Summary of Royal Ransomware
- Royal emerged in January 2022.
- Royal is a tightly controlled and vetted, affiliate-based, ransomware group.
- Royal is a multi-pronged extortion threat. The attackers exfiltrate any data of interest before encrypting devices. Victims are then extorted into paying the ransom both to prevent the leak and to decrypt their data.
- Current intelligence suggests prior links to Zeon ransomware.
What Does Royal Ransomware Target?
- Large enterprises, high-value targets
- Targeting will vary depending on subscriber (affiliate)
How Does Royal Ransomware Spread?
- Phish and spear phishing emails
- Callback phishing
- Third party framework (e.g., Empire, Metasploit, Cobalt Strike)
Royal Ransomware Technical Details
Royal ransomware is a newly observed ransomware family with possible links to Zeon ransomware. Victims are targeted through email and phone-based phishing scams. The malware enumerates network shares to reach as many files as possible and deletes Volume Shadow Copies prior to encryption so that victims cannot recover with Windows System Restore. Encrypted files are marked with the extension “.royal”.
Royal operators use phishing and other standard techniques to infect devices. Once a device is infected, the malware enumerates network shares and attempts to delete Volume Shadow Copies, and victims are directed to engage with the attackers via a TOR-based payment portal.
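The two host-level behaviours described above (shadow copy deletion before encryption and the “.royal” extension on encrypted files) are the kind of thing a detection engineer would hunt for in endpoint telemetry. The script below is an added example written for this page, not SentinelOne code and not Royal code: it runs simple rules over constructed process-creation events and file paths. The specific shadow-copy deletion command lines it matches (`vssadmin ... delete shadows`, `wmic shadowcopy delete`) are an assumption of the example, since the page only states that Volume Shadow Copies are deleted without naming the tooling.

```python
"""Toy detection rules for behaviours the page attributes to Royal ransomware.

Added example for this page (not SentinelOne or Royal code). The event format
and sample data below are constructed; the command-line patterns are the
common Windows shadow-copy deletion methods and are an assumption, as the
page does not name the tool Royal uses.
"""
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign: listing only
    {"host": "srv01", "image": r"C:\Program Files\Backup\agent.exe",
     "cmdline": "agent.exe --snapshot create"},        # benign backup agent
]

# Constructed sample file paths observed on a network share (not real data).
SAMPLE_PATHS = [
    (r"\\fileserver\finance\Q3-report.xlsx.royal", "ws01"),
    (r"\\fileserver\finance\budget.docx.ROYAL", "ws01"),
    (r"\\fileserver\finance\README.TXT", "ws01"),
    (r"\\fileserver\hr\policies.pdf", "ws02"),
]

# Assumed command-line patterns for Volume Shadow Copy deletion.
SHADOW_DELETE_PATTERNS = (
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
)

# Extension the page says Royal appends to encrypted files.
RANSOM_EXTENSION = ".royal"


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True if the command line matches an assumed shadow-copy deletion pattern."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def flag_shadow_copy_deletion(events):
    """Return the subset of process events that delete Volume Shadow Copies."""
    return [e for e in events if is_shadow_copy_deletion(e["cmdline"])]


def find_royal_encrypted(paths):
    """Return (path, host) tuples whose file name ends in .royal (any case)."""
    return [(p, h) for p, h in paths if p.lower().endswith(RANSOM_EXTENSION)]


def triage(events, paths):
    """Summarise per host which Royal-like behaviours were observed.

    Returns a dict: host -> {"shadow_copy_deletion": n, "royal_files": n}.
    A host with both findings is the strongest candidate for isolation.
    """
    summary = defaultdict(lambda: {"shadow_copy_deletion": 0, "royal_files": 0})
    for e in flag_shadow_copy_deletion(events):
        summary[e["host"]]["shadow_copy_deletion"] += 1
    for _path, host in find_royal_encrypted(paths):
        summary[host]["royal_files"] += 1
    return dict(summary)


def hosts_to_isolate(events, paths):
    """Hosts showing both shadow-copy deletion and .royal files, sorted."""
    return sorted(h for h, s in triage(events, paths).items()
                  if s["shadow_copy_deletion"] and s["royal_files"])


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS, SAMPLE_PATHS).items():
        print(host, findings)
    print("isolate:", hosts_to_isolate(SAMPLE_EVENTS, SAMPLE_PATHS))
```

Run stand-alone it prints the per-host summary for the constructed data; in practice the `events` and `paths` inputs would come from an EDR or file-server audit feed, and the shadow-copy rule should be tuned against legitimate backup software that also manages snapshots.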
How to Detect Royal Ransomware
- The SentinelOne Singularity XDR Platform detects and prevents malicious behaviors and artifacts associated with Royal ransomware.
How to Mitigate Royal Ransomware
The SentinelOne Singularity XDR Platform detects and prevents malicious behaviors and artifacts associated with Royal ransomware.
If you do not have SentinelOne deployed, mitigating the risk of a Royal ransomware attack requires a multi-layered approach that includes the following steps:
- Implement a strong cybersecurity posture, including firewalls, antivirus software, and other security controls, to prevent the spread of malware and ransomware.
- Conduct regular security audits and assessments to identify and address vulnerabilities in the network and its systems.
- Educate and train employees on cybersecurity best practices, including how to identify and avoid phishing emails and other threats.
- Implement a robust backup and recovery plan to ensure that the organization keeps a copy of its data and can restore it in case of an attack.
- Have a plan in place to respond to a ransomware attack, including how to contain the threat and how to restore systems and data.
How to Remove Royal Ransomware
- SentinelOne customers are protected from Royal ransomware without any need to update or take action. In cases where the policy was set to Detect Only and a device became infected, remove the infection by using SentinelOne’s unique rollback capability. As the accompanying video shows, the rollback will revert any malicious impact on the device and restore encrypted files to their original state.
Royal Ransomware FAQs
What is Royal Ransomware?
Royal Ransomware is malware that locks up files on your computer and demands payment for their release. The attackers also threaten to leak your files unless you pay. It is dangerous because it can bring businesses to their knees, halt operations, and steal sensitive information. Caution on the internet and strong security software can protect you from it.
When was Royal Ransomware first discovered?
Royal Ransomware first emerged in early 2022. It quickly became popular due to its advanced tactics and the high-demand ransoms requested by attackers. Ever since, it has been striking organizations worldwide, making it a significant threat.
Who is behind Royal Ransomware?
The actual group or operators behind Royal Ransomware remain unknown, but experts believe that professional cybercriminals operate it. They usually operate as affiliates in ransomware-as-a-service (RaaS) operations, renting out their malware to other hackers for a fee.
What are the common attack vectors used by Royal Ransomware?
Hackers employing Royal Ransomware tend to deceive individuals through phishing emails, fake software updates, or by targeting vulnerable security systems. They use these means to gain entry into networks and spread the malware. Being vigilant with email and keeping software updated can reduce exposure.
How dangerous is Royal Ransomware?
Royal Ransomware is very malicious. It can encrypt crucial files and demand considerable ransoms to decrypt them. It targets companies, hospitals, and schools, causing significant disruptions. Victims without backups or strong defenses are left with lost money and lost data.
Which encryption algorithm is utilized by Royal Ransomware?
Royal Ransomware uses robust encryption algorithms to encrypt files, rendering them useless without the decryption key. This strategy forces victims to pay the ransom unless they have a backup or another way to recover.
Can endpoint detection and response (EDR) products stop Royal Ransomware?
Yes, EDR solutions can detect and block Royal Ransomware before harm is caused. They identify unusual system activity and block attacks in real time. Properly configured and regularly updated, they are even more effective.