Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

U.S. Cybersecurity Agency Raises Alarm Over Royal Ransomware's Deadly Capabilities

Mar 03, 2023Ravie LakshmananEndpoint Security / Ransomware

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a new advisory about Royal ransomware, which emerged in the threat landscape last year.

“After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems,” CISA said.

The custom ransomware program, which has targeted U.S. and international organizations since September 2022, is believed to have evolved from earlier iterations that were dubbed Zeon.

What’s more, it’s said to be operated by seasoned threat actors who used to be part of Conti Team One, cybersecurity company Trend Micro disclosed in December 2022.

The ransomware group employs call back phishing as a means of delivering their ransomware to victims, a technique widely adopted by criminal groups that splintered from the Conti enterprise last year following its shutdown.

Other modes of initial access include remote desktop protocol (RDP), exploitation of public-facing applications, and via initial access brokers (IABs).

Ransom demands made by Royal vary from $1 million to $11 million, with attacks targeting a variety of critical sectors, including communications, education, healthcare, and manufacturing.

“Royal ransomware uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt,” CISA noted. “This approach allows the actor to lower the encryption percentage for larger files, which helps evade detection.”

Discover the Latest Malware Evasion Tactics and Prevention Strategies

Ready to bust the 9 most dangerous myths about file-based attacks? Join our upcoming webinar and become a hero in the fight against patient zero infections and zero-day security events!


The cybersecurity agency said multiple command-and-control (C2) servers associated with Qakbot have been utilized in Royal ransomware intrusions, although it’s currently undetermined if the malware exclusively relies on Qakbot infrastructure.

The intrusions are also characterized by the use of Cobalt Strike and PsExec for lateral movement, as well as relying on the Windows Volume Shadow Copy Service to delete shadow copies to prevent system recovery. Cobalt Strike is further repurposed for data aggregation and exfiltration.

As of February 2023, Royal ransomware is capable of targeting both Windows and Linux environments. It has been linked to 19 attacks in the month of January 2023 alone, putting it behind LockBit, ALPHV, and Vice Society.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related News

Researcher create polymorphic Blackmamba malware with ChatGPT

Researcher create polymorphic Blackmamba malware with ChatGPT

The malware can target Windows, macOS and Linux devices. HYAS Institute researcher and cybersecurity expert, Jeff Sims, has developed a…
Owner of Breach Forums Pompompurin Arrested in New York

Owner of Breach Forums Pompompurin Arrested in New York

Pompompurin has been charged with a single count of conspiracy to commit access device fraud. Conor Brian Fitzpatrick (aka Pompompurin,…
New Vishing Attack Spreading FakeCalls Android Malware

New Vishing Attack Spreading FakeCalls Android Malware

The attack scheme begins with the FakeCalls malware masquerading as an online banking application of a reputable South Korean financial…