
Ransomware attack capitalizes on Citrix vulnerability against a small American enterprise

Suspected associates of the ransomware group Royal are leveraging a weakness in two Citrix products, according to research findings.

Business in the US hit by ransomware attack, leveraging a vulnerability in Citrix systems.


In a significant development in the world of cybersecurity, ransomware group Royal has emerged as the most active threat group globally, displacing LockBit. This shift was first observed in November 2022, according to various security researchers.

The group, which first emerged in January 2022, has been making headlines for its aggressive tactics and high-profile attacks. One of its most notable actions was the takeover of the U.K. racing venue Silverstone Circuit in November.

Research from Avertium indicates that Royal primarily targets organisations in the United States. The group's modus operandi involves delivering malware through malicious Google ads and attachments, rather than operating as a ransomware-as-a-service provider.

The group's success can be attributed, in part, to the exploitation of a critical vulnerability in Citrix products. The vulnerability, identified as CVE-2022-27510, allows an attacker to bypass authentication measures in Citrix's Application Delivery Controller and Gateway products. This is the first known exploit of the CVE-2022-27510 Citrix vulnerability.

However, no further public details about the CVE-2022-27510 vulnerability or related Citrix activity have emerged since November 2022. More recent reporting concerns different Citrix vulnerabilities from 2025, such as CVE-2025-5777, with no mention of CVE-2022-27510 or of Citrix's actions on it since late 2022.

Corporate stakeholders are increasingly seeking to understand the risk calculus of their technology stacks in light of such developments. The evolving role of Chief Information Security Officers (CISOs) reflects this, as stakeholders grapple with the question: Are we a target?

It's important to note that no immediate comment was available from a spokesperson for Citrix regarding the exploitation of the CVE-2022-27510 vulnerability by ransomware group Royal.

Royal initially used an encryptor from the group BlackCat, but later transitioned to using their own Zeon encryptor. The ransom notes left by Royal are similar to those left by the Conti group, according to Avertium.

As the digital landscape continues to evolve, it's crucial for organisations to stay vigilant and proactive in their cybersecurity measures. The exploitation of vulnerabilities like CVE-2022-27510 serves as a stark reminder of the importance of regular updates, robust security protocols, and a comprehensive understanding of the risks posed by various threat actors.
