
How Royal Ransomware is Spreading its Wings and How to Prevent It

Ransomware attacks have become more prevalent in recent years, and Royal Ransomware is one of the most notorious threats. It is malware that encrypts the victim’s files and demands a ransom payment in exchange for the decryption key. Royal Ransomware has been in circulation since 2016 and has been spreading its wings ever since. In this article, we discuss the background of Royal Ransomware, its exploitation Tactics, Techniques, and Procedures (TTPs), and how to prevent Royal Ransomware attacks.

Background of Royal Ransomware:

Royal Ransomware is file-encrypting malware that emerged in 2016. It is a variant of Cerber Ransomware, a ransomware family that has been active since 2016. Royal Ransomware is known for its high level of sophistication and its ability to evade traditional security measures. The attackers behind Royal Ransomware use various techniques to infect their victims, such as phishing emails, malvertising, and exploit kits.

According to CISA: “Since approximately September 2022, cyber criminals have compromised U.S. and international organizations with a Royal ransomware variant. FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used “Zeon” as a loader. Royal actors have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin. In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL (reachable through the Tor browser).”

Royal Ransomware Note

Exploitation Tactics, Techniques, and Procedures (TTPs) of Royal Ransomware:

The attackers behind Royal Ransomware use a range of tactics, techniques, and procedures to infect their victims and evade detection. Some of the TTPs associated with Royal Ransomware are:

  • Phishing emails [T1566]:

The attackers behind the Royal Ransomware use phishing emails to lure their victims into clicking on a malicious link or downloading a malicious attachment. The emails are usually disguised as legitimate emails from reputable organizations, such as banks, government agencies, or well-known brands.

  • Malvertising:

Malvertising is a type of online advertising that delivers malware to the victim’s computer when they click on a malicious ad. The attackers behind the Royal Ransomware use malvertising to spread their malware to a large number of victims quickly.

  • Exploit kits:

Exploit kits are toolkits that attackers use to take advantage of vulnerabilities in the victim’s computer. The attackers behind Royal Ransomware use exploit kits to infect their victims’ computers with malware.

  • Public-facing applications:

The FBI has also observed Royal actors gaining initial access by exploiting public-facing applications [T1190].

  • Remote Desktop Protocol (RDP) attacks [T1021.001]:

The attackers behind Royal Ransomware also use RDP attacks to gain access to the victim’s computer. RDP is a protocol that allows users to remotely access a computer over a network connection. The attackers use brute-force attacks to guess the victim’s RDP credentials and gain access to the computer.

Here are some identified Royal actor ATT&CK Techniques for Enterprise (source: CISA):

Initial Access

| Technique Title | ID | Use |
|---|---|---|
| Exploit Public-Facing Application | T1190 | The actors gain initial access through public-facing applications. |
| Phishing: Spearphishing Attachment | T1566.001 | The actors gain initial access through malicious PDF attachments sent via email. |
| Phishing: Spearphishing Link | T1566.002 | The actors gain initial access using malvertising links via emails and public-facing sites. |
| External Remote Services | T1133 | The actors gain initial access through a variety of RMM software. |

Command and Control

| Technique Title | ID | Use |
|---|---|---|
| Ingress Tool Transfer | T1105 | The actors used C2 infrastructure to download multiple tools. |
| Protocol Tunneling | T1572 | The actors used an encrypted SSH tunnel to communicate within C2 infrastructure. |

Privilege Escalation

| Technique Title | ID | Use |
|---|---|---|
| Valid Accounts: Domain Accounts | T1078.002 | The actors used encrypted files to create new admin user accounts. |

Defense Evasion

| Technique Title | ID | Use |
|---|---|---|
| Impair Defenses: Disable or Modify Tools | T1562.001 | The actors deactivated antivirus protocols. |
| Domain Policy Modification: Group Policy Modification | T1484.001 | The actors modified Group Policy Objects to subvert antivirus protocols. |
| Indicator Removal: Clear Windows Event Logs | T1070.001 | The actors deleted shadow files and system and security logs after exfiltration. |
| Remote Desktop Protocol | T1021.001 | The actors used valid accounts to move laterally through the domain controller using RDP. |
| Automated Collection | T1119 | The actors used registry keys to auto-extract and collect files. |

Impact

| Technique Title | ID | Use |
|---|---|---|
| Data Encrypted for Impact | T1486 | The actors encrypted data to determine which files were being used or blocked by other applications. |
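Two of the behaviours above, RDP brute force (T1021.001) and the clearing of event logs and deletion of shadow copies (T1070.001), leave Windows event records that a defender can alert on. The following is an added detection example written for this article, not code from CISA or NetSecurity; the event records are constructed, and the field names (ts, id, logon_type, src_ip, user, cmdline) are assumptions standing in for whatever a SIEM normalises them to.

```python
"""Detection logic for two Royal TTPs described above: RDP brute force (T1021.001)
and event-log / shadow-copy deletion (T1070.001). All events are constructed."""
from collections import defaultdict

# Constructed Windows event records, reduced to the fields the rules need.
# 4625 failed logon, 4624 successful logon (logon_type 10 = RDP), 4688 process
# creation, 1102 Security log cleared, 104 System log cleared.
SAMPLE_EVENTS = [
    {"ts": 100, "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"},
    {"ts": 101, "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"ts": 102, "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"ts": 103, "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "svc_sql"},
    {"ts": 104, "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "jsmith"},
    {"ts": 130, "id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "jsmith"},
    {"ts": 140, "id": 4625, "logon_type": 10, "src_ip": "192.0.2.9", "user": "jdoe"},  # one typo
    {"ts": 141, "id": 4624, "logon_type": 10, "src_ip": "192.0.2.9", "user": "jdoe"},
    {"ts": 900, "id": 4688, "user": "jsmith", "cmdline": "vssadmin.exe delete shadows"},
    {"ts": 905, "id": 1102, "user": "jsmith"},
]

def detect_rdp_bruteforce(events, threshold=5, window=300):
    """Flag a source IP with >= threshold RDP failures inside `window` seconds, and
    record the account if the same IP then logs on successfully (T1021.001)."""
    fails, alerts = defaultdict(list), {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e.get("logon_type") != 10:
            continue
        ip = e["src_ip"]
        fails[ip] = [t for t in fails[ip] if e["ts"] - t <= window]  # slide the window
        if e["id"] == 4625:
            fails[ip].append(e["ts"])
            if len(fails[ip]) >= threshold:
                alerts.setdefault(ip, {"src_ip": ip, "success_user": None})
                alerts[ip]["failures"] = len(fails[ip])
        elif e["id"] == 4624 and ip in alerts and fails[ip]:
            alerts[ip]["success_user"] = e["user"]  # brute force followed by success
    return list(alerts.values())

def detect_log_and_shadow_tampering(events):
    """Flag event-log clearing and shadow-copy deletion (T1070.001 and the
    'deleted shadow files' behaviour in the table)."""
    hits = []
    for e in events:
        if e["id"] in (1102, 104):
            hits.append(("event_log_cleared", e["id"], e.get("user")))
        elif e["id"] == 4688:
            cmd = e.get("cmdline", "").lower()
            if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
                hits.append(("shadow_copies_deleted", e["id"], e.get("user")))
    return hits
```

The single failed logon from 192.0.2.9 stays below the threshold, while the five failures followed by a success from 203.0.113.7 produce one alert that names the account the attacker finally got into.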


How To Prevent Royal Ransomware Attacks:

In addition to maintaining regular backups, implementing multifactor authentication, and disabling unused ports, an advanced threat detection and prevention solution such as ThreatResponder is necessary.

NetSecurity’s ThreatResponder is a comprehensive, cloud-native solution that provides organizations with an all-in-one solution for preventing cyber attacks. Some of the key features of ThreatResponder include:

  • Endpoint Security: ThreatResponder includes robust endpoint security capabilities that help protect against threats and prevent data loss.
  • Threat Hunting: The solution includes a threat hunting capability that enables organizations to proactively search for and identify potential threats.
  • Forensic Investigation: ThreatResponder provides a comprehensive forensic investigation capability that helps organizations understand the root cause of a cyber attack and respond accordingly.
  • Vulnerability Management: ThreatResponder includes a vulnerability management capability that helps organizations identify and remediate vulnerabilities in their systems.
  • Real-Time Access to Endpoints: The solution provides real-time access to endpoints, enabling organizations to quickly and effectively respond to threats and contain them.
  • Threat Intelligence: ThreatResponder provides real-time threat intelligence that helps organizations stay ahead of the latest cyber threats.

In addition to these features, ThreatResponder also provides advanced analytics capabilities that help organizations quickly identify and respond to potential threats. The solution is designed to be easy to use, allowing organizations to quickly implement and start using it to prevent cyber attacks.

Want to see ThreatResponder, our cutting-edge Endpoint Detection & Response (EDR), and ThreatResponder FORENSICS, the Swiss Army knife for forensic investigators, in action? Request a free demo of NetSecurity’s ThreatResponder platform.


The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that NETSECURITY CORPORATION copyrights the contents of this page. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).