
Threat Actor Characterization

Royal

ID: 3e5e6915cdeeeaf6aba6781fc675f77467078
Tags: Crimeware, Botnet, Phishing Kit, Ransomware
Threat types: Malware, Intrusion, Data Leak, Phishing, Exfiltration
Unknown
Updated: 2026-01-13
Created: 2025-10-21
Aliases:
  • Royal Ransomware
  • Royal Ransomware Group
  • Ro************* (third alias masked in preview)
MITRE ATT&CK®

Royal/BlackSuit — human-operated ransomware with callback phishing, credential abuse, rapid lateral movement, data theft, and encryption.


Technique Technique name Tactics Evidence
T1566 Phishing TA0001
  • 2022–2025 — Callback phishing observed as a common Royal initial access vector. · ref
T1078 Valid Accounts TA0001 TA0003 TA0004 TA0005
  • 2022–2025 — Use of valid accounts (RDP/VPN/SSO) after social engineering. · ref
T1021.002 SMB/Windows Admin Shares TA0008
  • 2022–2025 — Lateral movement via SMB/PSExec; remote services abused for deployment. · ref
T1041 Exfiltration Over C2 Channel TA0010
  • 2022–2025 — Pre-encryption exfiltration to cloud/services for double-extortion. · ref
T1486 Data Encrypted for Impact TA0040
  • 2022–2025 — Data encrypted for impact during the final stage. · ref
Strategic Intelligence
Last updated: 2025-10-21T22:58:07+00:00
Royal — Human-Operated Ransomware (BlackSuit Lineage)

CLASSIFICATION: Unclassified / Open Source

Executive Summary

Royal is a human-operated ransomware group first observed in 2022 and later associated with the BlackSuit rebrand. Campaigns commonly start with callback phishing leading to hands-on intrusions, credential abuse, rapid lateral movement (RDP/Cobalt Strike/PSExec), data theft, and encryption. Pressure is applied through leak-site shaming and negotiations. Confidence: high.

A closed, profit-motivated crew believed to include former Conti-lineage operators. It uses leak portals and negotiation sites with a consistent victim-shaming workflow.

Objective: monetize through double extortion (exfiltration plus encryption), with heavy reliance on social engineering (callback phishing) for initial access.
