Royal / BlackSuit Ransomware: Threat Actor Profile
Royal evolved into BlackSuit, a Conti-adjacent 'continuity syndicate' tied to $370M+ in ransom payments before a 2025 DOJ takedown seized its infrastructure. Successor risk remains high. A full profile.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team.
Royal evolved into BlackSuit and belongs in the 'continuity syndicate' category: a crew that changes branding but preserves tradecraft, operators, and monetization. MITRE ATT&CK tracks Royal as ransomware first appearing in early 2022; CISA later said BlackSuit was the evolution of Royal.
Royal/BlackSuit: at a glance
- Aliases: Royal, BlackSuit (Conti-adjacent lineage)
- Country / affiliation: Russian-speaking criminal ecosystem with Conti-adjacent lineage
- Assessed status (as of July 2026): Disrupted 2025; successor risk
- Primary objectives: Double extortion and affiliate-style monetization
- Financial destruction / gain: >$370 million in combined Royal/BlackSuit ransom payments per post-takedown reporting; DOJ separately seized ~$1.09M from one laundering chain
- Type: ransomware (Conti-lineage continuity syndicate)
Who is Royal/BlackSuit?
By August 2025, the DOJ had disrupted BlackSuit infrastructure, seizing four servers, nine domains, and roughly $1.09 million in laundered proceeds from one traced ransom stream. Post-takedown reporting put combined Royal/BlackSuit payments above $370 million. The assessed status is 'disrupted', but successor risk remains high.
Aliases and attribution
Royal/BlackSuit is widely discussed as having Conti-adjacent lineage within the Russian-speaking cybercrime ecosystem — another branch of the sprawling Conti family tree. Its rebrand from Royal to BlackSuit is a textbook 'continuity syndicate' move, preserving operators and tooling while shedding a burned brand, complicating cyber attribution.
Financial impact and damage
Post-takedown reporting placed combined Royal/BlackSuit ransom payments above $370 million from 350+ victims, including U.S. critical infrastructure and city governments. The 2025 DOJ action (Operation Checkmate) seized servers, domains, and about $1.09 million in traced laundered proceeds. High per-victim demands and targeting of essential services make it one of the more damaging Conti successors.
Royal/BlackSuit timeline
- 2022: Royal ransomware appears
- 2023: ESXi-targeting versions observed
- 2024: BlackSuit identified as the evolution of Royal
- 2025: Operation Checkmate / DOJ disruption seizes infrastructure and funds
Notable attacks and campaigns
Royal/BlackSuit hit U.S. cities and critical infrastructure with high ransom demands, using partial encryption and multithreading to speed impact and evade naive detection. The 2025 Operation Checkmate takedown disrupted the operation, but its Conti-adjacent operators make successor regrouping a live risk.
Tactics, techniques, and procedures (TTPs)
The techniques below are compact, high-confidence mappings to the MITRE ATT&CK framework, drawn from the group's MITRE ATT&CK profile and corroborating government and vendor reporting. The live ATT&CK matrix remains the authoritative reference for full coverage.
- T1083 — File and Directory Discovery: Royal identifies files and directories to exclude from encryption. Hunt for broad pre-encryption enumeration across local and network drives.
- T1490 — Inhibit System Recovery: Royal/BlackSuit runs vssadmin.exe delete shadows /all /quiet. Alert on vssadmin, wmic, and backup-service stop sequences.
- T1486 — Data Encrypted for Impact: Royal uses partial encryption plus multithreading to speed impact. Watch for fast partial-encryption patterns that evade naive detection thresholds.
Detection and defense against Royal/BlackSuit
Royal/BlackSuit's fast partial encryption can slip past simple thresholds, so tune detection accordingly:
- Watch for fast partial-encryption patterns that evade naive volume-based detection.
- Alert on vssadmin, wmic, and backup-service stop sequences.
- Hunt for broad pre-encryption file enumeration across local and network drives.
- Harden ESXi hosts against Royal's virtualization-targeting variants.
- Protect backups offline and enforce MFA and patching on internet-facing entry points.
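The T1490 and T1486 entries in the TTP list and the first three detection points above describe the same two behaviours: a shadow-copy/backup-service kill sequence, and partial encryption that keeps byte volume low while touching many files. The following is an added example, not code from the original page or from any vendor: two detection rules run over constructed sample telemetry. The event shape (`type`, `host`, `pid`, `cmdline`, `path`, `file_size`, `bytes_written`) is an assumption made for this example, not any specific EDR schema, and the thresholds are illustrative starting points to tune per environment.

```python
"""Detection rules for the Royal/BlackSuit behaviours listed above, run over
constructed sample telemetry. Event field names are an assumption for this
example, not a specific EDR product's schema."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# T1490 indicators: shadow-copy deletion, recovery disablement, backup-service stops.
RECOVERY_INHIBIT_PATTERNS = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_recovery_off", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("backup_service_stop",
     re.compile(r"(net(\.exe)?\s+stop|sc(\.exe)?\s+stop)\s+\S*(backup|veeam|acronis)", re.I)),
]


def _ts(s):
    return datetime.fromisoformat(s)


def detect_recovery_inhibition(events, window=timedelta(minutes=10)):
    """One alert per host; 'high' when two or more distinct T1490 indicators
    occur inside `window` (the stop-backups-then-delete-shadows sequence),
    'medium' for a lone hit."""
    hits = defaultdict(list)
    for ev in events:
        if ev["type"] != "process":
            continue
        for name, pat in RECOVERY_INHIBIT_PATTERNS:
            if pat.search(ev["cmdline"]):
                hits[ev["host"]].append((_ts(ev["ts"]), name))
    alerts = []
    for host, h in hits.items():
        h.sort()
        best = set()
        for i, (t0, _) in enumerate(h):  # best sliding window of distinct indicators
            names = {n for t, n in h[i:] if t - t0 <= window}
            if len(names) > len(best):
                best = names
        alerts.append({"host": host, "rule": "T1490",
                       "severity": "high" if len(best) >= 2 else "medium",
                       "indicators": sorted(best)})
    return alerts


def detect_partial_encryption(events, window=timedelta(seconds=60),
                              min_files=10, min_dirs=3, max_ratio=0.5):
    """Flag a process that rewrites many files across many directories in a
    short window while writing only a fraction of each file's size. Partial
    encryption keeps bytes written low, so a byte-volume threshold misses it;
    this rule counts files and directories instead."""
    by_proc = defaultdict(list)
    for ev in events:
        if ev["type"] == "file_write":
            by_proc[(ev["host"], ev["pid"])].append(ev)
    alerts = []
    for (host, pid), evs in by_proc.items():
        evs.sort(key=lambda e: _ts(e["ts"]))
        for i, first in enumerate(evs):
            t0 = _ts(first["ts"])
            win = [e for e in evs[i:] if _ts(e["ts"]) - t0 <= window]
            partial = [e for e in win
                       if e["file_size"] and e["bytes_written"] / e["file_size"] <= max_ratio]
            dirs = {e["path"].rsplit("\\", 1)[0] for e in partial}
            if len(partial) >= min_files and len(dirs) >= min_dirs:
                alerts.append({"host": host, "pid": pid, "rule": "T1486",
                               "files": len(partial), "dirs": len(dirs),
                               "bytes_written": sum(e["bytes_written"] for e in partial)})
                break
    return alerts


def _constructed_events():
    """Constructed sample telemetry (not real data): one host with a backup
    service stop, a vssadmin shadow deletion, a benign archiver, a partial
    encryptor (pid 4412) and a full-copy backup agent (pid 900)."""
    base = datetime(2025, 7, 1, 2, 0, 0)
    ev = [
        {"ts": base.isoformat(), "host": "srv01", "type": "process", "pid": 3100,
         "cmdline": "net stop VeeamBackupSvc /y"},
        {"ts": (base + timedelta(seconds=5)).isoformat(), "host": "srv01", "type": "process",
         "pid": 3104, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
        {"ts": (base + timedelta(seconds=9)).isoformat(), "host": "srv01", "type": "process",
         "pid": 3110, "cmdline": "C:\\Program Files\\7-Zip\\7z.exe a C:\\Temp\\r.zip C:\\Reports"},
    ]
    for i in range(12):  # partial encryptor: 5% of each 2 MB file, spread over 4 directories
        ev.append({"ts": (base + timedelta(seconds=20 + 2 * i)).isoformat(), "host": "srv01",
                   "type": "file_write", "pid": 4412,
                   "path": f"\\\\fs01\\share\\dept{i % 4}\\doc{i}.docx",
                   "file_size": 2_000_000, "bytes_written": 100_000})
    for i in range(12):  # backup agent: full rewrite of large files in one directory
        ev.append({"ts": (base + timedelta(seconds=20 + 2 * i)).isoformat(), "host": "srv01",
                   "type": "file_write", "pid": 900,
                   "path": f"D:\\Backups\\daily\\vol{i}.bak",
                   "file_size": 50_000_000, "bytes_written": 50_000_000})
    return ev


SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    for a in detect_recovery_inhibition(SAMPLE_EVENTS) + detect_partial_encryption(SAMPLE_EVENTS):
        print(a)
```

On the sample, the backup agent writes far more bytes than the encryptor yet raises nothing, while the encryptor's 12 small writes across 4 directories trip the T1486 rule; that is the point of counting files and directories rather than volume. The T1490 rule scores the backup-service stop and the vssadmin deletion together as one high-severity sequence instead of two unrelated medium alerts.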
The bottom line
Royal/BlackSuit is a resilient Conti successor — disrupted by the DOJ in 2025 but built to regroup, keeping successor risk high into 2026.
Frequently asked questions
What is Royal / BlackSuit ransomware?
Royal is a ransomware operation that appeared in 2022 and evolved into BlackSuit, a Conti-adjacent 'continuity syndicate' known for high-demand attacks on critical infrastructure and city governments.
How much did Royal / BlackSuit make?
Post-takedown reporting put combined Royal/BlackSuit ransom payments above $370 million from 350+ victims. The DOJ separately seized about $1.09 million from one traced laundering chain.
What was Operation Checkmate?
Operation Checkmate was a 2025 DOJ-led disruption of BlackSuit that seized four servers, nine domains, and roughly $1.09 million in laundered proceeds.
Is Royal / BlackSuit still active?
The brand was disrupted in 2025, but because its operators have Conti-adjacent lineage and a history of rebranding, successor regrouping remains a significant risk.
Primary sources & further reading
This guide is reviewed and fact-checked against authoritative primary sources: