{
	"id": "9633089b-49e3-4043-a719-a1d23659bc61",
	"created_at": "2026-04-06T00:10:19.589685Z",
	"updated_at": "2026-04-10T03:26:42.114172Z",
	"deleted_at": null,
	"sha1_hash": "7430f384eb282a0cc002d8c89562b8d0c2e1ac49",
	"title": "Threat Assessment: Royal Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 893619,
	"plain_text": "Threat Assessment: Royal Ransomware\r\nBy Doel Santos, Daniel Bunce, Anthony Galiette\r\nPublished: 2023-05-09 · Archived: 2026-04-05 22:02:20 UTC\r\nExecutive Summary\r\nRoyal ransomware has been involved in high-profile attacks against critical infrastructure, especially healthcare,\r\nsince it was first observed in September 2022. Bucking the popular trend of hiring affiliates to promote their threat\r\nas a service, Royal ransomware operates as a private group made up of former members of Conti.\r\nThe Unit 42 team has observed this group compromising victims through a BATLOADER infection, which threat\r\nactors usually spread through search engine optimization (SEO) poisoning. This infection involves dropping a\r\nCobalt Strike Beacon as a precursor to the ransomware execution. Unit 42 incident responders have participated in\r\n15 cases involving Royal ransomware in the last 9 months.\r\nRoyal ransomware also expanded their arsenal by developing an ELF variant to impact Linux and ESXi\r\nenvironments. The ELF variant is quite similar to the Windows variant, and the sample does not contain any\r\nobfuscation. All strings, including the RSA public key and ransom note, are stored as plaintext.\r\nPalo Alto Networks customers receive protections against ransomware used by the Royal ransomware group from\r\nCortex XDR, as well as from the WildFire Cloud-Delivered Security Service for the Next-Generation Firewall.\r\nThe Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive\r\nassessment to lower your risk.\r\nOverview\r\nThe Royal ransomware group was first observed in September 2022, compromising victims and using multi-extortion to pressure victims to pay their fee. 
Before their first appearance, this group had been linked to a\r\nprevious ransomware family named Zeon, starting in January of the same year.\r\nUnlike major ransomware groups like LockBit 3.0, which typically operate as a ransomware-as-a-service (RaaS)\r\nby hiring affiliates and promoting their RaaS model, we have not observed this particular group using a similar\r\napproach. It is suspected that this group is made up mainly of former members of the Conti ransomware group,\r\nwho operate covertly and behind closed doors. The ex-members that formed this group are known as Team One.\r\nBecause some of the people behind this threat were part of the development of Ryuk (discovered in 2018), which\r\nis the predecessor of Conti, they have many years of experience. This means they have a solid base for carrying\r\nout attacks and know what works when extorting victims. Perhaps due to this experience, the group has already\r\nhttps://unit42.paloaltonetworks.com/royal-ransomware/\r\nPage 1 of 14\n\nimpacted numerous organizations across the globe. We’ve observed them making demands up to $25 million\r\ndollars in BTC.\r\nRoyal also has frequently threatened certain critical infrastructure sectors, such as manufacturing and healthcare.\r\nIn a few months in 2022, the group impacted 14 manufacturing organizations, according to their leak site, and\r\nthen followed up by publicizing claims of attacking 26 additional manufacturing organizations in 2023. They have\r\nalso impacted eight healthcare organizations since their inception. The U.S. Department of Health and Human\r\nServices issued a warning about the threat Royal ransomware poses to the healthcare sector in January 2023.\r\nRoyal also has been one of the ransomware groups disrupting the education industry. We observed that they\r\nimpacted 14 organizations in the education sector, including school districts and universities. 
In fact, in just the\r\nfirst few days of May 2023, the group had already impacted four educational institutions.\r\nThis group has leveraged their leak site to publicly extort victims into paying the ransom, as shown in Figure 1.\r\nThe Royal group will harass victims until the payment is secured, using techniques such as emailing victims and\r\nmass-printing ransom notes.\r\nFigure 1. Royal ransomware leak site.\r\nThe Royal ransomware threat actor has an active Twitter account that was created in October 2022, called\r\n“LockerRoyal.” Most of the account content is announcements of compromised victims, tagging the victim’s\r\nTwitter account. In some cases, the threat actor will also reply to those same announcements.\r\nIt’s not unusual to see threat actor groups create social media accounts to keep spreading their brand and\r\nannouncements. It’s clear that this group is trying to get attention from multiple organizations through any means\r\nnecessary.\r\nFigure 2. Royal Twitter account replying to an alert.\r\nThis particular ransomware group has been observed using multiple initial access vectors to secure access into\r\nvulnerable systems, such as the following:\r\nCallback phishing\r\nSEO poisoning\r\nExposed remote desktop protocol (RDP) accounts\r\nCompromised credentials\r\nOnce access is secured, this group uses multiple tools to support the intrusion operation, like the TCP/UDP tunnel\r\nChisel and the Active Directory query tool AdFind, among others.\r\nVictimology\r\nRoyal ransomware has impacted a variety of industries, including small businesses and large corporations alike.\r\nBased on information from their leak site and public reporting outlets, we can see that Royal ransomware has\r\nimpacted industries such as manufacturing, as well as wholesale and retail. 
