Ransomware Leak Sites


Active Since

September 2022 (last active July 2023)

Total Victims as of January 2024


Known Forum Aliases


Active Forum Accounts


Top Targeted Geographies

US, Canada, Germany

Royal isn’t a RaaS group and doesn’t appear to work with affiliates.

There is speculation that Royal is composed of former members of the Conti ransomware gang, due to their use of similar ransom notes and callback phishing techniques.

Royal initially used third-party ransomware including BlackCat and Zeon before developing its own malware, written in C++, that infects Windows systems and deletes all Volume Shadow Copies to prevent data recovery. In February 2023, Royal operators added the ability to encrypt Linux devices and target VMware ESXi virtual machines.

In March 2023, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory on Royal, warning that the group targets critical infrastructure sectors.

Royal’s leak site hasn’t been active since July 2023, and researchers have drawn similarities between its ransomware strain and that of a newer operation called BlackSuit, which could suggest that Royal has rebranded.
