Royal (status: active)
Also known as: Royal Ransomware, BlackSuit
Royal ransomware is operated by experienced threat actors, potentially former Conti members. They use callback phishing and target critical infrastructure.
First Seen: 2022-09
Last Activity: 2025-01
Target Regions: 2 regions
Industries: 4 sectors (Healthcare, Education, Manufacturing, Government)
Attack Chain (MITRE ATT&CK)
Visual representation of the attack phases and techniques used by Royal
Tactics & Techniques
MITRE ATT&CK mapped tactics and techniques used by this threat actor
| Technique ID | Name | Tactic | Description | Reference |
|---|---|---|---|---|
| T1566 | Phishing | Initial Access | Callback phishing campaigns | MITRE |
Indicators of Compromise (IOCs)
Known IOCs associated with Royal operations
| Type | Value | Description | Last Seen |
|---|---|---|---|
| hash | e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6 | Royal ransomware binary | 2025-01-20 |
Detection Guidance
SIEM and EDR detection recommendations for identifying Royal activity
1. Monitor for BatLoader activity
2. Detect callback phishing campaigns
3. Alert on partial file encryption patterns
Mitigation, Containment & Recovery
Step-by-step guidance for responding to and recovering from this ransomware attack
1. Block callback phishing domains
2. Isolate systems
3. Preserve evidence
