Towards the end of 2022, the operation rebranded into Royal. It has quickly become one of the most active enterprise-targeting ransomware gangs.
While Royal breaches networks using vulnerabilities in devices on the internet, they also use callback phishing attacks to gain initial access to corporate networks.
These callback phishing attacks pretend to be food delivery and software providers.
Instead of containing links to phishing sites, the emails contain phone numbers that the victim can contact to cancel a supposed subscription. In reality, these phone numbers connect to a service hired by the Royal threat actors.
