{
	"id": "ccc8f6b2-8fa0-4dbb-a4fd-d621edd83e92",
	"created_at": "2026-04-06T00:16:43.859957Z",
	"updated_at": "2026-04-10T03:23:51.191146Z",
	"deleted_at": null,
	"sha1_hash": "10fde5c290527d2a118f274116cdd29407ecdb22",
	"title": "Royal Ransomware Deep Dive",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2243491,
	"plain_text": "Royal Ransomware Deep Dive\r\nPublished: 2023-02-13 · Archived: 2026-04-05 18:43:19 UTC\r\nThe threat actor group behind Royal ransomware first appeared in January 2022, pulling together actors\r\npreviously associated with Roy/Zeon, Conti and TrickBot malware. Originally known as “Zeon” before renaming\r\nthemselves “Royal” in September 2022, they are not considered a ransomware-as-a-service (RaaS) operation\r\nbecause their coding/infrastructure are private and not made available to outside actors. Since the start of 2023,\r\nthey have escalated their attacks to focus on top tier corporations for larger ransoms. Their ransoms reportedly\r\nrange from $250,000 to over $2 million. Although known for using the double extortion method of both\r\nencrypting and exfiltrating data, as of this writing the group does not have a data leak site where they publish the\r\nnames of their victims.\r\nUntil recently, the Royal group was observed primarily targeting systems running Windows operating system;\r\nhowever, reports surfaced in February 2023 of a variant able to compromise Linux/virtual machines.\r\nTo gain initial access into a victim network, the group has seemed to favor call-back phishing ploys, often\r\nimpersonating food delivery or software providers needing subscription renewals. After a victim calls the\r\ntelephone number in the phishing email to dispute/cancel the supposed subscription, the victim is persuaded by the\r\nthreat actor to install remote access software on their computer, thereby providing the actors with initial access to\r\ntheir organization’s network.\r\nOpen and closed-source intelligence has also reported the group exploiting web vulnerabilities to compromise\r\nnetworks, indicating a potentially greater level of sophistication than the call-back scheme suggests. 
Another\r\ninitial access method associated with the group is the abuse of Google Ads to deliver malware: users browsing the\r\ninternet click on ads they believe to be legitimate, but ultimately lead to downloads of BatLoader, a multifaceted\r\ninitial access malware. Other tools utilized by Royal include the post exploitation framework Cobalt Strike for\r\npersistent access along with PowerSploit, common remote access tools and exfiltration tools such as MegaCMD\r\nand SharpExfiltrate.\r\nKroll Case Study\r\nhttps://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive\r\nPage 1 of 12\n\nFigure 1 - Tactics, Techniques and Procedures (TTPs) of Recent Royal Ransomware Investigation\r\nInitial Exploit\r\nIn one incident, Kroll’s review of the available evidence suggested that the Royal ransomware actors likely gained\r\naccess into the environment by purchasing their way in from an unrelated actor; many actors are known to serve\r\nas “brokers” for such access. Kroll determined that a renamed version of the remote access and management\r\nsoftware NetSupport Manager was installed during a previous incident on the victim’s network. In Kroll’s\r\nexperience investigating similar attack patterns, a phishing email most likely delivered an .iso file for the\r\nsoftware; however, due to the passage of time and normal rollover of logs, no remnant of a potential phishing\r\nemail existed at the time of the investigation. In Kroll’s experience, the time between the initial installation of the\r\nremote access tool and when it was ultimately used by Royal ransomware actors indicated that the software was\r\nnot installed by the ransomware actors, but rather they purchased the access.\r\nMITRE ATT\u0026CK: T1588: Obtain Capabilities\r\nInternal Scouting\r\nKroll observed the Royal actors using the network scanning tool Netscan to identify network shares and other\r\nnetwork information. 
