The Crowned Lock: Royal / BlackSuit

Threat Intelligence Tarot

Vol. II · 133

Criminal (Russian-speaking, Conti-aligned)

★★★★★

risk 5/5

✦ The Crowned Lock ✦

Royal / BlackSuit

Royal Ransomware · BlackSuit · DEV-0569 (early) · Conti-aligned

Critical infrastructureHealthcareManufacturingGovernmentEducation

Active since ~2022 · Extortion, Financial gain

The Crowned Lock declared itself royalty after Conti's abdication — same court, new heraldry, same dungeons full of municipal databases. The seal on the ransom note matters less than the keys it holds.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1566.002

Spearphishing Link

Initial Access

T1190

Exploit Public-Facing Application

Initial Access

T1486

Data Encrypted for Impact

Impact

T1490

Inhibit System Recovery

Impact

T1489

Service Stop

Impact

T1041

Exfiltration Over C2 Channel

Exfiltration

Notable Operations

◆City of Dallas attack disrupting municipal services (May 2023)
◆$275M+ in cumulative ransom demands across 350+ victims (CISA estimate)
◆Callback phishing leading to remote-access tool deployment
◆Rebrand from Royal to BlackSuit (mid-2023)

Defenses

▸
Immutable backups with isolated recovery environments
CIS Control 11 ↗
▸
Remote management tool inventory and allowlisting
NIST CSF: ID.AM ↗
▸
Callback phishing awareness in user security training
NIST CSF: PR.AT ↗
▸
Tested incident response and ransomware tabletop exercises
NIST SP 800-61 ↗

Reversed: Their Weakness

Backup immutability, callback phishing awareness, and remote-access tool inventories collapse the playbook this crown depends on. The throne is rented from defenders' inattention.

Share this adversary profile

Compare →

← → arrow keys to browse

swipe to browse

← PreviousThe Customs Officer Next →The Petrifying Gaze

Related Adversaries

The Self-Encrypting Thorn

Cactus

3 shared TTPs

★★★★★

Data sourced from MITRE ATT&CK. For educational purposes.