Since 2022, Royal ransomware has\r\nclaimed responsibility for impacting 157 organizations on their leak site.\r\nIt's important to note that the impact of Royal ransomware extends beyond just financial losses. There have been\r\ninstances where the group has targeted critical infrastructure, such as healthcare organizations and agricultural\r\nfacilities. Since 2022, we have observed this group impacting seven local government entities – like the recent\r\nattack on the city of Dallas – in the United States and Europe.\r\nUnit 42 incident responders have participated in 15 cases involving Royal ransomware.\r\nThis demonstrates the potential for broader and more severe consequences, as shown in Figure 3.\r\nFigure 3. Industries distribution per Royal leak site post.\r\nMost of the organizations impacted by this ransomware are located in the United States, comprising 64% of the\r\nimpacted organizations. Canada is the country second most impacted by this ransomware family, making the total\r\nfor North America 73.2%. The next most impacted countries include Germany, the United Kingdom, Brazil, Italy\r\nand others (shown in Figure 4).\r\nFigure 4. Countries impacted distribution per Royal leak site post.\r\nInfection Chain\r\nThere are several different infection chains that lead to Royal ransomware. In some cases, we have observed\r\ninstances where SEO poisoning and malvertising were used as initial access vectors. The goal of these two\r\nmethods is to trick a victim into downloading and executing a malicious file that masquerades as legitimate\r\nsoftware.\r\nThis kicks off a complex infection chain with multiple stages, including PowerShell scripts and MSI files. 
In\r\ncertain cases, this leads to infection with BATLOADER.\r\nBATLOADER will then attempt to download further payloads to the infected machine, such as VidarStealer,\r\nUrsnif/ISFB and Redline Stealer, as well as legitimate tooling such as the system management tool NSudo and the\r\nSyncro remote monitoring and management (RMM) tool. Most importantly, BATLOADER has been seen loading\r\nCobalt Strike, which is often a precursor to ransomware distribution.\r\nIn one particular case where we saw Royal ransomware deployed, a snippet of C# code was identified that was\r\noriginally pulled down from Pastebin. This code, when compiled, would decrypt and load shellcode. The\r\nshellcode appeared to be a simple Meterpreter stager that would reach out to an IP address and execute the final\r\nMeterpreter beacon. The IP address also hosted a Cobalt Strike server, from which we were able to retrieve the\r\nCobalt Strike configuration.\r\nThe configuration contained fairly standard values, although the watermark appeared to be somewhat unique and\r\nnot randomly generated: 12345. Querying for live Cobalt Strike servers on Shodan with the same watermark\r\nreturned just over 50 results.\r\nWhile this unique watermark could indicate a cracked version of Cobalt Strike, examining the domain names for\r\nthese C2s revealed commonalities across the board. Almost every domain was named to resemble a security\r\ncompany.\r\nFor example, the following servers hosted Cobalt Strike beacons with the watermark 12345:\r\naltocloudzone[.]live\r\ncloudmane[.]online\r\npalaltocloud[.]online\r\nkasperslkyupdate[.]com\r\npalalto[.]live\r\naltocdn[.]online\r\npaloaltokey[.]store\r\nkasperskyupdates[.]com\r\nRapidfinact[.]com\r\nNote that the names above are the work of a threat actor attempting to impersonate legitimate organizations and do\r\nnot represent actual affiliations with that organization. 
