Royal to BlackSuit Ransomware Lineage
Tracking Royal Ransomware to BlackSuit rebrand and connections to former Conti members.
The Royal to BlackSuit ransomware lineage represents one of the most thoroughly documented cases of organized criminal continuity in modern cybersecurity. Beginning with Royal's emergence in September 2022 and culminating in the mid-2023 transition to BlackSuit, this lineage traces directly to the operational core of the Conti ransomware syndicate, whose infrastructure and personnel fragmented following the 2022 Conti leaks. Understanding this lineage matters because it demonstrates a foundational truth about ransomware ecosystems: rebranding is a business and legal strategy, not a technical reset. The skills, tooling, code, and victim-selection logic persist across name changes, making historical threat intelligence operationally relevant long after a group appears to have dissolved.
---
The Royal to BlackSuit ransomware lineage refers to the documented evolutionary chain connecting three distinct ransomware operation identities: Conti (active through mid-2022), Royal (September 2022 through mid-2023), and BlackSuit (mid-2023 to present). This is not a franchise model or an affiliate relationship. It is a direct continuation of the same core team operating under successive brand identities.
Technically, the lineage is characterized by shared encryption architecture, overlapping command-and-control infrastructure, and consistent tool selection across all three generations. Royal and BlackSuit both employ intermittent encryption, a technique where only portions of each file are encrypted rather than the entire file, which dramatically reduces encryption time while still rendering files unrecoverable without the decryption key. Both variants support Windows and Linux/ESXi environments, reflecting a deliberate targeting strategy aimed at enterprise virtualization infrastructure.
This lineage is distinct from ransomware-as-a-service (RaaS) affiliate relationships, where independent operators rent ransomware code from a developer group. Royal and BlackSuit are not affiliate-driven operations in the traditional sense. The core team writes, controls, and deploys the ransomware directly, with selective use of initial access brokers for entry-point purchasing rather than open affiliate programs.
The lineage is also distinct from code-sharing or inspiration, where independent groups study and copy each other's techniques. The connection here is personnel continuity, not technical borrowing. Code similarity analysis by multiple vendors has confirmed that BlackSuit's binary shares structural characteristics with Royal that go beyond coincidence, including function-level similarities in the encryption routine and command-line argument parsing logic.
What this lineage is NOT: it is not a claim that all former Conti members are operating BlackSuit. The Conti dissolution produced multiple successor groups, including ALPHV/BlackCat, Black Basta, and Quantum. The Royal-to-BlackSuit branch represents one specific personnel cluster, the senior technical and operational leadership, rather than the full Conti roster.
---
Initial Access and the Callback Phishing Model
Royal and BlackSuit both rely heavily on callback phishing, also called vishing-based intrusion or telephone-oriented attack delivery (TOAD). This technique inverts the traditional phishing model. Rather than embedding a malicious link or attachment in an email, the attacker sends a benign-appearing email, often formatted as a software subscription renewal notice or a security alert, that instructs the recipient to call a phone number to resolve an issue. When the victim calls, a human operator on the attacker's side socially engineers them into installing remote access software such as AnyDesk or TeamViewer.
This method is effective because it bypasses email security controls entirely. No malicious URL is clicked, no attachment is opened, and no sandbox is triggered. The victim initiates the contact voluntarily, which also reduces skepticism. Once remote access is established, the operator performs manual reconnaissance before deploying additional tools.
Secondary initial access methods include Google Ads abuse, where the group has purchased advertisements for popular software searches that redirect to sites hosting BatLoader, a malware dropper that delivers Cobalt Strike beacons. Public-facing application exploitation, including vulnerabilities in remote desktop protocol services and VPN appliances, has also been documented. Access broker purchases, where the group buys already-established footholds from initial access brokers operating in underground markets, round out the access portfolio.
Post-Compromise Activity and Dwell Time
Following initial access, the group maintains a dwell time of one to seven days before deploying ransomware. During this period, operators conduct internal reconnaissance using tools including net commands, ADFind for Active Directory enumeration, and BloodHound for privilege escalation path analysis. Lateral movement occurs through pass-the-hash techniques, exploitation of misconfigured services, and abuse of legitimate administrative tools including Windows Management Instrumentation and PsExec.
The group uses SystemBC, a proxy malware and remote access tool, to maintain persistence and route command-and-control traffic through SOCKS5 proxies, complicating network-level detection. Cobalt Strike beacons serve as the primary post-exploitation framework for staging additional payloads and maintaining operator control.
Data exfiltration precedes encryption in nearly all observed cases. The group operates a data leak site and practices double extortion: pay to decrypt, or pay to prevent publication of stolen data. Exfiltration occurs through tools including Rclone, which syncs victim data to cloud storage services under attacker-controlled accounts.
Encryption Mechanics
When the operators judge that they have achieved sufficient access and completed exfiltration, they deploy the ransomware binary. The binary accepts command-line arguments that allow operators to target specific file paths, exclude certain directories to preserve system stability, and adjust the intermittent encryption percentage to balance speed against thoroughness.
Royal and BlackSuit both use AES-256 for file content encryption combined with RSA key wrapping, where the per-file AES key is encrypted with an attacker-held RSA public key. This means decryption is computationally infeasible without the attacker's private key, regardless of how much computing power a victim applies to the problem.
Intermittent encryption, typically encrypting every other 16-byte block or a configurable percentage of file content, means the ransomware can process files significantly faster than full-file encryption would allow. For a target with terabytes of data, this can mean the difference between encryption completing before detection versus being stopped mid-run.
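The alternating-block scheme described above leaves plaintext and ciphertext interleaved at a fixed stride, which is exactly what a defender can measure. The following Python is an added illustration written for this article, not tooling from the group or from CDA: it compares whole-file entropy against the entropy of the even and odd 16-byte block streams, and uses a constructed sample file with pseudo-random bytes standing in for ciphertext (no encryption is performed). The 7.5-bit threshold and 2.0-bit gap are assumed triage values, not figures from the article.

```python
import math
import random
from collections import Counter

BLOCK = 16  # the text describes encryption of every other 16-byte block


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, roughly 4 to 5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def stride_entropies(data: bytes, block: int = BLOCK) -> dict:
    """Entropy of the whole file and of the two interleaved block streams."""
    even = b"".join(data[i:i + block] for i in range(0, len(data), 2 * block))
    odd = b"".join(data[i:i + block] for i in range(block, len(data), 2 * block))
    return {"whole": shannon_entropy(data), "even": shannon_entropy(even), "odd": shannon_entropy(odd)}


def classify(data: bytes, block: int = BLOCK, high: float = 7.5, gap: float = 2.0) -> str:
    """Triage label: 'intermittent' needs one stream near-random and the other clearly not."""
    e = stride_entropies(data, block)
    lo, hi = sorted((e["even"], e["odd"]))
    if lo >= high:
        return "fully_encrypted"
    if hi >= high and hi - lo >= gap:
        return "intermittent"
    return "plaintext"


def make_sample(mode: str, lines: int = 256, seed: int = 7) -> bytes:
    """Constructed test data: a fake record file in which blocks are overwritten with
    pseudo-random bytes as a stand-in for ciphertext (no encryption is performed)."""
    data = bytearray(b"Patient record 0001: BP 120/80, HR 72\n" * lines)
    rng = random.Random(seed)
    stride = 2 * BLOCK if mode == "alternate" else BLOCK
    if mode != "plain":
        for i in range(0, len(data), stride):
            span = len(data[i:i + BLOCK])
            data[i:i + BLOCK] = bytes(rng.getrandbits(8) for _ in range(span))
    return bytes(data)


if __name__ == "__main__":
    for mode in ("plain", "alternate", "full"):
        sample = make_sample(mode)
        print(mode, {k: round(v, 2) for k, v in stride_entropies(sample).items()}, classify(sample))
```

The intermittently encrypted sample stays below a naive whole-file threshold of 7.5 bits while one of its block streams sits near 8.0, which is why a single whole-file entropy check misses this scheme. Legitimately compressed or encrypted formats also score as "fully_encrypted", so the label is a triage signal to combine with extension and magic-byte checks, not a verdict.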
A Concrete Scenario
A healthcare system receives an email informing their accounts payable team that their software subscription is being auto-renewed for $499. The email instructs staff to call a number to cancel. An employee calls. The attacker's operator directs them to download AnyDesk for "screen sharing with support." Within minutes, the operator has established a beachhead on a workstation with domain user credentials. Over the following four days, they enumerate the Active Directory, identify backup infrastructure, establish SystemBC persistence, exfiltrate patient records via Rclone to an attacker-controlled cloud account, and disable Windows Defender through a tampered Group Policy object. On day five, the ransomware binary executes across 400 endpoints and 23 ESXi hosts simultaneously. Recovery time: three to five weeks. Ransom demand: $4.2 million.
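The chain in this scenario (remote-access tool from a callback call, Active Directory enumeration, Rclone exfiltration, Defender tampering, all inside the one-to-seven-day dwell window described under Post-Compromise Activity) is what a correlation rule should tie together rather than alerting on each piece alone. The Python below is an added example written for this article, not a CDA or vendor detection: it runs staged matching over constructed process-creation events in a generic EDR export shape, anchors on a remote tool launched from a browser, and raises one alert when two or more later stages fall inside the dwell window. Host names, user names, the browser list and the event layout are all assumptions.

```python
from datetime import datetime, timedelta

REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
DWELL = timedelta(days=7)  # upper end of the one-to-seven-day dwell time described above
FIELDS = ("ts", "host", "user", "parent", "image", "cmdline")

# Constructed process-creation events in a generic EDR export shape (not real telemetry).
EVENTS = [dict(zip(FIELDS, row)) for row in (
    ("2024-03-04T09:12:00", "AP-WS-17", "ap.clerk", "chrome.exe", "AnyDesk.exe", "AnyDesk.exe"),
    ("2024-03-04T09:40:00", "AP-WS-17", "ap.clerk", "AnyDesk.exe", "cmd.exe", 'cmd /c net group "domain admins" /domain'),
    ("2024-03-05T22:05:00", "AP-WS-17", "ap.clerk", "cmd.exe", "AdFind.exe", "AdFind.exe -f objectcategory=computer"),
    ("2024-03-07T03:30:00", "FS-01", "svc_backup", "cmd.exe", "rclone.exe", "rclone.exe copy E:\\Records remote:drop --transfers 32"),
    ("2024-03-08T01:00:00", "DC-01", "svc_backup", "cmd.exe", "powershell.exe", "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("2024-02-10T11:00:00", "HR-WS-02", "hr.lead", "msedge.exe", "TeamViewer.exe", "TeamViewer.exe"),  # no follow-on activity
)]


def stage(ev):
    """Map one event to an intrusion-chain stage, or None when it matches no rule."""
    img, cmd, parent = ev["image"].lower(), ev["cmdline"].lower(), ev["parent"].lower()
    if img in REMOTE_TOOLS and parent in BROWSERS:
        return "remote_access_tool"  # remote tool launched straight from a browser download
    if img == "adfind.exe" or ("net " in cmd and "domain admins" in cmd):
        return "ad_enum"
    if img == "rclone.exe" and any(v in cmd for v in (" copy ", " sync ", " move ")):
        return "exfil"
    if "set-mppreference" in cmd and "disablerealtimemonitoring" in cmd:
        return "defense_evasion"


def correlate(events, dwell=DWELL):
    """Anchor on each remote-tool launch; gather later chain stages inside the dwell window."""
    evs = sorted(events, key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    alerts = []
    for i, anchor in enumerate(evs):
        if stage(anchor) != "remote_access_tool":
            continue
        t0, chain = datetime.fromisoformat(anchor["ts"]), {}  # chain: stage -> first host seen
        for later in evs[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - t0 > dwell:
                break
            s = stage(later)
            if s and s != "remote_access_tool":
                chain.setdefault(s, later["host"])
        if len(chain) >= 2:  # two or more post-access stages after one remote-tool install
            alerts.append({"anchor_host": anchor["host"], "start": anchor["ts"], "stages": chain})
    return alerts


if __name__ == "__main__":
    print(correlate(EVENTS))
```

The earlier TeamViewer launch on HR-WS-02 produces no alert because nothing in the following seven days matches a later stage, while the AnyDesk launch on AP-WS-17 is tied to enumeration, exfiltration from FS-01 and tampering on DC-01 even though those occur on other hosts.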
---
Operational Continuity Survives Rebranding
The primary reason this lineage matters is that organizations and defenders who dismissed Royal as a new unknown threat, or who later dismissed BlackSuit as a separate entity from Royal, discarded accurate and actionable intelligence. The indicators of compromise, behavioral signatures, and negotiation playbooks from Conti remained relevant across all three brand generations. Defenders who integrated the 2022 Conti leak intelligence into their detection logic had measurable advantages against Royal and BlackSuit operations.
The Double Extortion Pressure Point
Without understanding the lineage, organizations may assume that paying the ransom resolves the incident. It does not. The group's data exfiltration capability, consistent across all three brand identities, means that victims face ongoing extortion even after restoring from backups. Healthcare, legal, and financial sector victims are particularly exposed because of regulatory consequences attached to data disclosure. The Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency issued a joint advisory in 2023 attributing over $275 million in ransom demands to Royal across more than 350 victims in the United States and internationally.
What Goes Wrong Without This Understanding
Organizations that treat each ransomware brand as an independent threat miss the compounding intelligence picture. Detection rules tuned specifically to "Royal" naming conventions in ransom notes will fail against BlackSuit deployments. Threat models that exclude certain sectors because they were not Conti targets may be inaccurate because Royal and BlackSuit have broadened sector targeting. Security teams that deprioritize callback phishing training because their email gateway handles phishing miss the mechanism entirely.
Common Misconceptions
A frequent misconception is that paying the ransom guarantees data deletion from the attacker's systems. No payment mechanism enforces this. The group retains exfiltrated data and may sell it independently or use it for secondary extortion months later. A second misconception is that because BlackSuit appears to operate with a smaller, more selective victim pool than Conti's affiliate-driven scale, it represents a lower threat level. Selectivity in this context means the group focuses on high-value targets with greater ability to pay, not that it is less capable or dangerous.
---
CDA's Threat Intelligence Domain (TID) addresses exactly the problem this lineage illustrates: threat actors do not follow the organizational categories defenders impose on them. The Planetary Defense Model's Predictive Defense Intelligence (PDI) methodology, summarized as "see the threat before it sees you," requires analysts to track capabilities and personnel rather than brand names.
In practice, CDA applies PDI to the Royal-to-BlackSuit lineage by maintaining continuous intelligence threads that treat the Conti diaspora as a persistent threat ecosystem rather than a closed historical case. When BlackSuit emerged in mid-2023, CDA's analytical position was that this represented continuation rather than novelty, because the code characteristics, access methods, and negotiation patterns aligned with the established Royal profile, which itself aligned with documented Conti senior-member operational patterns.
CDA's Vulnerability and Security Design (VSD) domain intersects here through architecture recommendations informed by this group's specific tradecraft. Because the group actively disables security tooling through Group Policy tampering and targets backup infrastructure specifically, CDA recommends security architectures that separate backup authentication from domain authentication, enforce endpoint detection agent tamper protection at the kernel level, and implement network segmentation that prevents lateral movement from workstation segments to hypervisor management networks.
CDA differs from standard threat intelligence providers in one operational respect: intelligence products are tied directly to detection engineering outputs. A threat report on BlackSuit at CDA generates corresponding Sigma rules for SystemBC network behavior, YARA rules for the BlackSuit binary's encryption routine structure, and specific canary file configurations calibrated to the group's observed file targeting logic. Intelligence that does not produce detection artifacts is treated as incomplete.
The Conti leak corpus, specifically the leaked Jabber chat logs and training materials, remains active reference material in CDA's analytical database because it documents the internal methodology, negotiation scripts, and technical training approaches of the same personnel now operating as BlackSuit.
---
Written by CDA Editorial