{
	"id": "1c069b75-9f73-4c54-81ca-eb459689f4f6",
	"created_at": "2026-04-06T00:07:30.572565Z",
	"updated_at": "2026-04-10T13:12:02.53664Z",
	"deleted_at": null,
	"sha1_hash": "3b86714ca8093281191dedd4697b930f22dbcf61",
	"title": "New Royal Ransomware emerges in multi-million dollar attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2550955,
	"plain_text": "New Royal Ransomware emerges in multi-million dollar attacks\r\nBy Lawrence Abrams\r\nPublished: 2022-09-29 · Archived: 2026-04-05 14:26:31 UTC\r\nA ransomware operation named Royal is quickly ramping up, targeting corporations with ransom demands ranging from\r\n$250,000 to over $2 million. \r\nRoyal is an operation that launched in January 2022 and consists of a group of vetted and experienced ransomware actors\r\nfrom previous operations.\r\nUnlike most active ransomware operations, Royal does not operate as a Ransomware-as-a-Service but is instead a private\r\ngroup without affiliates.\r\nhttps://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/\r\nPage 1 of 7\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/\r\nPage 2 of 7\n\nVisit Advertiser websiteGO TO PAGE\r\nVitali Kremez, CEO of AdvIntel, told BleepingComputer that they utilized other ransomware operation's encryptors when\r\nfirst starting, such as BlackCat.\r\nSoon after, the cybercrime enterprise began using its own encryptors, the first being Zeon [Sample], which generated ransom\r\nnotes very similar to Conti's.\r\nZeon ransom note\r\nSource: BleepingComputer\r\nHowever, since the middle of September 2022, the ransomware gang has rebranded again to 'Royal' and is using that name\r\nin ransom notes generated by a new encryptor.\r\nHow Royal breaches their victims\r\nThe Royal operation has been operating in the shadows, not using a data leak site and keeping news of their attacks quiet.\r\nHowever, as the gang became more active this month, victims have appeared at BleepingComputer, and a sample was\r\nuploaded to VirusTotal.\r\nIn conversations with Kremez and a victim, BleepingComputer has created a better picture of how the gang operates.\r\nAccording to Kremez, the Royal group utilizes targeted callback phishing attacks where they impersonate food delivery and\r\nsoftware providers in emails pretending to be subscription renewals. \r\nThese phishing emails contain phone numbers that the victim can contact to cancel the alleged subscription, but, in reality, it\r\nis a number to a service hired by the threat actors.\r\nhttps://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/\r\nPage 3 of 7\n\nExample of a Royal callback phishing email\r\nSource: AdvIntel\r\nWhen a victim calls the number, the threat actors use social engineering to convince the victim to install remote access\r\nsoftware, which is used to gain initial access to the corporate network.\r\nA Royal victim who spoke to BleepingComputer shared that the threat actors breached their network using a vulnerability in\r\ntheir custom web application, showing the threat actors are also being creative in how they gain access to a network.\r\nOnce they gain access to a network, they perform the same activities commonly used by other human-operated ransomware\r\noperations. They deploy Cobalt Strike for persistence, harvest credentials, spread laterally through the Windows domain,\r\nsteal data, and ultimately encrypt devices.\r\nWhen encrypting files, the Royal encryptor will append the .royal extension to the file names of encrypted files. For\r\nexample, test.jpg would be encrypted and renamed to test.jpg.royal, as shown below.\r\nhttps://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/\r\nPage 4 of 7\n\nFiles encrypted by the Royal Ransomware\r\nSource: BleepingComputer\r\nA Royal victim also told BleepingComputer that they target virtual machines by directly encrypting their virtual disk files\r\n(VMDK). The threat actors then print out the ransom notes on network printers or create them on encrypted Windows\r\ndevices.\r\nThese ransom notes are named README.TXT and contain a link to the victim's private Tor negotiation page\r\nat royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion. XXX in the ransom note below has been redacted\r\nbut is unique to the victim.\r\nRoyal ransom note\r\nSource: BleepingComputer\r\nThe Tor negotiation site is nothing special, simply containing a chat screen where a victim can communicate with the Royal\r\nransomware operators.\r\nAs part of these negotiations, the ransomware gang will provide the ransom demand, with ransom demands between\r\n$250,000 and over $2 million.\r\nhttps://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/\r\nPage 5 of 7\n\nThe ransomware gang will also commonly decrypt a few files for the victims to prove their decryptor works and share file\r\nlists of the stolen data.\r\nRoyal Ransomware Tor negotiation site\r\nSource: BleepingComputer\r\nBleepingComputer is unaware of successful payments and has not seen a decryptor for this ransomware family.\r\nWhile the group claims to steal data for double-extortion attacks, it does not appear that a data leak site has been launched\r\nunder the Royal brand as of yet.\r\nHowever, it is strongly advised that network, windows, and security admins keep an eye out for this group, as they are\r\nquickly ramping up operations and will likely become one of the more significant enterprise-targeting ransomware\r\noperations.\r\nUpdate 8/29/22: Article updated with some corrections, including launch date and callback phishing example.\r\nhttps://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/\r\nPage 6 of 7\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/\r\nhttps://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/"
	],
	"report_names": [
		"new-royal-ransomware-emerges-in-multi-million-dollar-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434050,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b86714ca8093281191dedd4697b930f22dbcf61.pdf",
		"text": "https://archive.orkl.eu/3b86714ca8093281191dedd4697b930f22dbcf61.txt",
		"img": "https://archive.orkl.eu/3b86714ca8093281191dedd4697b930f22dbcf61.jpg"
	}
}