The threat actor’s impersonation does not imply a\r\nvulnerability in the legitimate organizations’ products or services.\r\nDefense Evasion\r\nUnit 42 researchers observed Royal ransomware operators using PowerTool. This is a piece of software that has\r\naccess to the kernel and is ideal for removing endpoint security software. They also executed batch scripts to\r\ndisable security-related services, and deleted shadow file copies and logs after successful exfiltration.\r\nLateral Movement\r\nUnit 42 researchers observed Royal threat actors using the network discovery software NetScan to identify and\r\nmap out various connected computer resources such as other user targets and shares. In addition to using NetScan,\r\nwe also observed them using PsExec for conducting lateral movement within the infected environments.\r\nCommand and Control (C2)\r\nUnit 42 researchers observed threat actors using various popular legitimate remote management software also\r\nused heavily by other ransomware operations to maintain access to the infected environment. The use of Cobalt\r\nStrike and related beacons was also observed for C2. An interesting observation of a tool used for maintaining\r\naccess was the use of Chisel, a TCP/UDP tunneling tool written in Golang.\r\nExfiltration\r\nUnit 42 researchers observed Royal threat actors using Rclone, a legitimate tool to manage files between two\r\nsystems, for exfiltrating stolen data before the deployment of ransomware. We found Rclone deployed in folders\r\nsuch as ProgramData, or renamed and masquerading in other folders. 
One popular filename used was svchost.exe.\r\nRansomware Functionality\r\nWindows Variant\r\nIt is important to note that, while many ransomware families employ various forms of anti-analysis, as of late\r\nApril, Royal ransomware does not employ anti-analysis tricks or string encryption.\r\nThere are five possible arguments for the Windows variant of Royal ransomware:\r\nArgument Purpose\r\n-path Path to be used for targeting encryption\r\n-id 32-character ID for running sample\r\n-ep Encryption percentage - indicates the percentage of each file to be encrypted\r\n-localonly Encrypt only the local system\r\n-networkonly Encrypt file shares connected to system\r\nIn Figure 5 below, the decompiled view contains the various command-line arguments to be evaluated at the start\r\nof the binary being executed.\r\nFigure 5. Command-line arguments Royal accepts as inputs.\r\nUpon evaluating the command-line arguments provided, the ransomware will then create a cmd.exe process with\r\nthe parameter to execute vssadmin delete shadows /all /quiet. The command is part of the standard ransomware\r\nplaybook for impacting restoration services.\r\nFor the encryption process, Royal ransomware has a hard-coded RSA public key within the binary and uses AES\r\nfor encryption. The AES encryption is set up using a 32-byte key and a 16-byte initialization vector (IV). 
Encrypted files are given the extension .royal_w.\r\nDuring file enumeration and encryption, the sample avoids files with the following extensions and filenames (also\r\nshown in Figure 6):\r\nExtensions:\r\n.exe\r\n.dll\r\n.bat\r\n.lnk\r\n.royal_w\r\n.royal_u\r\nFiles and folders:\r\nREADME.TXT\r\nWindows\r\nRoyal\r\nRecycle.bin\r\nGoogle\r\nPerflogs\r\nMozilla\r\nTor browser\r\nBoot\r\n$Windows.~ws\r\n$Windows.~bt\r\nWindows.old\r\nDuring the encryption process, if a file is encountered which is actively being used by the computer system, the\r\nransomware can use the RestartManager API functionality to close a file. As shown in Figure 6, the strings related\r\nto skipped extensions and folder paths are shown in the .rdata section of the binary.\r\nFigure 6. Extensions and folders excluded.\r\nThe ransom note dropped as a README.txt is shown in Figure 7 below.\r\nFigure 7. Royal ransomware ransom note.\r\nRoyal also contains functionality to encrypt network shares connected to the victim machine. The decompiled\r\nview of the code path responsible for enumerating shares is shown in Figure 8 below.\r\nFigure 8. Enumerates network shares and excludes ADMIN and IPC shares.\r\nFor supporting cryptographic operations used in the ransomware, the code is statically compiled with OpenSSL.\r\nThe cryptographic references can be seen in Figure 9 below and can be cross-referenced by examining the library\r\non GitHub.\r\nFigure 9. OpenSSL library statically compiled with ransomware binary.\r\nLinux Variant\r\nDuring development of this post, a Linux variant of Royal ransomware was identified by @BushidoToken on Feb.\r\n1, 2023. 
