{
	"id": "086b08ce-61b5-4370-b04e-d889ca0822e0",
	"created_at": "2026-04-06T00:15:33.569033Z",
	"updated_at": "2026-04-10T03:21:03.900787Z",
	"deleted_at": null,
	"sha1_hash": "1534196e9d330af114eaf5f67aed01912e22fa15",
	"title": "Ransomware Roundup - Royal | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56952,
	"plain_text": "Ransomware Roundup - Royal | FortiGuard Labs\r\nBy Shunichi Imano and James Slaughter\r\nPublished: 2022-10-13 · Archived: 2026-04-06 00:04:20 UTC\r\nOn a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining\r\ntraction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers\r\nwith brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those\r\nvariants.\r\nThis latest edition of the Ransomware Roundup covers Royal ransomware.\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Microsoft Windows Users\r\nImpact: Encrypts files on the compromised machine and demands ransom for file decryption\r\nSeverity level: High\r\nRoyal Ransomware\r\nRoyal is a reasonably new operation, having been around since at least the start of 2022. The object of the group\r\nand its malware is typical: gain access to a victim’s environment, encrypt their data, and extort a ransom to return\r\naccess to any files touched.\r\nThere does not appear to be a single stated infection vector. Instead, infection appears to depend on the individual\r\nvictim.\r\nThe group hints in its ransom note that it means to employ the “double extortion” tactic of threatening to release\r\ndata captured from the victim in addition to putting a victim’s data out of reach via encryption unless a ransom is\r\npaid. This however has yet to be definitively proven.\r\nIn what appears to be a bit of tongue-in-cheek, the group suggests that its actions are a “pentesting service” and\r\nthat it will provide the victim with a “security review.”\r\nThe ransomware itself is a 64-bit Windows executable written in C++.\r\nIt is launched via command line, suggesting that it is designed to be run via an operator after access to an\r\nenvironment is provided through another method.\r\nThere are two arguments that need to be passed to kick the encryption process off. “-path” determines what is to\r\nbe encrypted, whether a single directory or an entire drive. “-id” appears to be how the group identifies its victims.\r\nThis can be any 32-character string, as shown in Figure 2.\r\nRegardless of whether either of these arguments are provided, the malware goes ahead and deletes the volume\r\nshadow copy off the system.\r\nhttps://www.fortinet.com/blog/threat-research/ransomware-roundup-royal-ransomware\r\nPage 1 of 3\n\nInterestingly, it appears that there is a third argument flag in the code that was either abandoned or provides\r\nfunctionality to a feature not yet implemented, “-ep”.\r\nRoyal appears to use the OpenSSL library to encrypt files to the AES standard. Encrypted files are renamed and\r\ngiven a “.royal” file extension.\r\nInterestingly, it appears that a file may not be entirely encrypted in all circumstances. For example, a PDF used in\r\na FortiGuard Labs test system showed some recognizable items after encryption.\r\nAs shown in the ransom note in Figure 1, victims will be provided an ID and a unique Tor page to visit to contact\r\nthe group about payment. \r\nA Tor landing page exists. However, it simply suggests viewing the readme file generated by the encryption\r\nprocess. It also offers a non-interactive contact form to message the group if someone decided to do so.\r\nFortinet Protection\r\nFortinet customers are already protected from these malware variants through FortiGuard’s, AntiVirus, FortiMail,\r\nFortiClient, and FortiEDR services, as follows:\r\nFortiGuard Labs detects the known Royal ransomware variants with the following AV signature:\r\nW32/PossibleThreat\r\nIOCs\r\n2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f\r\n9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926\r\nFortiGuard Labs Guidance\r\nDue to the ease of disruption, damage to daily operations, potential impact to an organization's reputation, and the\r\nunwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS\r\nsignatures up to date.\r\nSince the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet\r\nsolutions designed to train users to understand and detect phishing threats:\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness\r\nand vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted\r\nphishing attacks.\r\nOur FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed\r\nto help end users learn how to identify and protect themselves from various types of phishing attacks and can be\r\neasily added to internal training programs.\r\nhttps://www.fortinet.com/blog/threat-research/ransomware-roundup-royal-ransomware\r\nPage 2 of 3\n\nTo effectively deal with the evolving and rapidly expanding risk of ransomware, organizations will need to make\r\nfoundational changes to the frequency, location, and security of their data backups. When coupled with digital\r\nsupply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can\r\ncome from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced\r\nendpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack;\r\nand Zero Trust Access and network segmentation strategies that restrict access to applications and resources based\r\non policy and context, should all be investigated to minimize risk and to reduce the impact of a successful\r\nransomware attack.\r\nAs part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across\r\nyour security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.\r\nBest Practices include Not Paying a Ransom\r\nOrganizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom\r\npartly because payment does not guarantee that files will be recovered. According to a U.S. Department of\r\nTreasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to\r\ntarget additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit\r\nactivities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a\r\nRansomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes\r\nComplaint Center (IC3).\r\nHow Fortinet Can Help\r\nFortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is\r\ndetected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare\r\nfor a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop\r\nexercises).\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nAI-powered security services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/ransomware-roundup-royal-ransomware\r\nhttps://www.fortinet.com/blog/threat-research/ransomware-roundup-royal-ransomware\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/ransomware-roundup-royal-ransomware"
	],
	"report_names": [
		"ransomware-roundup-royal-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434533,
	"ts_updated_at": 1775791263,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1534196e9d330af114eaf5f67aed01912e22fa15.pdf",
		"text": "https://archive.orkl.eu/1534196e9d330af114eaf5f67aed01912e22fa15.txt",
		"img": "https://archive.orkl.eu/1534196e9d330af114eaf5f67aed01912e22fa15.jpg"
	}
}