{
	"id": "547bd77d-089f-465b-a8f4-a35d3ae7caf3",
	"created_at": "2026-04-06T00:21:43.960412Z",
	"updated_at": "2026-04-10T13:12:47.609018Z",
	"deleted_at": null,
	"sha1_hash": "229ba0fd38e9cd8695b8b2b262f555ff32e5fb02",
	"title": "Royal Rumble: Analysis of Royal Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 809235,
	"plain_text": "Royal Rumble: Analysis of Royal Ransomware\r\nBy Cybereason Global SOC \u0026 Cybereason Security Research Teams\r\nArchived: 2026-04-05 16:46:50 UTC\r\nThe Royal ransomware group emerged in early 2022 and has gained momentum since the middle of the year. The group deploys its ransomware through several different TTPs and has impacted organizations across the globe. Based on similarities researchers have observed between Royal ransomware and other ransomware families, the group is suspected of consisting of former members of other ransomware groups.\r\nKey Findings\r\nUnique approach to evading anti-ransomware defenses: Royal ransomware extends the concept of partial encryption. It encrypts only a pre-determined portion of each file and lets the operator choose that portion as a percentage, which makes detection harder for anti-ransomware solutions that key on the amount or pattern of modified data.\r\nMulti-threaded ransomware: Royal ransomware uses multiple threads to accelerate the encryption process.\r\nGlobal ransomware operation: Royal ransomware operates worldwide and reportedly on its own. The group does not appear to use a ransomware-as-a-service model or to target a specific sector or country.\r\nDifferent methods of deployment: Royal ransomware is delivered and started in different ways, as described in this report.\r\nINTRODUCTION\r\nThe Royal ransomware group was first observed in early 2022. At the time, it used third-party ransomware, such as BlackCat, and custom Zeon ransomware. Since September 2022, the group has used its own ransomware. In November 2022, Royal ransomware was reported to be the most prolific ransomware in the e-crime landscape, overtaking LockBit for the first time in more than a year.\r\nRoyal ransomware operations start in different ways. One method is through phishing campaigns that use one of the common e-crime loaders, reportedly BATLOADER and Qbot. The loader then downloads a Cobalt Strike payload to continue the operation inside the infected environment. This tactic is common in other ransomware operations, including that of BlackBasta, which is also delivered via Qbot.\r\nSince mid-September, the group has gained momentum and added dozens of victims to its website. The group does not seem to focus on a specific sector; its victims range from industrial companies to insurance companies and more. Although the majority of the group’s victims are based in the U.S., one of its higher-profile victims was the Silverstone Circuit, a motor racing circuit in England.\r\nhttps://www.cybereason.com/blog/royal-ransomware-analysis\r\nPage 1 of 19\r\nScreenshot from the Royal ransomware website showing Silverstone Circuit as a victim\r\nMultiple reports have noted resemblances between the Royal ransomware group and Conti, including similarities between the ransom notes each group uses (particularly in Royal’s early stages) and the use of callback phishing attacks. In our research, we identified additional similarities, such as resemblances in the factors that drive encryption decisions. However, these similarities are not yet clear enough to confirm a direct connection between the two groups.\r\nTECHNICAL ANALYSIS\r\nSetting up the ransomware\r\nWhen executed, Royal ransomware accepts three command-line arguments:\r\n-path [optional]: The path to be encrypted. If omitted, the ransomware scans the network for targets instead (see NETWORK SCANNER).\r\n-ep [optional]: A number giving the percentage of each file that will be encrypted.\r\n-id: A 32-digit identifier. If no -id parameter is given on the command line, the ransomware will not run.\r\nThe encryption decision tree depends on these arguments, so encryption speed, the degree of file corruption, and the likelihood of detection are all directly affected by them.\r\nRoyal ransomware command line arguments\r\nAfter validating the command line, Royal ransomware attempts to delete Volume Shadow Copy backups by running vssadmin.exe with the command line “delete shadows /all /quiet”.\r\nRoyal ransomware deleting shadow copies\r\nThe deletion of the shadow copies can also be seen in the Cybereason Defense Platform, which flags the activity as ransomware behavior in the image below.\r\nCybereason Defense Platform identifies deletion of shadow copies\r\nOnce the backups have been deleted, Royal ransomware sets its exclusion paths (the files and directories spared from encryption). Files with the following extensions or names are excluded from encryption:\r\n.exe\r\n.dll\r\n.bat\r\n.lnk\r\nREADME.TXT\r\n.royal\r\nSkipping executables and libraries keeps the host bootable so the victim can still read the note, skipping README.TXT avoids encrypting the note itself, and skipping .royal prevents double encryption if the sample is run twice.\r\nRoyal ransomware setting the extension exclusion list\r\nNext, the ransomware sets the list of directories to be excluded from encryption. These are directories whose path contains one of the following strings:\r\nWindows\r\nRoyal\r\nPerflogs\r\nTor browser\r\nBoot\r\n$recycle.bin\r\nWindows.old\r\n$window.~ws\r\n$windows.~bt\r\nMozilla\r\nGoogle\r\nRoyal ransomware setting the directories exclusion list\r\nAfter setting the excluded directories, the ransomware calls socket to create a TCP socket and then WSAIoctl (with SIO_GET_EXTENSION_FUNCTION_POINTER) to retrieve a function pointer of type LPFN_CONNECTEX; this is how the ConnectEx extension function is obtained at runtime.\r\nRoyal ransomware retrieving the ConnectEx function\r\nAfter this initial setup, Royal ransomware creates two threads: one that writes the ransom note to every non-excluded directory and one that performs file encryption. A network-scanning routine is also available, as described next.\r\nNETWORK SCANNER\r\nIf no -path argument is given on the command line, Royal ransomware scans the network in the following steps:\r\nFirst, the ransomware enumerates the local network interfaces with the API call GetIpAddrTable and collects the machine’s IP addresses. It specifically looks for addresses that start with “192.”, “10.”, “100.”, or “172.”, prefixes that typically correspond to internal address ranges.\r\nNetwork scanning\r\nSecond, Royal ransomware creates a socket with WSASocketW and associates it with an I/O completion port using CreateIoCompletionPort. It then uses htons to set the destination port to 445 (SMB) and attempts to connect to the candidate IP addresses through the LPFN_CONNECTEX function pointer obtained earlier. The completion port lets a single thread drive many asynchronous connection attempts at once, which keeps the scan fast.\r\nUsing ConnectEx\r\nThird, the ransomware enumerates the shared resources of each reachable host with the API call NetShareEnum. If a share is “\\\\\u003cIP_Address\u003e\\ADMIN$” or “\\\\\u003cIP_Address\u003e\\IPC$”, the ransomware skips it; all other shares are candidates for encryption.\r\nEnumerating network resources and skipping the ADMIN$ and IPC$ shares\r\nENCRYPTION THREAD\r\nRoyal ransomware’s encryption is multi-threaded. To choose the number of worker threads, the ransomware calls GetNativeSystemInfo to obtain the number of processors, multiplies the result by two, and creates that many encryption threads.\r\nCreating encryption threads\r\nNext, the ransomware loads the RSA public key, which is embedded in the binary in plain text and is used to encrypt the per-file AES key.\r\nRSA public key\r\nBefore encrypting, Royal ransomware uses the Windows Restart Manager to check whether any targeted file is in use or locked by another application or service. Other ransomware families, including Conti, Babuk, and LockBit, use Restart Manager for the same purpose. Royal calls RmStartSession to start a session, RmRegisterResources to register the targeted files as resources, RmGetList to find which applications or services hold the files open (explorer.exe is excluded), and RmShutdown to terminate those applications and services so the files can be encrypted.\r\nRoyal ransomware killing processes\r\nFinally, the encryption method is determined by the size of the file and the -ep parameter:\r\nIf the file is smaller than 5.245 MB, or the -ep argument equals 100, the entire file is encrypted.\r\nIf the file is larger than 5.245 MB and an -ep argument other than 100 is given, approximately that percentage of the file is encrypted.\r\nIf the file is larger than 5.245 MB and no -ep argument is given, 50% of the file is encrypted.\r\nDecision making in encryption\r\nWhen a targeted file is partially encrypted, the ransomware calculates the number of bytes to encrypt and divides the file content into equal-sized segments, interleaving encrypted and unencrypted segments across the file. The resulting fragmentation, combined with a possibly low percentage of encrypted content, lowers the chance of detection by anti-ransomware solutions that measure how much of a file changed, while still damaging the file along its whole length.\r\nIn the following test, we compare the encryption of the same file (larger than 5.245 MB) with different encryption percentages (-ep argument). The image on the left shows an -ep argument of 50 and the image on the right an -ep argument of 10.\r\nPortexAnalyzer ep 50 vs. ep 10\r\nIn addition to encrypting the file content, Royal ransomware writes 532 bytes at the end of each file, laid out as follows:\r\n512 bytes: the randomly generated per-file encryption key, encrypted with the embedded RSA public key (a 512-byte RSA ciphertext corresponds to a 4096-bit modulus)\r\n8 bytes: the size of the encrypted file\r\n8 bytes: the -ep value that was used\r\nNote that the three fields listed add up to 528 bytes; the remaining 4 bytes of the stated 532-byte trailer are not described here. This trailer is what lets the operator’s decryptor recover the AES key with the RSA private key and know how much of each file to decrypt.\r\nWhile partial encryption is not new, most ransomware families base it only on file size and then always encrypt the same fixed percentage of a large file. In contrast, Royal ransomware lets the operator choose the percentage and lower the amount of encrypted data even when the file is large. This control over how much of each file is encrypted gives Royal ransomware an advantage in evading detection by security products.\r\nIt is worth highlighting that Conti ransomware also uses a file size of 5.24 MB as its threshold for partial encryption. When a file was larger than 5.24 MB, Conti encrypted 50% of it in a segmented manner, much like Royal ransomware. This similarity raises the question of whether the Royal ransomware authors have a connection to the Conti group, but on its own it is not strong enough to suggest a direct or definitive connection.\r\nAs for the encryption algorithm, Royal ransomware uses the OpenSSL library and AES-256. Like other ransomware, it first reads the targeted file with ReadFile, then encrypts the content and writes the ciphertext back at the designated offset using SetFilePointerEx and WriteFile. 
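To make the decision tree and trailer layout above concrete, the following is an added Python example written for this page; it is not code from the original report or from the malware. It applies the size and -ep rules and the exclusion lists exactly as described, and it parses the documented trailer fields off the end of an encrypted file image so a responder can tell how much of a file was actually touched. The threshold unit (decimal megabytes), little-endian byte order, case-insensitive matching, the assumption that the stored ep value equals the percentage applied, and all names (encryption_percent, parse_trailer, triage, make_sample) are assumptions of the example rather than facts from the report; the sample file image is constructed, and the 512-byte key blob in it is filler.

```python
import ntpath
import struct

# Figures taken from the report above: the 5.245 MB partial-encryption threshold,
# the 50 percent default for large files, the extension/directory exclusion lists,
# and the trailer fields (512-byte key blob, 8-byte file size, 8-byte ep value).
# Assumptions of this example, not statements from the report: decimal megabytes,
# little-endian integers, case-insensitive matching, and that the stored ep value
# is the percentage actually applied. All names below are hypothetical.
THRESHOLD_BYTES = 5_245_000
DEFAULT_LARGE_FILE_PERCENT = 50
KEY_BLOB_LEN = 512
TRAILER_LEN = KEY_BLOB_LEN + 8 + 8   # 528; the report says 532, the extra 4 bytes are undocumented
EXCLUDED_EXTENSIONS = ('.exe', '.dll', '.bat', '.lnk', '.royal')
EXCLUDED_NAMES = ('readme.txt',)
EXCLUDED_DIR_STRINGS = ('windows', 'royal', 'perflogs', 'tor browser', 'boot',
                        '$recycle.bin', 'windows.old', '$window.~ws',
                        '$windows.~bt', 'mozilla', 'google')


def encryption_percent(file_size, ep=None):
    '''Reproduce the decision tree: ep is the -ep value, None when not supplied.'''
    if ep == 100 or file_size < THRESHOLD_BYTES:
        return 100
    if ep is None:
        return DEFAULT_LARGE_FILE_PERCENT
    return ep


def encrypted_byte_count(file_size, ep=None):
    '''Approximate number of plaintext bytes replaced by ciphertext.'''
    return file_size * encryption_percent(file_size, ep) // 100


def is_excluded(path):
    '''True when the exclusion lists would spare this file from encryption.'''
    lowered = path.lower()
    name = ntpath.basename(lowered)      # ntpath splits on both / and the Windows separator
    directory = ntpath.dirname(lowered)
    if name in EXCLUDED_NAMES or name.endswith(EXCLUDED_EXTENSIONS):
        return True
    return any(s in directory for s in EXCLUDED_DIR_STRINGS)


def parse_trailer(data):
    '''Split the per-file trailer off an encrypted file image.'''
    if len(data) < TRAILER_LEN:
        raise ValueError('too short to carry a trailer')
    trailer = data[-TRAILER_LEN:]
    original_size, ep = struct.unpack('<QQ', trailer[KEY_BLOB_LEN:])
    return {
        'key_blob': trailer[:KEY_BLOB_LEN],   # RSA ciphertext of the per-file AES key
        'original_size': original_size,
        'ep': ep,
        'body_len': len(data) - TRAILER_LEN,
    }


def triage(data):
    '''Summarize what an encrypted file image tells a responder.'''
    t = parse_trailer(data)
    percent = encryption_percent(t['original_size'], t['ep'])
    touched = t['original_size'] * percent // 100
    return {
        'original_size': t['original_size'],
        'ep': t['ep'],
        'percent_encrypted': percent,
        'bytes_encrypted': touched,
        'bytes_intact': t['original_size'] - touched,
        'size_consistent': t['body_len'] == t['original_size'],   # sanity check on the trailer
    }


def make_sample(original_size, ep_used):
    '''Constructed file image for testing: filler body plus a trailer.'''
    body = b'A' * original_size
    key_blob = bytes(range(256)) * 2     # stand-in for the 512-byte RSA blob
    return body + key_blob + struct.pack('<QQ', original_size, ep_used)


if __name__ == '__main__':
    for size, ep in ((1_000_000, None), (6_000_000, None), (6_000_000, 10), (6_000_000, 100)):
        print(size, ep, encryption_percent(size, ep))
    print(triage(make_sample(6_000_000, 10)))
```

Because the three documented fields total 528 bytes rather than 532, the parser reads only those 528 bytes; if a real sample carries the extra 4 bytes ahead of them, shift the offset accordingly. The percent_encrypted figure matters in incident response: with a low ep, most of a large file survives in plaintext, which can be enough to carve partial content from formats with internal redundancy, such as database files or logs, even without the key.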
After finishing encryption, the file\r\nextension changes to “.royal” using the API call MoveFileExW.\r\nhttps://www.cybereason.com/blog/royal-ransomware-analysis\r\nPage 12 of 19\n\nRoyal ransomware appending .royal extension to the files it encrypts\r\nWRITING THE RANSOM NOTE\r\nDuring the entire Royal ransomware process, the ransomware creates an additional thread to retrieve the logical\r\ndrives using the API call GetLogicalDrives. It then writes the ransom note with the name “README.TXT” in\r\nevery directory that is not in its exclusion list.\r\nRoyal Ransomware creating the ransom note\r\nEventually, an encrypted directory will look like this\r\nhttps://www.cybereason.com/blog/royal-ransomware-analysis\r\nPage 13 of 19\n\nExample of a folder affected by royal ransomware\r\nOVERVIEW\r\nThe image below illustrates the entire encryption process decision tree:\r\nhttps://www.cybereason.com/blog/royal-ransomware-analysis\r\nPage 14 of 19\n\nRoyal ransomware encryption process decision tree\r\nCONCLUSION\r\nWhen it comes to partial encryption, Royal ransomware seems to give the ransomware operator a more flexible\r\nsolution for evading detection compared to most ransomware. 
We assume this flexibility and the evasion potential\r\nit enables was a design goal for the creators of Royal ransomware.\r\nAs with some reports mentioned above, some ideas that were implemented in Conti ransomware can be found in\r\nRoyal ransomware.\r\nCYBEREASON DEFENSE PLATFORM: DETECTION AND PREVENTION\r\nhttps://www.cybereason.com/blog/royal-ransomware-analysis\r\nPage 15 of 19\n\nThe Cybereason Defense Platform is able to detect and prevent Royal ransomware infections using multi-layer\r\nmalware protection that leverages threat intelligence, machine learning, anti-ransomware, next-gen antivirus\r\n(NGAV), and Variant Payload Prevention capabilities.\r\nCybereason Defense Platform showing the Royal ransomware triggered a “MalOp”\r\nRECOMMENDATIONS\r\nThe Cybereason GSOC \u0026 Security Research teams recommend the following actions in the Cybereason Defense\r\nPlatform:\r\nEnable Application Control to block the execution of malicious files.\r\nEnable Anti-Ransomware in your environment’s policies, set the Anti-Ransomware mode to Prevent, and\r\nenable Shadow Copy detection to ensure maximum protection against ransomware.\r\nEnable Variant Payload Prevention with prevent mode on Cybereason Behavioral execution prevention.\r\nTo hunt proactively, use the Investigation screen in the Cybereason Defense Platform and the queries in the\r\nHunting Queries section to search for machines that are potentially infected with Royal Ransomware.\r\nBased on the search results, take further remediation actions, such as isolating the infected machines\r\nand deleting the payload file.\r\nCybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to\r\neverywhere. 
Schedule a demo today to learn how your organization can benefit from an operation-centric\r\napproach to security.\r\nMITRE ATT\u0026CK MAPPING\r\nhttps://www.cybereason.com/blog/royal-ransomware-analysis\r\nPage 16 of 19\n\nTactic Technique or Sub-technique\r\nTA0005: Discovery T1083: File and Directory Discovery\r\nTA0007: Discovery T1016: System Network Configuration Discovery\r\nTA0007: Discovery T1046: Network Service Discovery\r\nTA0007: Discovery T1057: Process Discovery\r\nTA0007: Discovery T1082: System Information Discovery\r\nTA0007: Discovery T1135: Network Share Discovery\r\nTA0040: Impact T1486: Data Encrypted for Impact\r\nTA0040: Impact T1489: Service Stop\r\nTA0040: Impact T1490: Inhibit System Recovery\r\nTA0002: Execution T1059: Command and Scripting Interpreter\r\nIOCS\r\nIndicators\r\nIndicator\r\ntype\r\nDescription\r\n250bcbfa58da3e713b4ca12edef4dc06358e8986cad15928aa30c44fe4596488 SHA256\r\nRoyal\r\nRansomware\r\nBinary\r\nhttps://www.cybereason.com/blog/royal-ransomware-analysis\r\nPage 17 of 19\n\n9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926 SHA256\r\nRoyal\r\nRansomware\r\nBinary\r\nc24c59c8f4e7a581a5d45ee181151ec0a3f0b59af987eacf9b363577087c9746 SHA256\r\nRoyal\r\nRansomware\r\nBinary\r\n5fda381a9884f7be2d57b8a290f389578a9d2f63e2ecb98bd773248a7eb99fa2 SHA256\r\nRoyal\r\nRansomware\r\nBinary\r\n312f34ee8c7b2199a3e78b4a52bd87700cc8f3aa01aa641e5d899501cb720775 SHA256\r\nRoyal\r\nRansomware\r\nBinary\r\nf484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429 SHA256\r\nRoyal\r\nRansomware\r\nBinary\r\n7cbfea0bff4b373a175327d6cc395f6c176dab1cedf9075e7130508bec4d5393 SHA256\r\nRoyal\r\nRansomware\r\nBinary\r\n2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f SHA256\r\nRoyal\r\nRansomware\r\nBinary\r\nABOUT THE RESEARCHERS\r\nEli Salem, Security \u0026 Malware Researcher, Cybereason Global SOC\r\nhttps://www.cybereason.com/blog/royal-ransomware-analysis\r\nPage 18 of 19\n\nEli is a lead threat hunter 
and malware reverse engineer at Cybereason. He has worked in the\r\nprivate sector of the cybersecurity industry since 2017. In his free time, he publishes articles about malware\r\nresearch and threat hunting. \r\nAlon Laufer, Senior Security Analyst, Cybereason Global SOC \r\nAlon Laufer is a Senior Security Analyst with the Cybereason Global SOC team. Alon analyzes\r\ncritical incidents. He began his career in the Israeli Air Force where he was responsible for protecting critical\r\ninfrastructure. Alon is interested in malware analysis, digital forensics, and incident response.\r\n Mark Tsipershtein, Security Operations Analyst at Cybereason\r\nMark Tsipershtein, a cyber security analyst at the Cybereason Security Research Team, focuses on\r\nanalysis automation and infrastructure. Mark has more than 20 years of experience in SQA, automation, and\r\nsecurity testing.\r\nAbout the Author\r\nCybereason Global SOC \u0026 Cybereason Security Research Teams\r\nSource: https://www.cybereason.com/blog/royal-ransomware-analysis\r\nhttps://www.cybereason.com/blog/royal-ransomware-analysis\r\nPage 19 of 19",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/royal-ransomware-analysis"
	],
	"report_names": [
		"royal-ransomware-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434903,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/229ba0fd38e9cd8695b8b2b262f555ff32e5fb02.pdf",
		"text": "https://archive.orkl.eu/229ba0fd38e9cd8695b8b2b262f555ff32e5fb02.txt",
		"img": "https://archive.orkl.eu/229ba0fd38e9cd8695b8b2b262f555ff32e5fb02.jpg"
	}
}