This is the first known version not targeting Windows systems. However, considering many ransomware\r\nfamilies have an ESXi/Linux-focused variant, this isn’t unusual. It only makes sense that this group would expand\r\ntheir arsenal to impact other environments.\r\nThere are minimal differences between the Linux and Windows variants in terms of encryption. AES-256 is used\r\nfor symmetric encryption, while RSA-4096 is used for asymmetric encryption within the sample.\r\nAdditionally, there is a lack of obfuscation within the Linux sample. All strings are stored as plaintext, including\r\nthe RSA public key and the ransom note.\r\nThere are five possible arguments for the Linux variant of Royal ransomware:\r\nArgument Purpose\r\n-id 32-character ID for running sample\r\n-ep Encryption percentage – indicates the percentage of each file that will be encrypted\r\n-stopv Indicates to the sample whether to stop VM-linked processes or not\r\n-fork Forks the current process for encryption\r\n-logs Informs the sample to log information to a file\r\nDuring file enumeration and encryption, the sample avoids files with the following extensions and filenames:\r\nExtensions:\r\n.v00\r\n.b00\r\n.sf\r\n.royal_u\r\n.royal_w\r\n.royal_log_\r\n.readme\r\nThe variant is also compiled with the OpenSSL library, resulting in a large number of unreferenced crypto-linked\r\nstrings.\r\nFigure 10. OpenSSL strings seen within Linux ransomware binary.\r\nConclusion\r\nRoyal ransomware has been more active this year, using a wide variety of tools and more aggressively targeting\r\ncritical infrastructure organizations. Organizations should implement security best practices and be wary of the\r\nongoing threat of ransomware. 
This is true not only for Royal ransomware but for other opportunistic criminal\r\ngroups as well.\r\nThe Unit 42 team recommends that defenders have advanced logging capabilities deployed and configured\r\nproperly. This includes tools such as Sysmon, Windows command-line logging and PowerShell logging.\r\nIdeally, you should be forwarding these logs to a security information and event management tool (SIEM) to\r\ncreate queries and detection opportunities. Keep computer systems patched and up to date wherever possible to\r\nreduce the attack surface related to exploitation techniques.\r\nDeploy an XDR/EDR solution to perform in-memory inspection and detect process injection techniques. Perform\r\nthreat hunting looking for signs of unusual behavior related to security product defense evasion, service accounts\r\nfor lateral movement and domain administrator-related user behavior.\r\nProtections and Mitigations\r\nPalo Alto Networks customers receive protections from the threats discussed above through the following\r\nproducts.\r\nWildFire: All known samples are identified as malware.\r\nCortex XDR with:\r\nIndicators for Royal\r\nAnti-Ransomware module to detect Royal encryption behaviors on Windows\r\nLocal Analysis detection for Royal binaries on Windows\r\nBehavioral Threat Protection (BTP) rule helps prevent ransomware activity on Linux\r\nNext-Generation Firewalls (NGFW): DNS signatures detect the known command and control (C2)\r\ndomains, which are also categorized as malware in URL Filtering.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance (CTA) members. 
CTA members use this intelligence to rapidly deploy protections to\r\ntheir customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nHashes\r\n595c869f8ec7eaf71fef44bad331d81bb934c886cdff99e1f013eec7acdaf8c9 Royal Windows Variant\r\nb57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c Royal Linux Variant\r\nb64acb7dcc968b9a3a4909e3fddc2e116408c50079bba7678e85fee82995b0f4 Royal Linux Variant\r\n12a6d61b309171b41347d6795002247c8e2137522a756d35bb8ece5a82fc3774 Royal Linux Variant\r\nInfrastructure\r\nroyal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid[.]onion\r\nAdditional Resources\r\nRoyal Ransom, Malpedia\r\nNew Royal Ransomware emerges in multi-million dollar attacks, Bleeping Computer\r\nConti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks, Trend\r\nMicro\r\nDEV-0569 finds new ways to deliver Royal ransomware, various payloads, Microsoft Threat Intelligence\r\nBatloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks, Trend\r\nMicro\r\nDark Web Profile: Royal Ransomware, SOCRadar\r\nNew Linux #Royal Ransomware, Twitter\r\nSource: https://unit42.paloaltonetworks.com/royal-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/royal-ransomware/"
	],
	"report_names": [
		"royal-ransomware"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf4d333d-ef79-40aa-b233-886e6de875a3",
			"created_at": "2023-12-08T02:00:05.754609Z",
			"updated_at": "2026-04-10T02:00:03.494821Z",
			"deleted_at": null,
			"main_name": "DEV-0569",
			"aliases": [
				"Storm-0569"
			],
			"source_name": "MISPGALAXY:DEV-0569",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434219,
	"ts_updated_at": 1775791602,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7430f384eb282a0cc002d8c89562b8d0c2e1ac49.pdf",
		"text": "https://archive.orkl.eu/7430f384eb282a0cc002d8c89562b8d0c2e1ac49.txt",
		"img": "https://archive.orkl.eu/7430f384eb282a0cc002d8c89562b8d0c2e1ac49.jpg"
	}
}