THREAT ACTOR: Royal Ransomware gang
Royal is an operation that launched in January 2022 and consists of a group of vetted and experienced ransomware actors from previous operations. Royal does not operate as a Ransomware-as-a-Service but is instead a private group without affiliates.
Initially, they used encryptors from other gangs, such as BlackCat, but they quickly switched to their own encryptors, the first being Zeon, which generated Conti-like ransom notes.
In mid-September, the ransomware gang rebranded again to "Royal" and has since used a new encryptor that generates ransom notes with the same name. Unusually for a ransomware gang, the group also uses social engineering: in callback phishing attacks, the attackers impersonate software providers and food delivery services to trick corporate victims into installing remote access software.