While Netscan is legitimate open-source software, many threat actors are known to use it for\r\nreconnaissance because the tool is lightweight and provides an extensive suite of network scanning capabilities.\r\nADFind was also identified as a method to enumerate domain members and groups. In addition, the threat actors\r\nused batch scripts to ping, or identify, other systems on the network, along with common commands such as “net\r\nuser” and “net localgroup” to gain an understanding of the environment.\r\nMITRE ATT\u0026CK: T1087: Account Discovery\r\nMITRE ATT\u0026CK: T1016: System Network Configuration Discovery\r\nMITRE ATT\u0026CK: T1135: Network Share Discovery\r\nToolkit Deployment\r\nThe Royal threat actors leveraged legitimate remote access tools such as Splashtop, Atera Agent and AnyDesk to\r\nmaintain command and control (C2) within the environment. The use of all of these tools is not uncommon, as\r\nthey provide guaranteed persistence by ensuring a number of channels are available for re-entry. 
The actors\r\nadditionally deployed Cobalt Strike to maintain control via an HTTPS malleable C2 configuration, commonly\r\nwith recently registered domains (Figure 2).\r\n\"HttpPostUri\": \"/jquery-3.3.2.min.js\",\r\n\"Malleable_C2_Instructions\": [\r\n \"Remove 1522 bytes from the end\",\r\n \"Remove 84 bytes from the beginning\",\r\n \"Remove 3931 bytes from the beginning\",\r\n \"Base64 URL-safe decode\",\r\n \"XOR mask w/ random key\"\r\n ],\r\nFigure 2 - Malleable Cobalt Strike C2 Configuration\r\nMITRE ATT\u0026CK: T1219: Remote Access Software\r\nMITRE ATT\u0026CK: T1001: Data Obfuscation\r\nMITRE ATT\u0026CK: T1573.001: Encrypted Channel: Symmetric Cryptography\r\nTo enable the deployment of the ransomware, Royal actors are known to disable antivirus software, such as\r\nMicrosoft Defender, with PowerShell commands (Figure 3) as well as tools such as PowerTool64.exe and GMER\r\nto remove endpoint detection and response (EDR) software. Both GMER and PowerTool64 are designed to\r\nremove rootkit type malware, but can also be used maliciously to remove applications at the kernel level. 
These\r\ntools can prevent the creation of handles, threads and processes from software such as EDR, which in turn can\r\nprevent the detection of other malicious tools.\r\nC:\\Windows\\system32\\windowspowershell\\v1.0\\powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring\r\nFigure 3 - PowerShell Command to Disable Windows Defender\r\nMITRE ATT\u0026CK: T1562.001: Impair Defenses: Disable or Modify Tools\r\nEscalation\r\nOur investigators observed the threat actors leveraging the common post exploitation tool PowerSploit, in\r\nparticular via the Find-LocalAdminAccess module, in order to identify machines where the current user has local\r\nadministrator privileges (Figures 4 and 5).\r\npowershell -nop -exec bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbA\r\nFigure 4 - PowerShell PowerSploit Execution\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:18015/'); Find-LocalAdminAccess\r\nFigure 5 - PowerSploit Find-LocalAdminAccess\r\nMITRE ATT\u0026CK: T1087.001: Account Discovery: Local Account\r\nLateral Movement\r\nRoyal actors leverage the information gained from PowerSploit to navigate around the network via Remote\r\nDesktop Protocol (RDP) before installing remote access tools and disabling antivirus/EDR as they land on new\r\ndevices. Cobalt Strike is also used to pass explicit credentials to conduct activities across the network.\r\nMITRE ATT\u0026CK: T1021.001: Remote Services: Remote Desktop Protocol\r\nMission Execution\r\nAs Royal actors employ the double extortion strategy, one of their main aims is to identify and exfiltrate sensitive\r\ninformation. 
