Inception Security

Royal Ransomware Group

Since September 2022, the Royal ransomware variant has been used to compromise numerous U.S. and international organizations, causing significant disruption and financial loss.

This variant, which employs its own custom file encryption program, is believed to have evolved from earlier versions that used 'Zeon' as a loader. Its modus operandi is consistent and effective: after gaining access to the victim's network, Royal actors disable antivirus software, exfiltrate large volumes of data, and finally deploy the ransomware to encrypt the victim's systems.

The Royal actors have cast a wide net, targeting numerous critical infrastructure sectors, including Manufacturing, Communications, Healthcare and Public Health (HPH), and Education. The consequences of these attacks are far-reaching and can severely affect the operations and reputation of impacted organizations.

Royal ransomware uses a partial (intermittent) encryption technique that lets the operator choose what percentage of each file's data is encrypted. Choosing a lower percentage for larger files speeds up encryption and reduces the disk and CPU activity that behavioural detections key on, which helps the actors evade detection. Besides encrypting files, Royal actors employ double extortion: they threaten to publicly release the data they exfiltrated if the victim refuses to pay the ransom.
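The partial encryption described above also shapes how you hunt for it: an intermittently encrypted document is a mix of near-random blocks and ordinary low-entropy content rather than a uniformly high-entropy blob. The following Python is an added example, not Royal's code and not part of the original post. It constructs a sample plaintext, simulates chunked partial encryption with random bytes standing in for ciphertext (the 4 KiB block size, the even spacing of encrypted blocks and the entropy thresholds are assumptions for illustration), and classifies a file from the mix of per-block entropies.

```python
import math
import random
from collections import Counter

CHUNK = 4096  # scan granularity in bytes (assumption; tune to the file sizes you see)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or random data, roughly 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def make_sample_plaintext(chunks: int = 64) -> bytes:
    """Constructed low-entropy document standing in for a victim file (exactly `chunks` blocks)."""
    line = b"Quarterly report: revenue, operating costs, headcount, forecast.\n"
    return (line * (chunks * CHUNK // len(line) + 1))[: chunks * CHUNK]


def simulate_partial_encryption(plaintext: bytes, percent: int, seed: int = 7) -> bytes:
    """Simulation only (not Royal's algorithm): overwrite `percent` of the file's CHUNK-sized
    blocks, spread evenly across the file, with random bytes that stand in for ciphertext
    (properly implemented AES output is likewise close to 8 bits/byte)."""
    rnd = random.Random(seed)
    blocks = [plaintext[i:i + CHUNK] for i in range(0, len(plaintext), CHUNK)]
    n_enc = max(1, round(len(blocks) * percent / 100))
    step = len(blocks) / n_enc
    targets = {int(k * step) for k in range(n_enc)}
    return b"".join(rnd.randbytes(len(b)) if i in targets else b
                    for i, b in enumerate(blocks))


def chunk_entropies(data: bytes) -> list[float]:
    """Entropy of every CHUNK-sized block, in file order."""
    return [shannon_entropy(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)]


def classify(data: bytes, high: float = 7.0, low: float = 6.0) -> dict:
    """Triage verdict from how many blocks look encrypted and how many look like plain content.
    A file with both kinds is the partial-encryption signature; a file with only high-entropy
    blocks may be fully encrypted or simply compressed (zip, jpeg, ...)."""
    ents = chunk_entropies(data)
    n_high = sum(e >= high for e in ents)
    n_low = sum(e <= low for e in ents)
    if n_high == 0:
        verdict = "plaintext"
    elif n_low == 0:
        verdict = "fully-encrypted-or-compressed"
    else:
        verdict = "partially-encrypted"
    return {"blocks": len(ents), "high": n_high, "low": n_low,
            "encrypted_fraction": n_high / len(ents), "verdict": verdict}


if __name__ == "__main__":
    doc = make_sample_plaintext()
    for pct in (0, 10, 50, 100):
        sample = doc if pct == 0 else simulate_partial_encryption(doc, pct)
        print(pct, classify(sample))
```

Run over a real file tree, the verdict is a triage signal only: archives, media and already-encrypted formats produce high-entropy blocks legitimately, so pair the entropy scan with file-type checks and with the renamed extensions and ransom notes the actors leave behind, and treat a sudden rise in "partially-encrypted" files across a share as the alert.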

Tactics and Techniques

Initial Access

Royal actors gain initial access to victim networks in various ways, including:

  • Phishing: According to third-party reports, Royal actors most frequently gain initial access through successful phishing emails. Victims have unknowingly installed malware that delivers Royal ransomware after opening phishing emails containing malicious PDF documents, or via malvertising.

  • Remote Desktop Protocol (RDP): RDP compromise is the second most common vector Royal actors use for initial access.

  • Public-facing applications: FBI observations reveal that Royal actors gain initial access by exploiting public-facing applications such as Citrix Gateways.

  • Brokers: Reports from trusted third-party sources suggest Royal actors may leverage brokers to gain initial access and source traffic by harvesting VPN credentials from stealer logs.

Command and Control

After gaining access to the network, Royal actors communicate with command and control (C2) infrastructure and download multiple tools. Royal operators repurpose legitimate Windows software to strengthen their foothold in the victim's network. They have recently been observed using Chisel, a TCP/UDP tunnelling tool that carries traffic over HTTP and secures it with SSH, to communicate with their C2 infrastructure.

Lateral Movement and Persistence

Royal actors often use RDP to move laterally across the network; the Microsoft Sysinternals tool PsExec has also been used to aid lateral movement. The FBI has observed Royal actors using remote monitoring and management (RMM) software, such as AnyDesk, LogMeIn, and Atera, for persistence in the victim's network. In some cases the actors moved laterally to the domain controller by logging on remotely with a legitimate admin account.

Exfiltration

Royal actors exfiltrate data from victim networks by repurposing legitimate penetration-testing tools, such as Cobalt Strike, and malware and its derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration.

Encryption

Before starting encryption, Royal actors use the Windows Restart Manager to determine whether targeted files are currently in use or locked by other applications. They also run the Volume Shadow Copy administration tool (vssadmin.exe) to delete shadow copies and prevent recovery from them. The FBI has found numerous batch (.bat) files on impacted systems, typically stored as encrypted 7zip archives.
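Several of the behaviours in the Lateral Movement and Persistence section and in the paragraph above are visible in Windows Security event logs: RDP logons (Event ID 4624, logon type 10) fanning out from one account to many hosts and reaching a domain controller, vssadmin deleting shadow copies, and the PsExec service binary or RMM agents launching (Event ID 4688). The following Python is an added example, not code from the original post or from the advisory. The events are constructed, and the domain-controller host name, the fan-out threshold and window, and the watched binary names (PSEXESVC.exe for PsExec; AnyDesk.exe, AteraAgent.exe and LogMeIn.exe for the RMM tools) are assumptions to replace with your own environment's values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for the constructed environment (replace with real values).
DOMAIN_CONTROLLERS = {"DC01"}
RDP_FANOUT_THRESHOLD = 3             # distinct RDP targets per account ...
RDP_WINDOW = timedelta(minutes=15)   # ... within this window
WATCHED_BINARIES = {"psexec.exe", "psexesvc.exe", "anydesk.exe", "ateraagent.exe", "logmein.exe"}
# vssadmin[.exe] ... delete ... shadows, any casing, any switches (/all /quiet, /for=...)
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)


def ev(time, computer, event_id, **fields):
    """Build one normalised event record as a SIEM would present it."""
    return {"Time": time, "Computer": computer, "EventID": event_id, **fields}


# Constructed sample: 4624 = logon (LogonType 10 = RDP), 4688 = process creation.
SAMPLE_EVENTS = [
    ev("2023-05-01T09:00:00", "WS01", 4624, TargetUserName="j.doe", LogonType=10),
    ev("2023-05-01T09:01:00", "WS02", 4624, TargetUserName="m.smith", LogonType=10),
    ev("2023-05-01T09:02:00", "WS03", 4624, TargetUserName="j.doe", LogonType=2),
    ev("2023-05-01T09:04:00", "FS01", 4624, TargetUserName="j.doe", LogonType=10),
    ev("2023-05-01T09:05:00", "WS01", 4688,
       NewProcessName=r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", CommandLine="AnyDesk.exe"),
    ev("2023-05-01T09:06:00", "FS01", 4688,
       NewProcessName=r"C:\Windows\System32\vssadmin.exe", CommandLine="vssadmin list shadows"),
    ev("2023-05-01T09:09:00", "WS07", 4624, TargetUserName="j.doe", LogonType=10),
    ev("2023-05-01T09:10:00", "WS07", 4688,
       NewProcessName=r"C:\Windows\PSEXESVC.exe", CommandLine="PSEXESVC.exe"),
    ev("2023-05-01T09:12:00", "FS01", 4688,
       NewProcessName=r"C:\Windows\System32\vssadmin.exe",
       CommandLine="vssadmin.exe  Delete Shadows /All /Quiet"),
    ev("2023-05-01T09:13:00", "WS02", 4688,
       NewProcessName=r"C:\Windows\System32\notepad.exe", CommandLine="notepad.exe"),
    ev("2023-05-01T09:20:00", "DC01", 4624, TargetUserName="j.doe", LogonType=10),
]


def _rdp_logons(events):
    return [e for e in events if e["EventID"] == 4624 and e.get("LogonType") == 10]


def detect_rdp_fanout(events):
    """One account opening RDP sessions to >= RDP_FANOUT_THRESHOLD distinct hosts within RDP_WINDOW."""
    by_user = defaultdict(list)
    for e in _rdp_logons(events):
        by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["Time"]), e["Computer"]))
    alerts = []
    for user, logons in by_user.items():
        logons.sort()
        for t0, _ in logons:  # slide the window from each logon
            hosts = {h for t, h in logons if t0 <= t <= t0 + RDP_WINDOW}
            if len(hosts) >= RDP_FANOUT_THRESHOLD:
                alerts.append((user, sorted(hosts)))
                break
    return alerts


def detect_dc_rdp(events):
    """Any RDP logon to a domain controller; the actors did this with legitimate admin accounts."""
    return [(e["TargetUserName"], e["Computer"]) for e in _rdp_logons(events)
            if e["Computer"].upper() in DOMAIN_CONTROLLERS]


def detect_shadow_copy_deletion(events):
    """vssadmin deleting shadow copies (needs command-line auditing enabled for 4688)."""
    return [(e["Computer"], e["CommandLine"]) for e in events
            if e["EventID"] == 4688 and SHADOW_DELETE.search(e.get("CommandLine", ""))]


def detect_watched_binaries(events):
    """PsExec's service binary and RMM agents starting on endpoints, matched on image name."""
    hits = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        name = e.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        if name in WATCHED_BINARIES:
            hits.append((e["Computer"], name))
    return hits


def run_all(events=SAMPLE_EVENTS):
    return {
        "rdp_fanout": detect_rdp_fanout(events),
        "dc_rdp": detect_dc_rdp(events),
        "shadow_copy_deletion": detect_shadow_copy_deletion(events),
        "watched_binaries": detect_watched_binaries(events),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(f"{rule}: {hits}")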

Malicious files have been found in victim networks in the following directories:


Tools Used by Royal Actors

The Royal Actors are known for deploying various tools in their operations, ranging from Remote Access Trojans (RATs) to ransomware executables. Their diverse toolkit enables them to carry out complex attacks and easily evade detection. Some of the primary tools utilized include:

  • AV Tamper: Used to disable or hinder antivirus software, enhancing the threat actor's evasion capabilities.

  • TCP/UDP Tunnel over HTTP (Chisel): A fast TCP/UDP tunnel carried over HTTP and secured with SSH, used to tunnel traffic between the victim network and C2 infrastructure through firewalls and proxies.

  • Ursnif/Gozi: A notorious banking Trojan used to steal banking credentials and other sensitive information.

  • Exfil: Used to exfiltrate data from compromised systems.

  • Remote Access (AnyDesk, SplashTop, Atera): Legitimate remote desktop and RMM software installed to keep persistent, hands-on access to compromised systems.

  • PowerShell Toolkit Downloader: Used to download and execute additional malicious scripts or payloads.

  • PsExec (Microsoft Sysinternals): A Microsoft tool repurposed to execute processes on other systems.

  • Keep Host Unlocked (Don’t Sleep): Used to prevent systems from going into sleep mode, ensuring uninterrupted malicious activities.

  • Ransomware Executable (sys.exe): Encrypts data on infected systems, followed by a ransom demand.

  • Windows Command Line (NirCmd): A multipurpose command-line utility used to perform various system-level operations.

  • System Management (NSudo): A utility used to run commands with SYSTEM- or TrustedInstaller-level privileges.

  • Impacket: An open-source collection of Python classes for working with Windows network protocols (SMB, WMI and others), used by threat actors for remote execution and to deploy tooling on other hosts.

Staying Secure Against the Threat

As we can see, the Royal Actors' tactics are comprehensive and diverse, making them a formidable threat to businesses of all sizes. However, you can significantly mitigate their potential impact with a robust security strategy.

Here are some steps your organization can take to protect against this threat:

  1. Regularly Patch and Update Systems: Ensure your software, especially public-facing applications such as remote-access gateways, is always up to date with the latest patches. This prevents attackers from exploiting known vulnerabilities for initial access.

  2. Implement a Strong Email Security Policy: Given the Royal Actors' reliance on spear phishing, a stringent email security policy is crucial. This includes training employees to recognize phishing attempts and implementing email filtering solutions to catch malicious emails.

  3. Restrict Privileges and Monitor Account Activity: Minimize the number of accounts with high privileges and monitor their activity. Unusual behavior, such as creating new admin accounts, can signify a breach.

  4. Invest in Robust Security Solutions: Use security solutions that detect and block the tools used by Royal actors, including antivirus/EDR software, intrusion detection systems, and firewalls. Because compromised RDP and harvested VPN credentials are among their main initial access vectors, also require multi-factor authentication on RDP and VPN access and do not expose RDP directly to the internet.

  5. Regular Backups and Disaster Recovery Plans: Regularly back up important data, keep copies offline or otherwise immutable, and test restores. Royal actors delete Volume Shadow Copies before encrypting, so on-host snapshots alone will not save you. A rehearsed disaster recovery plan limits the impact of an attack.

  6. Maintain and Analyze System Logs: Regularly reviewing and analyzing system and security logs can help identify malicious activities early on.


In conclusion, the threat landscape continues to evolve, with cybercriminals adapting their tactics and improving their malicious software to increase the effectiveness and reach of their attacks. The Royal ransomware group is a testament to this fact, demonstrating an evolution in ransomware capabilities that organizations must adapt to confront. Dealing with such evolving threats requires proactive cybersecurity measures and a comprehensive understanding of the strategies and tactics employed by threat actors. This is where Inception Security can be your most trusted ally. We can help your organization build robust defenses against Royal ransomware and similar threats. From initial access to data exfiltration, our solutions and services are designed to address every stage of a cyberattack, ensuring maximum protection for your critical data and infrastructure. With Inception Security, you can navigate the evolving cyber threat landscape with confidence and resilience.

