The Royal ransomware gang has targeted at least 350 organizations worldwide, with their ransom demands exceeding $275 million, and the cybercriminals may be preparing to rebrand their operation, the US cybersecurity agency CISA and the FBI say in an updated alert.

Active since at least September 2022, Royal has been used in attacks against entities in critical infrastructure, education, healthcare, and manufacturing sectors, making ransom demands ranging between $1 million and $11 million, in Bitcoin.

In March 2023, CISA and the FBI issued an alert on the Royal ransomware operation, urging organizations to implement security best practices to protect their environments against Royal and other ransomware attacks.

On Monday, the two US agencies updated their advisory to provide additional indicators of compromise (IoCs) associated with Royal attacks, and to update the list of observed tactics, techniques, and procedures (TTPs).

The update also warns of a potential rebranding of the operation, or at least a spin-off, pointing out that “Blacksuit ransomware shares a number of identified coding characteristics similar to Royal.”

Believed to be operated by a private group, rather than a ransomware-as-a-service (RaaS) operation, Royal typically relies on phishing for initial access.

The group was also seen abusing remote desktop protocol (RDP), exploiting vulnerabilities in web-facing assets, and leveraging initial access brokers to get into victims’ networks.

Post-exploitation, the threat actors use various tools for persistence, lateral movement, and data harvesting and exfiltration. Prior to deploying file-encrypting ransomware, they also delete shadow copies to prevent victims from restoring their data.

CISA and the FBI also warn that the Royal ransomware gang publishes victim data on its leak site, if a ransom is not paid.

“Royal ransomware attacks have spread across numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, healthcare and public healthcare (HPH), and education. CISA encourages network defenders to review the updated CSA and to apply the included mitigations,” the cybersecurity agency notes.

In December last year, Trend Micro linked Royal to the infamous Conti ransomware group, saying that it is a rebranded version of Zeon ransomware, which had been previously associated with one of the groups distributing Conti.

Also in December, the US Department of Health and Human Services (HHS) warned healthcare organizations of Royal ransomware attacks.

Related: City of Dallas Details Ransomware Attack Impact, Costs

Related: CISA Program Warns Critical Infrastructure Organizations Vulnerable to Ransomware Attacks

Related: Why Ransomware Response Matters More Than Protection