The group uses a number of tools to extract files to cloud storage stealthily via automations,\r\nincluding SharpExfiltrate and Megacmd.exe.\r\nMITRE ATT\u0026CK: T1537: Transfer Data to Cloud Account\r\nMITRE ATT\u0026CK: T1020: Automated Exfiltration\r\nOnce data is exfiltrated, Royal actors will then execute the ransomware binary. This is typically undertaken by a\r\nbatch script that lists computers, the unique identification key and the percentage of file encryption to use in\r\nvalues between 1 and 100 (Figure 6).\r\nstart locker.exe -ep 5 -id -path \\\\ENDPOINT.DOMAIN.COM\\C$\r\nstart locker.exe -ep 5 -id -path \\\\ENDPOINT2.DOMAIN.COM\\C$\r\nstart locker.exe -ep 5 -id -path \\\\ENDPOINT3.DOMAIN.COM\\C$\r\nFigure 6 - Example Batch Script to Launch the Ransomware Binary\r\nMITRE ATT\u0026CK: T1059.003: Command and Scripting Interpreter: Windows Command Shell\r\nMITRE ATT\u0026CK: T1064: Scripting\r\nThe analyzed sample depicted in Figure 7 is a 32-bit Portable Executable written in C++; Kroll’s malware analysis\r\nteam was able to determine the exact date and time when this was compiled. When run from the command line,\r\nthe ransomware accepts three arguments:\r\n-path (the path to be encrypted)\r\n-id (a 32-character alphanumeric ID unique to the victim, which will also be appended to the Tor URL)\r\n-ep (percentage of the file to be encrypted. It accepts values between 1 and 100, and if a value is given that\r\nis not in the range 1-100, the ransomware will encrypt 50%)\r\nFigure 7 - Ransomware Configuration Detailing Command Arguments\r\nAfter parsing the command line arguments, the ransomware deletes the Volume Shadow Copies to prevent\r\nrestoration (Figure 8). 
It achieves this by creating a new vssadmin.exe process with the argument \"delete shadows\r\n/all /quiet\".\r\nFigure 8 - Ransomware Configuration Detailing Volume Shadow Copy Deletion\r\nThe ransomware ensures that the -id parameter is 32 characters long and that the current path does not contain\r\ncertain file extensions (such as .exe, .dll or .bat) or already encrypted files (with extension .royal). It then proceeds\r\nwith the encryption routine, which uses Advanced Encryption Standard (AES). It finally writes the ransom note in\r\na file named “README.TXT” (Figure 9). The note’s text is contained within the .rdata section of the executable,\r\nalong with the RSA public key and other strings used by the program.\r\nHello!\r\nIf you are reading this, it means that your system were hit by Royal ransomware.\r\nPlease contact us via :\r\nhttp[:]//royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid[.]onion/\r\nIn the meantime, let us explain this case.It may seem complicated, but it is not!\r\nMost likely what happened was that you decided to save some money on your security infrastructure.\r\nAlas, as a result your critical data was not only encrypted but also copied from your systems on a secure server\r\nFrom there it can be published online.Then anyone on the internet from darknet criminals, ACLU journalists, Chin\r\nand even your employees will be able to see your internal documentation: personal data, HR reviews, internal law\r\nFortunately we got you covered!\r\nRoyal offers you a unique deal.For a modest royalty(got it; got it ? 
