Need cloud computing? Get started now

What Is Royal Ransomware?

Royal ransomware is a sophisticated form of malware that encrypts files in a victim’s IT environment, making the files inaccessible to users. The cybercriminals behind Royal ransomware attacks then demand a ransom in exchange for decryption keys that restore access to the files.

In addition to encrypting files, Royal ransomware discovers and exfiltrates high-value data and sensitive information. This practice allows attackers to extort victims a second time by threatening to publish the stolen data on a leak site if the victim does not pay a ransom. Ransom demands typically range from $250,000 to over $2 million.

Unlike other high-profile ransomware groups that often lease their malware to affiliates in a ransomware as a service (RaaS) business model, the Royal group appears to keep tight control over their code. Cybersecurity experts believe the group is quite experienced, as they have been quick to adapt to new tactics. Royal initially targeted Microsoft Windows environments, but the group has also also developed Linux-based variants, including code that targets ESXi servers, which can significantly impact enterprise data centers and virtualized storage.

An example of a Royal ransomware notice that appears on victims’ computer screens. An example of a Royal ransomware notice that appears on victims’ computer screens.

A history of Royal ransomware

Analysts believe that Royal ransomware first emerged in January 2022, and it was quite active in the last part of that year. In late 2022, Royal was among the most prolific ransomware groups, along with LockBit and BlackCat. The Royal ransomware gang is thought to be a Russian-speaking group that uses advanced techniques for infiltration and exfiltration. Analysts at Trend Micro and other security firms believe that Royal is a rebranding of Zeon ransomware. Royal also shares many similarities with other forms of ransomware. For example, Royal initially used the encryptor from BlackCat ransomware and later dropped ransom notes that were similar to Conti ransomware. Researchers thus suspect the group is made up primarily of former members of the Conti ransomware group, which previously had connections to Ryuk ransomware. This suggests the operators have many years of experience in carrying out sophisticated cyberattacks. As of late 2023, authorities suspect the Royal gang may be rebranding itself as BlackSuit ransomware, since both groups use similar code and methodologies. The Royal ransomware group has targeted many critical infrastructure sectors, including chemical, communications, manufacturing, dams, defense industry, financial services, healthcare, waste, nuclear energy, and emergency services. As of November 2023, Royal had targeted more than 350 known victims worldwide, collecting ransom payments that totaled more than $275 million.

Distribution of Royal ransomware

The threat actors behind Royal cyberattacks often use phishing and spear-phishing emails as well as callback phishing scams to disseminate the ransomware. A callback phishing scam dupes users into installing remote access malware that allows the ransomware gang to easily infiltrate the user’s machine. Additional attack vectors and initial access tactics include:

  • Embedding Royal code in malware threats like Batloader and IcedID
  • Using Trojans — legitimate software that has been weaponized with malware and that’s made available for download on authentic-looking sites
  • Abusing Remote Desktop Protocol (RDP) applications
  • Exploiting vulnerabilities in web-facing assets
  • Abusing business website contact forms to spread malicious links
  • Malvertising through Google ads

How Royal ransomware works

Once Royal ransomware has infected a victim’s IT environment, the ransomware operators use various tactics, techniques, and procedures (TTPs) to maximize the impact of the attack.

  • Evade defenses. To evade defenses, Royal uses tools like PCHunter and Process Hacker to manually uninstall antivirus products on the victim’s machines.

  • Perform reconnaissance. Using tools like NetScan, PsExec, and AdFind, Royal ransomware collects data about the victim’s Active Directory and connected systems. The Royal operators may also download additional second-stage payloads.

  • Escalate privileges. Attackers use lateral movement to harvest credentials from infected hosts and to compromise cloud service accounts.

  • Exfiltrate data. After identifying high-value targets during reconnaissance, Royal exfiltrates sensitive data using legitimate pen testing tools like Cobalt Strike.

  • Prevent recovery. Royal deletes volume shadow copies before encrypting files, preventing victims from using Windows System Restore to recover data.

  • Encrypts files. Royal encrypts files using a 64-bit executable written in C++ for encrypting files on Microsoft Windows systems. To evade anti-ransomware defenses, Royal uses partial encryption to encrypt a predetermined portion of file content. Royal also uses multiple threads to accelerate the encryption process. Encrypted files are marked with the file extension “.royal”.

  • Demand a ransom. Royal threat actors typically do not include ransom amounts in the initial ransom note. Instead, a README.txt file in each affected directory directs victims to a Tor-based portal for communication with the ransomware group.

Mitigating Royal ransomware

To prevent and detect Royal ransomware attacks, IT and security teams must adopt multiple layers of mitigations and defenses.

  • Microsegmentation: Narrowly segmenting networks and individual assets prevents attackers from moving laterally through the network, limiting the potential damage of a Royal ransomware attack.

  • Continuous monitoring: IT teams should monitor for the latest indicators of compromise and configure alerts for activation of Cobalt Strike and similar tools, and for disablement of any antivirus software.

  • Zero Trust architecture: Adopting a Zero Trust approach to security mitigates ransomware by requiring all users and devices to authenticate on every request and by strictly limiting access privileges.

  • Cybersecurity defenses: To achieve a strong cybersecurity posture, IT teams may deploy firewalls, antivirus software, anti-malware technology, email filtering, application allowlisting, and other defenses that are informed by up-to-the-minute threat intelligence.

  • Security audits: Regularly auditing and assessing security controls helps to identify and remediate vulnerabilities in the network.

  • Security training: Educating employees on best practices for cybersecurity hygiene can help them to spot and avoid phishing emails and other threats.

  • Backups: Regularly backing up data and keeping a copy in offline storage enables IT teams to quickly restore data in the event of an attack.

  • Identity and access management (IAM): Multi-factor authentication and the use of strong passwords prevents unauthorized access by ransomware operators.

  • Endpoint security: Endpoint detection and response (EDR) solutions monitor and restrict executable paths to minimize the risk of ransomware on individual devices like mobile phones, laptops, and PCs.

  • Updates and patches: To remediate vulnerabilities in software and operating systems that attackers may exploit, IT teams must adopt an optimal cadence for installing updates and applying patches.

Removing Royal ransomware

As with many other forms of ransomware, eradication requires IT teams to perform several key steps as part of a well-crafted incident response plan.

  • Isolate infected systems: Any infected machines or drives should immediately be disconnected from the internet, the network, and any other systems to prevent additional infection.

  • Contact professionals: Security firms that specialize in ransomware removal can offer expert support in the aftermath of a ransomware attack.

  • Identify the infection: By identifying the strain of ransomware, IT teams can determine the best way to eradicate the code and search for any potential decryption tools.

  • Remove the ransomware: Using special tools, IT teams may clean affected drives, remove exploit kits, and remediate any vulnerabilities that attackers may have used to reinstall the ransomware.

  • Recover data: IT teams can then restore files from a clean backup copy.

  • Contact authorities: The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) urge all victims to report ransomware incidents to local offices whether a ransom was paid or not.

A double extortion ransomware attack essentially combines ransomware with the threat of a data breach. Before they encrypt a victim’s files, attackers transfer valuable data and sensitive information to an external server and threaten to leak it if the ransom is not paid.

IOCs of Royal ransomware include .royal extensions added to filenames, detection of known malicious IP addresses and domains, and a README.txt ransom note left in directories of encrypted files.

Ransomware as a service (RaaS) is a business model in which ransomware operators “lease” their malware to other hackers for a percentage of the ransom proceeds. These “affiliates” can then carry out sophisticated attacks on victims, despite having little expertise or experience in conducting ransomware attacks.

Why customers choose Akamai

Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.

Explore all Akamai security solutions