Royal ransomware returns.

May 11 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s all singing, all dancing.

Today’s hottest cyber security stories:

  • Royal ransomware returns…
  • Started from the bottom now we here: RapperBot expands into cryptojacking
  • Food distribution giant Sysco is in a pickle: hackers steal data


Listen up, folks, because we have a real-life drama unfolding in the world of cybercrime. Enter the Royal ransomware group, and man, do they live up to their name! They’ve got an air of superiority about them that would make even the snootiest aristocrat jealous. These cyber hoodlums are the crème de la crème of the criminal underworld, and they’re not afraid to flaunt it.

Now, picture this: you’re innocently going about your business when suddenly you find yourself face-to-face with a ransom note straight out of a cheesy spy movie. Turns out, our friends at Royal dropped this little gem on one of their victims, and the tech gurus at Palo Alto Networks’ Unit 42 got their hands on it.

Here’s the note:

“Most likely what happened was that you decided to save some money on your security infrastructure. Alas, as a result your critical data was not only encrypted but also copied from your systems.”

Geez, blame the victim, much? Talk about rubbing salt in the wound. These cyber baddies sure know how to make an entrance.

Royal is taking the coronation year seriously lol. They’ve been wreaking havoc left and right, targeting critical infrastructure organisations like there’s no tomorrow. According to Unit 42, these guys have already messed with 157 organisations since they burst onto the scene last year. That’s quite the rap sheet!

It seems nobody is safe from Royal’s clutches. They’ve been causing chaos in all sorts of industries, from small independent shops to massive corporations. Manufacturing? Tick! Wholesale and retail? Tick! These cyber rascals are equal opportunity troublemakers.

So, keep an eye out, folks, because the Royal ransomware group is making waves and taking no prisoners. It’s like a real-life game of thrones, except with keyboards and encrypted files.

Winter may be coming, but the Royals are already here. Stay safe out there, friends!


FortiGuard Labs, the fearless defenders against cyber threats, have stumbled upon some fresh samples of the notorious RapperBot campaign! This malware so solid crew has a thing for IoT (Internet of Things) devices, you know, those posh gadgets that make your life a breeze.

This gang has been making the rounds since June 2022, but FortiGuard Labs has been hot on their trail.

Turns out, these campaigns were all about brute-forcing their way into devices with laughably weak or default SSH or Telnet credentials. Why? Well, to expand their botnet, of course! And what do they do with this army of hijacked devices, you ask? They unleash chaos in the form of Distributed Denial of Service (DDoS) attacks.

So time to check yo’ self (your cybersecurity measures, that is!) before you wreck yo’ self, fool!

But hold onto your hats, because things have taken a twist in this latest campaign. These crafty criminals have decided to try their hand at cryptojacking! Suits their name, I guess.

Now, they’re not just satisfied with causing DDoS havoc—they want to mine some digital gold too, targeting Intel x64 machines like they’re on a treasure hunt. I mean, it’s no surprise that rappers like gold.

At first, they played it safe by deploying a separate Monero crypto miner alongside their trusty RapperBot binary. But you know what they say, why do something separately when you can combine it all into one convenient package?

Yep, that’s right. In late January 2023, these sneaky crypto-jacking rappers decided to give their bot a makeover, merging both the RapperBot and the crypto miner into one almighty doomsday device.

Watch each other’s backs out there, yo. Peace!


Sysco, the big cheese in global food distribution, just spilled the beans on a rather unfortunate event. Brace yourselves because this story is sure to spice up your day.

Picture this: earlier this year, a bunch of mischievous attackers snuck into Sysco’s network, as sly as a fox eyeing a chicken coop. These crafty culprits managed to snatch some seriously sensitive information. They got their hands on business secrets, customer data, and even sneaked away with employee records.

The incident gnawed away at customer and supplier data in both the U.S. and Canada, leaving a sour taste in everyone’s mouths. But wait, there’s more! They even nibbled on the personal information of Sysco’s hardworking employees. Talk about an all-you-can-steal buffet!

What Sysco said:

“On March 5, 2023, Sysco became aware of a cybersecurity event perpetrated by a threat actor believed to have begun on January 14, 2023, in which the threat actor gained access to our systems without authorization and claimed to have acquired certain data,”

“The investigation determined that the threat actor extracted certain company data, including data relating to operation of the business, customers, employees and personal data,” the company said.

“The investigation is ongoing, and Sysco has begun the process of preparing to comply with its obligations with respect to the extracted data.”

So there you have it, dear readers. Sysco, the global food distribution maestro, found themselves in quite a pickle.

Now, let’s hope Sysco serves up a dish of justice to those dastardly attackers and keeps their data under lock and key.

Stay spicy, folks!

So long and thanks for reading all the phish!

Recent articles