) for our pentesting services we will not o\r\ncovering you from reputational, legal, financial, regulatory, and insurance risks, but will also provide you wit\r\nTo put it simply, your files will be decrypted, your data restored and kept confidential, and your systems will\r\nTry Royal today and enter the new era of data security!\r\nWe are looking to hearing from you soon!\r\nFigure 9 - Ransom Note README.TXT Created by the Ransomware Binary\r\nThe link within the ransom note directs the victim to a simple chat portal for the victim to negotiate the ransom\r\n(Figure 10).\r\nMITRE ATT\u0026CK: T1486: Data Encrypted for Impact\r\nMITRE ATT\u0026CK: T1490: Inhibit System Recovery\r\nFigure 10 - Royal Negotiation Site on Tor (Source: Bleeping Computer)\r\nIf a ransom is not agreed, the actors claim they will post the victim’s exfiltrated information on their data leak site.\r\nWhile no data leak site for Royal has been identified as of this writing, similar threat actor groups often post a\r\nsummary of the victim, along with a link to view/download the collected victim data.\r\nMitre ATT\u0026CK Mapping\r\nTactic Technique Procedure\r\nTA0042 T1588 Obtain capabilities\r\nTA0001 T1078 Valid accounts\r\nTA0002 T1059 Command and scripting interpreter\r\nT1064 Scripting\r\nTA0003 T1078 Valid accounts\r\nTA0004 T1078 Valid accounts\r\nTA0005 T1562 Impair defenses: disable or modify tools\r\nTA0007\r\nT1049 System network connections discovery\r\nT1087 Account discovery\r\nT1135 Network share discovery\r\nTA0008 T1021 Remote services\r\nTA0009 T1005 Data from local system\r\nTA0011\r\nT1219 Remote access software\r\nT1573.001 Encrypted channel: symmetric cryptography\r\nT1001 Data obfuscation\r\nTA0010\r\nT1567.002 Exfiltration over web service: exfiltration to 
cloud storage\r\nT1020 Automated exfiltration\r\nTA0040 T1490 Inhibit system recovery\r\nT1486 Data encrypted for impact\r\nRecommendations\r\nKroll has identified recommendations relating to this alert:\r\nRecommendation Observation\r\nMonitor PowerShell execution\r\nEnsure PowerShell is logged and create\r\ndetections for encoded script execution.\r\nThe threat actor utilized Cobalt Strike. Monitoring PowerShell\r\nexecution can identify malicious activity associated with Cobalt\r\nStrike.\r\nAudit user, administrator and service\r\naccounts\r\nEnsure accounts have the correct access\r\nand privileges. Implement the principle of\r\nleast privilege.\r\nThe threat actor is often able to install tools on user endpoints.\r\nLimiting the privileges of users can prevent a threat actor from\r\ninstalling malicious software.\r\nImplement multifactor authentication\r\nMultifactor authentication can restrict\r\naccess to sensitive areas and can prevent\r\nlateral movement.\r\nEnabling multifactor authentication can prevent a threat actor\r\nfrom moving laterally and accessing sensitive data.\r\nReview backup strategies\r\nEnsure multiple backups are taken and at\r\nleast one backup is isolated from the\r\nnetwork.\r\nAs a ransomware actor’s main aim is to disrupt business,\r\nensuring a viable backup and recovery strategy is in place can\r\nallow a business to recover quickly.\r\nReview remote access tools\r\nWhitelist and limit the use of multiple\r\nremote access tools within the network.\r\nThreat actors leverage legitimate remote access tools to\r\nmaintain persistence. 
Ensure remote access is monitored and\r\nthat only approved remote access tools exist in the environment.\r\nIndicators of Compromise\r\nThe following files and hashes have been identified for the incident.\r\nFile Name MD5 Hash Value\r\nlocker.exe B93FA14627F73DE3274BA15503C916B0\r\nSharpeExfiltrate.exe 2F5D60C2475B723526FBDADEFF55C3C7\r\nMEGACmd.exe 9FB7D7A1F50541917972115B7D8265B4\r\nGmer.exe 60BF4AE8CC40B0E3E28613657ED2EED8\r\nPowerTool64.exe FB8535E2BD80CC8044C52A3ED82D390D\r\nAnydesk.exe 7CF4B655453D28F246C815A953F48936\r\nTeamViewer.exe 4F926252E22AFA85E5DA7F83158DB20F\r\nSupport.exe 5A24676210BD317520FE30D048C9A106\r\nThe following external IP addresses were observed during the incident:\r\nIP Address Comment\r\n23.106.215[.]16 Cobalt Strike C2\r\n64.44.102[.]176 Cobalt Strike C2\r\nSource: https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive"
	],
	"report_names": [
		"royal-ransomware-deep-dive"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434603,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/10fde5c290527d2a118f274116cdd29407ecdb22.pdf",
		"text": "https://archive.orkl.eu/10fde5c290527d2a118f274116cdd29407ecdb22.txt",
		"img": "https://archive.orkl.eu/10fde5c290527d2a118f274116cdd29407ecdb22.jpg"
	}
}