May 9, 2023 - Technology

Inside Royal's ransomware spree against U.S. cities

Illustration of binary code under a box trap

Illustration: Sarah Grillo/Axios

The ransomware gang believed to be behind an ongoing attack on the City of Dallas' systems is made up of some familiar characters.

The big picture: The Royal ransomware gang is thought to include former members of Conti, another notorious, but now defunct, Russian ransomware gang, researchers at Palo Alto Networks said in a report released Tuesday.

  • Conti disbanded nearly a year ago after targeting a long list of cities, public schools and even the country of Costa Rica.
  • The group was well organized: It had a human resources department and formal interviewing processes for new members.
  • Now, researchers believe several former core Conti members are behind the Royal gang — and they're furiously targeting public services.

Driving the news: Dallas is one of Royal's most recent targets, prompting the city last week to shut down some of its courts and disrupting some of its 911 emergency services.

  • The city government said in an update Monday that the online 911 system was still being retested to ensure the malware was gone.

By the numbers: Royal has targeted seven local government entities, including the City of Dallas, since 2022, according to the Palo Alto Networks report.

  • Royal has also hit 14 educational institutions since then, per the report.

Yes, but: Pinning down the exact numbers and victimology for ransomware gangs is tricky, considering many organizations never report that they even faced such an attack.

  • Most reports, including Palo Alto's, rely on local news coverage, social media posts and whatever information the gang has published on its dark web leak sites to extort victims.

Between the lines: It's pretty common for ransomware operators to rebrand their gangs to obfuscate who they are and make it harder to track trends in their attacks.

  • The members of Royal are also believed to have helped develop Ryuk ransomware, whose operators rebranded as Conti in 2020.
