomware
threat_level: HIGH
status: DEFUNCT (REBRANDED)
origin: Russia / Eastern Europe
last_updated: 2026-03-13

Royal

Also known as: Zeon, DEV-0569, Storm-0569, Royal Ransomware Group, LockerRoyal

Royal is a private ransomware group composed of former Conti operators that rapidly became one of the most prolific ransomware threats in late 2022. Known for targeting critical infrastructure — including healthcare, government, and manufacturing — with double extortion tactics, Royal rebranded as BlackSuit in mid-2023 and was ultimately disrupted by international law enforcement in July 2025.

Attributed origin: Russia / Eastern Europe
Suspected sponsor: Cybercriminal (Conti successor)
First observed: January 2022 (as Zeon)
Primary motivation: Financial / Extortion
Primary targets: Healthcare, Government, Manufacturing, IT, Finance
Known campaigns: 450+ confirmed victims (combined Royal/BlackSuit)
MITRE ATT&CK software: S1073
Target regions: North America, Europe, Oceania, South America, South Asia
Threat level: HIGH (defunct but successor active)

Overview

Royal is a financially motivated ransomware group that first appeared in January 2022 under the name Zeon. The group rebranded to Royal in September 2022 and quickly became one of the most prolific ransomware operations in the threat landscape, ranking behind only LockBit and BlackCat by the end of that year. Royal is composed of experienced operators believed to be former members of the now-disbanded Conti ransomware syndicate, which itself had ties to the TrickBot and Ryuk malware ecosystems.

Unlike many ransomware operations that rely on affiliate models (Ransomware-as-a-Service), Royal operated as a private, closed group with no known affiliates. The group maintained tight control over its custom encryption tools and infrastructure. Royal used a double extortion model: encrypting victim data while simultaneously exfiltrating sensitive files and threatening to publish them on a leak site if ransom demands were not met. Ransom demands ranged from $250,000 to over $2 million during the Royal era.

In mid-2023, following the high-profile attack on the City of Dallas, Royal began testing a new encryptor called BlackSuit. By late 2023, the group had fully rebranded under the BlackSuit name, likely to evade law enforcement scrutiny. Under the combined Royal and BlackSuit banners, the operation compromised more than 450 organizations and collected over $370 million in ransom payments. On July 24, 2025, international law enforcement executed Operation Checkmate, seizing BlackSuit's infrastructure, domains, and cryptocurrency assets. Authorities have since linked the group's leadership to Russian national Oleg Evgenievich Nefedov, who is now on Europol and Interpol most-wanted lists. Researchers have assessed with moderate confidence that former BlackSuit members may have regrouped under the Chaos ransomware banner.

Target Profile

Royal aggressively targeted a broad range of industries and critical infrastructure sectors. The group showed no hesitation in attacking healthcare and public safety organizations, which prompted the U.S. Department of Health and Human Services (HHS) to issue a dedicated advisory in December 2022. The United States accounted for roughly 63% of all observed Royal targeting activity, with Canada, Germany, Australia, and Brazil rounding out the top five targeted countries. The majority of victim organizations were small to mid-sized businesses, though several large enterprises and municipal governments were also hit.

  • Healthcare: Hospitals, medical service providers, and plasma donation centers were consistently targeted. The group compromised organizations such as Northwest Michigan Health Services and later (as BlackSuit) Octapharma Plasma, which shuttered nearly 200 donation centers.
  • Government & Critical Infrastructure: Municipal governments including the City of Dallas were heavily impacted. Royal also targeted chemical, communications, defense industrial base, dam, nuclear, and emergency services sectors according to CISA advisories.
  • Manufacturing & IT: Manufacturing and technology companies represented a large share of victims, likely due to broad attack surfaces involving specialized equipment and managed software.
  • Finance & Education: Financial services firms and educational institutions — including school districts — were frequently targeted, particularly after the rebrand to BlackSuit.
  • Automotive (via BlackSuit): The CDK Global attack in June 2024 disrupted approximately 15,000 auto dealerships across North America, causing an estimated $1 billion in collective losses.

Tactics, Techniques & Procedures

Royal employed a mature and adaptable set of TTPs drawn from the collective experience of its Conti-era operators. The group combined social engineering for initial access with living-off-the-land techniques for lateral movement and defense evasion. Key TTPs documented by CISA, FBI, and MITRE ATT&CK (Software S1073) are summarized below.

MITRE ID | Technique | Description
T1566 | Phishing | Primary initial access vector. Royal used callback phishing (fake subscription renewal emails with phone numbers) and spear-phishing with malicious attachments. Victims were social-engineered into installing remote desktop software.
T1078.002 | Valid Accounts: Domain Accounts | Royal leveraged stolen domain service account credentials and VPN credentials harvested from stealer logs by initial access brokers to gain persistent network access.
T1059.012 | Command and Scripting Interpreter: Hypervisor CLI | Used esxcli commands to enumerate and terminate running virtual machines on ESXi hosts prior to encrypting VM disk files.
T1486 | Data Encrypted for Impact | Royal's custom ransomware uses AES-256 encryption via OpenSSL with multi-threaded partial encryption. A configurable percentage parameter (-ep) allows selective encryption of file contents, speeding the process and evading detection.
T1490 | Inhibit System Recovery | Deleted Volume Shadow Copies using vssadmin.exe with the command "delete shadows /all /quiet" to prevent victims from restoring encrypted files.
T1021.002 | Remote Services: SMB/Windows Admin Shares | Used SMB connections, RDP, and PsExec for lateral movement across compromised networks. Batch scripts were deployed via encrypted 7zip archives to propagate the ransomware.
T1046 | Network Service Discovery | Used NetScan and ADFind to enumerate network shares, connected devices, domain members, and group memberships for reconnaissance.
T1489 | Service Stop | Used RmShutDown and batch scripts to kill security-related services and applications that held locks on files targeted for encryption.
T1070.001 | Indicator Removal: Clear Windows Event Logs | Batch files deleted Application, System, and Security event logs after encryption to hinder forensic investigation.
T1082 | System Information Discovery | Used GetNativeSystemInfo and other Windows APIs to enumerate system processors, IP addresses, and logical drives before encryption.

Known Campaigns

Royal was involved in numerous high-profile attacks across critical infrastructure sectors. The following are confirmed or highly attributed operations linked to this threat actor and its BlackSuit successor.

City of Dallas Ransomware Attack (May 2023)

Royal gained initial access to Dallas city systems on April 7, 2023 using stolen domain service account credentials. Over nearly a month of dwell time, the group conducted reconnaissance, deployed Cobalt Strike beacons, and exfiltrated 1.169 TB of data. On May 3, Royal began encrypting prioritized servers, crippling police communications, 911 dispatch systems, municipal courts, and public-facing websites. The city allocated $8.5 million for recovery. Personal data of over 30,000 individuals was exposed.

Silverstone Formula One Circuit (Late 2022)

Royal successfully attacked the Silverstone Formula One circuit and publicly announced the compromise on their leak site. The full extent of data exfiltration was not publicly disclosed.

INTRADO Telecommunications (2022)

Royal claimed the compromise of INTRADO, an American telecommunications company with more than 10,000 employees. The group reported exfiltrating internal documents, passports, and employee identification records.

CDK Global Attack, as BlackSuit (June 2024)

Operating under the BlackSuit rebrand, the group attacked CDK Global, a software provider serving approximately 15,000 auto dealerships across North America. The attack encrypted critical systems and caused an estimated $1 billion in collective losses to dealerships. CDK reportedly paid a $25 million Bitcoin ransom. This was the third-largest ransomware payment publicly observed at the time.

Octapharma Plasma, as BlackSuit (April 2024)

BlackSuit targeted Octapharma Plasma, a blood plasma collection organization operating in over 100 countries. The attack resulted in the temporary shutdown of nearly 200 blood plasma donation centers across 35 U.S. states, achieved by targeting ESXi systems with the Linux variant of the ransomware.

Operation Checkmate — Law Enforcement Takedown (July 2025)

International law enforcement agencies from nine countries executed a coordinated takedown of BlackSuit infrastructure under Operation Checkmate, a Europol J-CAT initiative. Authorities seized four servers, nine domains, and over $1 million in cryptocurrency. The operation confirmed over 450 U.S. victims and $370 million in total ransom payments across the Royal and BlackSuit era. Suspected leader Oleg Evgenievich Nefedov was added to Europol and Interpol most-wanted lists.

Tools & Malware

Royal used a combination of custom ransomware payloads and widely available legitimate tools to conduct operations. The reliance on living-off-the-land binaries and open-source utilities made detection more challenging.

  • Royal Ransomware (S1073): Custom-built ransomware for Windows and ESXi/Linux. Uses AES-256 encryption via OpenSSL with configurable partial encryption. Appends the ".royal" extension to encrypted files and drops a README.txt ransom note directing victims to a Tor-based negotiation portal.
  • Zeon: The predecessor encryptor used before the group rebranded from Zeon to Royal in September 2022. Shared encryption methodologies with BlackCat.
  • BlackSuit Ransomware: Direct successor to Royal with nearly identical code. Emerged in May 2023 and became the group's primary encryptor after the rebrand. Extended capabilities and improved encryption speed.
  • Cobalt Strike: Used extensively as a post-exploitation framework for command-and-control, lateral movement, and payload delivery. Beacons were frequently deployed across victim networks during the dwell period.
  • BATLOADER: Initial access malware spread through SEO poisoning and malicious Google Ads. Disguised as legitimate software downloads (such as Zoom or Microsoft Teams), it served as a dropper for Cobalt Strike beacons.
  • QakBot: Banking trojan repurposed as a delivery mechanism for Royal ransomware payloads in certain campaigns.
  • NetScan: Legitimate open-source network discovery tool used for enumerating network shares, connected devices, and mapping target environments.
  • ADFind: Active Directory enumeration tool used to identify domain members, group memberships, and organizational structure.
  • PsExec: Microsoft Sysinternals tool used for lateral movement and remote execution of ransomware binaries across networked hosts.
  • PowerTool / Process Hacker / GMER / NSudo: Kernel-level utilities used to disable or uninstall endpoint protection software before ransomware deployment.
  • Chisel / PuTTY / OpenSSH / MobaXterm: Tunneling and remote access tools used to maintain communication with command-and-control infrastructure.
  • MegaCMD / SharpExfiltrate: Tools used for staging and exfiltrating victim data prior to encryption.

Indicators of Compromise

Select publicly available IOCs from FBI and CISA joint advisory AA23-061A. The full advisory contains extensive IOC tables (Tables 1-15) spanning both the Royal and BlackSuit eras. Verify currency before operational use.

Warning: Many Royal/BlackSuit IOCs date back to 2022-2024 and may be stale or repurposed for legitimate use. FBI and CISA recommend vetting all IP addresses before taking blocking action. Always cross-reference with live threat intel feeds.

Sample indicators of compromise (Royal era; see CISA AA23-061A for the full list)
Type | Value
hash (SHA-256) | b8c4aec31c134adbdbe8e9f056a063e80e141ab2f4a3bfad0a6af8bb7e6afbf4
file extension | .royal (encrypted file extension)
ransom note | README.TXT (dropped in each affected directory)
tools | Cobalt Strike beacons, PsExec service (PSEXESVC), batch files in encrypted 7zip archives
staging paths | root C:\ directory, common temp directories
Tor portal | .onion URL provided in ransom note for negotiation (varies per victim)

Mitigation & Defense

Recommended defensive measures based on CISA, FBI, and industry guidance for organizations that may fall within this actor's target profile. While Royal is defunct, the same operators continue under successor brands and employ identical techniques.

  • Phishing Defenses: Implement advanced email filtering, DMARC/DKIM/SPF, and user awareness training focused on callback phishing schemes. Royal's primary initial access vector was social engineering via fake subscription renewal emails.
  • Credential Hygiene: Enforce multi-factor authentication on all accounts, especially domain admin and VPN accounts. Royal frequently used stolen credentials and stealer log data from initial access brokers.
  • Network Segmentation: Segment networks to limit lateral movement. Royal relied heavily on SMB, RDP, and PsExec to traverse flat networks. Microsegmentation can contain an intrusion to the initial compromised segment.
  • Endpoint Detection and Response (EDR): Deploy and maintain EDR solutions with tamper protection. Royal operators used kernel-level tools (PowerTool, Process Hacker, GMER) to disable or uninstall security software before encryption.
  • Backup and Recovery: Maintain offline, immutable backups. Royal deleted Volume Shadow Copies and event logs to inhibit recovery. Regularly test backup restoration procedures in isolation.
  • Monitoring for Cobalt Strike: Configure alerts for Cobalt Strike beacon activity, unusual PsExec service installations (event IDs 7045/7036), and anomalous lateral movement patterns.
  • Patch Management: Keep all internet-facing devices and ESXi servers patched. Royal expanded its arsenal to include a Linux variant targeting ESXi environments, which can devastate virtualized data centers.
  • Zero Trust Architecture: Adopt a Zero Trust approach requiring authentication for every request and strictly limiting access privileges to reduce the blast radius of a compromised account.
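
One way to turn the TTP table and the monitoring guidance above into host-level detection logic, as an added example that is not part of the profile and not CISA's published signatures. The Windows event records below are constructed; the field names follow Windows event data, and the event IDs are the real ones (4688 process creation, which needs command-line auditing enabled; 7045 service installation; 1102 audit log cleared; 4663 object access, which needs a SACL on the path). The rule names and the `evaluate`/`summarize` functions are this example's own.

```python
import re

# Constructed sample Windows event records (not real telemetry). Field names follow the
# Windows event data names; 4688 needs command-line auditing enabled, 4663 needs a SACL.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 1102, "SubjectUserName": "svc_backup"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    {"EventID": 4663, "ObjectName": r"C:\Shares\finance\Q3.xlsx.royal"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},  # benign listing: must NOT fire T1490
]

def _cmd(event):
    return event.get("CommandLine", "")

# (rule name, ATT&CK id, predicate); each rule maps to a row of the TTP table above.
RULES = [
    ("Shadow copy deletion", "T1490", lambda e: e["EventID"] == 4688
        and re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", _cmd(e), re.I) is not None),
    ("PsExec service installed", "T1021.002", lambda e: e["EventID"] == 7045
        and e.get("ServiceName", "").upper() == "PSEXESVC"),
    ("Event log cleared", "T1070.001", lambda e: e["EventID"] == 1102
        or (e["EventID"] == 4688
            and re.search(r"wevtutil(\.exe)?\s+cl\b", _cmd(e), re.I) is not None)),
    ("Encrypted file extension written", "T1486", lambda e: e["EventID"] == 4663
        and e.get("ObjectName", "").lower().endswith(".royal")),
]

def evaluate(events):
    """Return (rule name, ATT&CK id, event) for every event that matches a rule."""
    return [(name, tid, ev) for ev in events for name, tid, pred in RULES if pred(ev)]

def summarize(hits):
    """Count hits per technique; several distinct techniques on one host in a short window
    is the chain the profile describes (lateral movement, recovery inhibition, log clearing)."""
    counts = {}
    for _, tid, _ in hits:
        counts[tid] = counts.get(tid, 0) + 1
    return counts

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for name, tid, ev in hits:
        print(f"[{tid}] {name}: event {ev['EventID']}")
    print(summarize(hits))
```

The benign `vssadmin list shadows` record is included to show that the T1490 rule keys on the delete verb, not on the binary name, which keeps routine administration from paging the on-call analyst.
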

Note: Although Royal's infrastructure was seized in July 2025 under Operation Checkmate, researchers assess with moderate confidence that former members have regrouped under the Chaos ransomware banner. Organizations should continue monitoring for TTPs consistent with Royal/BlackSuit operations, as the threat actors remain at large. The full CISA advisory (AA23-061A) contains extensive IOC tables, YARA rules, and detection signatures for both Royal and BlackSuit activity.


— end of profile