Royal
⚠️ Overview
Royal is a ransomware family first observed in early 2022 and operated by actors believed to include former members of the Conti ransomware group. Unlike most contemporary ransomware operations it does not run as a ransomware-as-a-service program with affiliates; it is a closed, private group that conducts its own intrusions end to end. Targets are predominantly large organizations across multiple sectors, including healthcare, government, manufacturing and education. Royal is data-theft and encryption ransomware: operators exfiltrate data before encrypting and then use the threat of publication as a second lever (double extortion).
🔧 Technical Capabilities
Royal encrypts files with AES, protecting the per-file key material with an embedded RSA public key, and appends the .royal extension to affected files. A distinguishing feature is intermittent (partial) encryption: the operator chooses what percentage of each file is encrypted, which speeds up the attack on large files and makes the output look less uniformly random to entropy-based detection. Initial access comes mostly from phishing (including callback phishing, where the victim is talked into installing remote-access software), compromised Remote Desktop Protocol (RDP) endpoints, exploitation of vulnerable public-facing applications and access bought from initial access brokers. Once inside, operators use Cobalt Strike for command and control and lateral movement, and repurposed legitimate tooling to stage and exfiltrate data before encryption begins. Persistence is achieved through scheduled tasks and services; evasion includes terminating or disabling security software such as Windows Defender and clearing event logs. Volume Shadow Copies are deleted with vssadmin to hinder recovery. Command-and-control traffic is HTTPS to attacker-controlled infrastructure, and victim communication runs through a negotiation portal reachable over Tor.
📜 History & Notable Incidents
Royal emerged in early 2022 and quickly gained notoriety for high-impact attacks, including the May 2023 attack on the City of Dallas, which disrupted police, court and 311 services for weeks, and intrusions at multiple U.S. healthcare entities. In December 2022 the U.S. Department of Health and Human Services (HC3) warned the healthcare sector about Royal, and in March 2023 CISA and the FBI released joint Cybersecurity Advisory AA23-061A (updated in November 2023) detailing the group's tactics, techniques and indicators. No law enforcement takedown has been reported; CISA has since noted that Royal appears to have rebranded as, or spun off, the BlackSuit ransomware operation.
🔍 Detection Indicators
Files encrypted by Royal carry the .royal extension, and a ransom note named README.TXT is dropped in affected directories; the note directs the victim to a Tor negotiation portal. Network indicators are weak on their own: Cobalt Strike beacons use HTTPS with browser-like user-agent strings such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36, and infrastructure is frequently hosted on mainstream cloud providers, so blocking by hosting provider or ASN is not practical. Behavioral indicators are more reliable: deletion of Volume Shadow Copies via vssadmin.exe delete shadows /all /quiet, the Royal encryptor being launched with its characteristic command-line arguments (-path for the target directory, -id for a 32-character victim identifier and -ep for the percentage of each file to encrypt), and a burst of file renames to .royal followed by the ransom note. Known file hashes (SHA-256) and other IOCs are published in CISA's advisory AA23-061A and include 42a1f3... (see official sources for the full list).
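The behavioral indicators above are easy to turn into detection logic. The following is an added example, not code from the original page or from the Royal operators: it runs constructed, Sysmon-style events (process creation, file rename, file create) through three checks, shadow-copy deletion, Royal-style encryptor arguments, and a burst of .royal renames followed by a README.TXT drop. The event field names and the sample telemetry are simplified assumptions, not a real EDR schema or real captures.

```python
"""Detect Royal ransomware behaviour in simplified endpoint telemetry.

Added example (not from the page or the malware). Event dicts use an
assumed schema: type, ts (seconds), pid, cmdline / path / new_path.
"""
import re
from collections import defaultdict

RANSOM_NOTE = "readme.txt"          # Royal drops README.TXT next to encrypted files
ENCRYPTED_EXT = ".royal"
RENAME_BURST_THRESHOLD = 20          # renames to .royal by one process ...
RENAME_WINDOW_SECONDS = 60           # ... within this sliding window

# vssadmin shadow-copy deletion as used by Royal: "delete shadows /all /quiet"
VSSADMIN_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*?/all", re.I)

# Royal encryptor arguments: -id <32-char victim id> and -ep <percent to encrypt>.
# Assumes -id precedes -ep on the command line (true for the constructed sample).
ROYAL_ARGS = re.compile(r"-id\s+[A-Za-z0-9]{32}\b.*?-ep\s+\d{1,3}\b", re.I)


def detect_shadow_copy_deletion(cmdline):
    """True for vssadmin invocations that wipe all shadow copies."""
    return bool(VSSADMIN_DELETE.search(cmdline))


def detect_royal_commandline(cmdline):
    """True for command lines carrying Royal's -id/-ep argument pattern."""
    return bool(ROYAL_ARGS.search(cmdline))


def analyze(events):
    """Return a list of alert strings for the given event stream."""
    alerts = []
    renames = defaultdict(list)   # pid -> timestamps of renames to .royal
    flagged_burst = set()
    for ev in events:
        if ev["type"] == "process_create":
            cmd = ev["cmdline"]
            if detect_shadow_copy_deletion(cmd):
                alerts.append(f"pid {ev['pid']}: shadow copy deletion: {cmd}")
            if detect_royal_commandline(cmd):
                alerts.append(f"pid {ev['pid']}: Royal-style encryptor arguments: {cmd}")
        elif ev["type"] == "file_rename":
            if ev["new_path"].lower().endswith(ENCRYPTED_EXT):
                ts = renames[ev["pid"]]
                ts.append(ev["ts"])
                # drop renames that fell out of the sliding window
                while ts and ev["ts"] - ts[0] > RENAME_WINDOW_SECONDS:
                    ts.pop(0)
                if len(ts) >= RENAME_BURST_THRESHOLD and ev["pid"] not in flagged_burst:
                    flagged_burst.add(ev["pid"])
                    alerts.append(f"pid {ev['pid']}: rename burst, {len(ts)} files "
                                  f"to {ENCRYPTED_EXT} within {RENAME_WINDOW_SECONDS}s")
        elif ev["type"] == "file_create":
            name = ev["path"].rsplit("\\", 1)[-1].lower()
            # a ransom note from a process that has been renaming files is high confidence
            if name == RANSOM_NOTE and ev["pid"] in renames:
                alerts.append(f"pid {ev['pid']}: ransom note {ev['path']} written by "
                              f"a process that renamed files to {ENCRYPTED_EXT}")
    return alerts


def sample_events():
    """Constructed sample telemetry (not real captures): benign noise, then an attack."""
    events = [
        {"type": "process_create", "ts": 0, "pid": 1000,
         "cmdline": "vssadmin.exe list shadows"},                       # benign admin use
        {"type": "file_rename", "ts": 1, "pid": 1200,
         "path": r"C:\Users\a\report.docx", "new_path": r"C:\Users\a\report_v2.docx"},
        {"type": "process_create", "ts": 5, "pid": 4242,
         "cmdline": r"C:\Windows\Temp\svc.exe -path C:\Shares "
                    r"-id aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW -ep 50"},    # 32-char id, 50% encryption
        {"type": "process_create", "ts": 6, "pid": 4243,
         "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    ]
    for i in range(25):
        events.append({"type": "file_rename", "ts": 10 + i, "pid": 4242,
                       "path": fr"C:\Shares\finance\doc{i}.xlsx",
                       "new_path": fr"C:\Shares\finance\doc{i}.xlsx.royal"})
    events.append({"type": "file_create", "ts": 40, "pid": 4242,
                   "path": r"C:\Shares\finance\README.TXT"})
    return events


if __name__ == "__main__":
    for alert in analyze(sample_events()):
        print(alert)
```

The rename-burst threshold and window are tuning knobs: legitimate bulk renames to an unusual extension are rare, but the ransom-note check correlates with the same process and is the higher-confidence signal, so in production the burst alone would be a medium-severity alert and note-plus-burst a high one.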
☠️ Risk & Impact
Royal ransomware causes significant financial losses: ransom demands reported by CISA and the FBI have ranged from roughly $1 million to $11 million USD in Bitcoin, with exfiltrated data used as additional leverage. Attacks on healthcare facilities have disrupted patient care, including canceled procedures and delayed diagnostics, and the City of Dallas attack took municipal services offline for weeks. CISA's joint advisory (AA23-061A, March 2023) reported that since September 2022 Royal had compromised numerous U.S. and international organizations, with manufacturing, communications, healthcare and education among the most affected sectors.
🛡️ Mitigation
Defenders are advised to enforce phishing-resistant multi-factor authentication, remove RDP from the internet or restrict it behind a VPN or gateway with MFA, and patch internet-facing applications promptly, since exploitation of public-facing services is one of Royal's initial access routes. Train users to recognize callback phishing and restrict installation of remote-access tools that the operators talk victims into running. Deploy endpoint detection and response (EDR) with rules for Cobalt Strike beacons, shadow-copy deletion via vssadmin and Royal-specific IOCs, segment the network to limit lateral movement, and maintain backups in accordance with the 3-2-1 rule: three copies, on two different media, with one copy offline or otherwise immutable so the encryptor cannot reach it.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.