Royal / BlackSuit Ransomware Group Profile (Conti Successor)

2022-09-01
BREACH INTELLIGENCE
Breach date: 2022-09-01
Industry: Healthcare
Severity: Critical
Records exposed: Hundreds of victims
Financial impact: $275M (US ransoms)

Breach Summary

The Royal and BlackSuit ransomware operations represent the evolution of Conti ransomware through a succession of rebranding and restructuring that followed Conti's February 2022 dissolution. Royal emerged in mid-2022 as a sophisticated, highly targeted ransomware operation that explicitly avoided the RaaS model, operating as a private group with handpicked team members. In 2023, Royal rebranded as BlackSuit, continuing operations under new branding while maintaining the same core team and techniques.

What Happened

Royal emerged in September 2022 and quickly became one of the most active ransomware operations targeting US healthcare, with attacks on hospitals in multiple states. CISA published a specific advisory on Royal in March 2023, documenting the group's callback phishing initial access technique and providing detection and mitigation guidance. Royal rebranded as BlackSuit in mid-2023, with security researchers confirming the same core codebase and operational team. BlackSuit claimed responsibility for the CDK Global attack in June 2024, making it responsible for the most operationally disruptive automotive sector ransomware attack in history.

Attack Vector Detail

Royal/BlackSuit is notable for its technical sophistication and selective targeting, focusing on large organizations in healthcare, education, and critical infrastructure. The group uses callback phishing — also known as telephone-oriented attack delivery (TOAD) — as a primary initial access technique, cold-calling victims claiming to be software subscription renewal representatives and directing them to install remote access tools. This technique bypasses email security controls entirely. Royal also exploits unpatched VPN and remote access vulnerabilities as initial access vectors.
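The callback phishing flow described above ends with a user installing a remote access tool that the organization never sanctioned, and that moment is observable in endpoint process-creation telemetry. The following detection sketch is an added example, not code from the original article or from Cloudskope: it flags launches of remote-access/RMM executables that are not on an organization's approved list, and raises the severity when the binary runs from a user-writable location or was spawned by a browser, which is what a user-driven install from a cold call looks like. The product-name patterns, the approved set, the event field names and the sample events are all assumptions constructed for the example; the page itself names no specific tools.

```python
"""Flag unapproved remote-access tool launches in process-creation events."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# Illustrative remote-access / RMM product families, matched against the
# executable file name. This set is an assumption for the example; replace it
# with the families relevant to your environment.
REMOTE_TOOL_PATTERNS = {
    "anydesk": re.compile(r"^anydesk", re.I),
    "teamviewer": re.compile(r"^teamviewer", re.I),
    "screenconnect": re.compile(r"^(screenconnect|connectwise)", re.I),
    "atera": re.compile(r"^atera", re.I),
    "splashtop": re.compile(r"^splashtop", re.I),
}

# Path fragments typical of a user-initiated download or unpacked installer.
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")
# Parent processes that indicate the tool was launched straight from a browser.
BROWSER_PARENTS = ("chrome.exe", "firefox.exe", "msedge.exe")


@dataclass
class Finding:
    ts: str
    user: str
    tool: str
    image: str
    severity: str
    reason: str


def _tool_family(image: str) -> Optional[str]:
    """Return the remote-tool family for an executable path, or None."""
    name = PureWindowsPath(image).name
    for family, pattern in REMOTE_TOOL_PATTERNS.items():
        if pattern.search(name):
            return family
    return None


def find_unapproved_remote_tools(events: Iterable[Dict[str, str]],
                                 approved_tools: Iterable[str]) -> List[Finding]:
    """Return one Finding per launch of a remote tool that is not approved.

    Each event is a dict with keys ts, user, image and parent_image
    (an assumed, simplified process-creation record)."""
    approved = {t.lower() for t in approved_tools}
    findings: List[Finding] = []
    for ev in events:
        family = _tool_family(ev["image"])
        if family is None or family in approved:
            continue
        image_lc = ev["image"].lower()
        parent_name = PureWindowsPath(ev.get("parent_image", "")).name.lower()
        user_install = (any(h in image_lc for h in USER_WRITABLE_HINTS)
                        or parent_name in BROWSER_PARENTS)
        if user_install:
            severity = "high"
            reason = "unapproved remote-access tool launched from a user-writable path or a browser"
        else:
            severity = "medium"
            reason = "unapproved remote-access tool launched"
        findings.append(Finding(ev["ts"], ev["user"], family, ev["image"], severity, reason))
    return findings


# Constructed sample telemetry (not real events) covering an unapproved tool run
# from Downloads, a sanctioned RMM agent, an unrelated process and an unapproved
# tool installed system-wide.
SAMPLE_EVENTS = [
    {"ts": "2024-06-18T14:02:11Z", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
     "parent_image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"},
    {"ts": "2024-06-18T14:05:40Z", "user": "CORP\\it-admin",
     "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe"},
    {"ts": "2024-06-18T14:07:02Z", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"ts": "2024-06-18T14:09:15Z", "user": "CORP\\asmith",
     "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
]

# Assumption: the organization's one sanctioned RMM product.
APPROVED_TOOLS = {"screenconnect"}

if __name__ == "__main__":
    for f in find_unapproved_remote_tools(SAMPLE_EVENTS, APPROVED_TOOLS):
        print(f"[{f.severity}] {f.ts} {f.user} {f.tool} ({f.image}): {f.reason}")
```

Run against the constructed events, the sanctioned ScreenConnect service and notepad are ignored, the AnyDesk launch from a Downloads folder by a browser is reported as high severity, and the system-wide TeamViewer launch as medium. The allowlist approach matters more than the pattern list: an organization that knows which remote tool it sanctions can treat every other one as a signal rather than chasing whichever product a caller asks the employee to install.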

Breach Pattern Timeline

Early 2022

Royal ransomware emerges as a private (non-affiliate) ransomware operation operated by individuals previously associated with Conti. Initially uses BlackCat/ALPHV encryptor, then develops custom ransomware.

September 2022

Royal launches its own custom ransomware (replacing BlackCat dependency). Establishes private operations model — fewer affiliates, more direct operator control over targeting and execution.

2022-2023

Royal conducts hundreds of attacks across U.S. and Canadian organizations. Major victims include Dallas City government (May 2023, ~$8.5M impact), Silverstone Circuit (UK F1 venue), Microsoft VSO, and many healthcare and education sector victims.

CISA/FBI March 2023 advisory

FBI and CISA publish joint advisory specifically warning about Royal ransomware. Royal is among the most prolific ransomware operations of 2022-2023.

Mid-2023

Royal ransomware operators rebrand as 'BlackSuit' — same operators, same code base, same operational pattern under a new brand. The rebrand is likely tied to law enforcement pressure on the Royal name.

2023-2024

BlackSuit conducts continued attacks against U.S. critical infrastructure, healthcare, education, and government. Major victims include Kansas City Area Transit Authority, Octapharma Plasma, Kadokawa Corp.

June 2024

BlackSuit deploys ransomware against CDK Global — primary dealership management software (DMS) provider for ~15,000 U.S. car dealerships. CDK reportedly pays ~$25M ransom. Industry-wide $1B+ impact in lost vehicle sales.

2024-2025

BlackSuit remains an active major brand. Operations continue under the BlackSuit name with the same Conti-Royal lineage. Tracked by CISA as one of the top-3 most active ransomware brands of 2024-2025.

2025-2026

Royal/BlackSuit lineage establishes the multi-rebrand pattern: Conti → Royal → BlackSuit (with parallel Conti → Black Basta succession). Foundational case for ransomware operator continuity across brand changes and the limits of brand-disruption strategies.

Total impact: an estimated 350+ victims with ~$275M+ in collective ransom demands across Royal and BlackSuit operations from 2022 to 2025. The CDK Global attack ($25M ransom plus $1B+ industry impact) and the Dallas City attack are among the most consequential, and the lineage is the foundational precedent for Conti → Royal → BlackSuit operator continuity across rebrand cycles.

Executive Lessons

Royal/BlackSuit's callback phishing technique — calling employees directly and directing them to install remote access tools — represents a threat vector that purely email-focused security awareness programs do not address. The technique exploits the same human authentication vulnerability as Scattered Spider's help desk vishing, extended to non-IT populations. Security awareness programs must address phone-based social engineering beyond the help desk context.

Private Equity Implications

Royal/BlackSuit's targeting of healthcare organizations makes it a direct concern for PE sponsors with healthcare portfolio companies. CISA issued a specific advisory on Royal in March 2023 with detailed detection and mitigation guidance. Healthcare portfolio companies should evaluate callback phishing exposure and implement controls against the remote access tool installation technique that Royal uses as a primary initial access vector.

How Cloudskope Can Help

Cloudskope's security awareness programs address callback phishing and telephone-oriented attack delivery — training employee populations beyond IT help desks to recognize and respond to cold call social engineering. Our assessments evaluate callback phishing exposure across portfolio company employee populations.
