Royal Ransomware.

A high-impact ransomware family that emerged from former Conti members in early 2022, hit hundreds of U.S. critical-infrastructure victims, and rebranded to BlackSuit in mid-2023 after the City of Dallas attack. It belongs to the Malware category of cybersecurity.

A high-impact ransomware family that emerged from former Conti members in early 2022, hit hundreds of U.S. critical-infrastructure victims, and rebranded to BlackSuit in mid-2023 after the City of Dallas attack.

Royal Ransomware appeared in early 2022 and quickly became one of the highest-impact private (non-affiliate-driven) ransomware operations of 2022–2023, attributed to former members of the Conti syndicate. It used a custom C++ encryptor with intermittent encryption (encrypting only a configurable percentage of each file for speed) and AES + RSA, leaving the `.royal` extension and a `README.TXT` note. The actor was reported to have hit over 350 victims globally, with U.S. CISA/FBI advisories highlighting its targeting of healthcare, education, manufacturing, and government — including the May 2023 attack on the City of Dallas, Texas, which disrupted public-safety services for weeks. Following intense law-enforcement attention, the operation rebranded in mid-2023 as 'BlackSuit', retaining the same encryptor lineage and TTPs (Cobalt Strike, BloodHound, ESXi-targeting Linux variant, double extortion via a leak site, initial access via callback-phishing and stolen credentials). U.S. CISA's #StopRansomware advisory in late 2023 published joint Royal/BlackSuit IOCs and TTPs.

Defences for Royal Ransomware typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: Royal, BlackSuit.