{
	"id": "c5aa3663-37bd-4c81-a001-a1d4efa894f2",
	"created_at": "2026-04-06T00:20:15.407522Z",
	"updated_at": "2026-04-10T03:22:08.548233Z",
	"deleted_at": null,
	"sha1_hash": "e4aca22e4da0998918024e345acce6c5e904279a",
	"title": "Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1180872,
	"plain_text": "Conti Team One Splinter Group Resurfaces as Royal Ransomware with\r\nCallback Phishing Attacks\r\nPublished: 2022-12-21 · Archived: 2026-04-05 19:53:40 UTC\r\nRansomware\r\nFrom September to December, we detected multiple attacks from the Royal ransomware group. In this blog entry, we\r\ndiscuss findings from our investigation of this ransomware and the tools that Royal ransomware actors used to carry out\r\ntheir attacks.\r\nBy: Ivan Nicole Chavez, Byron Gelera, Monte de Jesus, Don Ovid Ladores, Khristian Joseph Morales Dec 21, 2022 Read\r\ntime: 6 min (1695 words)\r\nRoyal ransomwareopen on a new tab may have been first observed by researchers around September 2022open on a new\r\ntab, but it has seasoned cybercriminals behind it: The threat actors running this ransomware — who used to be a part of\r\nConti Team One, according to a mind map shared by Vitali Kremezopen on a new tab — initially dubbed it Zeon\r\nransomware, until they rebranded it to Royal ransomware. From September to December this year, we have detected\r\nmultiple attacks from Royal ransomware, with the US and Brazil being the most targeted countries (Figure 1). This blog\r\nentry discusses in depth the findings from our investigation of samples of this new piece of ransomware, as well as the tools\r\nthat Royal ransomware actors used to carry out their attacks.\r\nFigure 1. Percentage of Royal ransomware attacks by country\r\nInfection Routine\r\nExternal reportsopen on a new tab mention that the Royal ransomware group uses callback phishing as a means of\r\ndelivering their ransomware to victims (Figure 2). These phishing attacks contain a number that leads to a service hired by\r\nthe threat actors. When contacted, they will use social engineering tactics to lure victims into installing remote access\r\nsoftware.\r\nhttps://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html\r\nPage 1 of 9\n\nFigure 2. 
Royal ransomware’s attack flow\r\nInstallation\r\nOur investigation found that the ransomware actors used a compiled remote desktop malware, which was used to drop the tools they needed to infiltrate the victim’s system: they used QakBot and Cobalt Strike for lateral movement, while NetScan was used to look for any remote systems connected to the network. Once they had infiltrated the system, the ransomware actors used tools such as PCHunter, PowerTool, GMER, and Process Hacker to disable any security-related services running in the system. They then exfiltrated the victim’s data via the RClone tool. We also observed an instance in which they used AdFind to query Active Directory, then executed RDPEnable on the infected machine.\r\nPayload\r\nOnce everything had been set up, the ransomware actors used PsExec to execute the malware. The PsExec commands contain the ID of the victim, along with any argument that the actors applied to the ransomware. There were also instances of the malware actors using PsExec to enable the Remote Desktop Protocol (RDP) on a target system before executing the ransomware.\r\nAnalysis\r\nIn part of our analysis, we used a ransomware sample with the detection name Ransom.Win64.YORAL.SMYXCJCT. As shown in Table 1, Figure 3, and Figure 4, Royal ransomware requires an argument of “-id {32-byte characters}” to execute on a victim’s machine. It also accepts “-path” to specify a target path for encryption and “-ep {value}” to set the value used to calculate the partial file encryption of large files.\r\nIn some earlier samples of the ransomware, the binary wouldn’t parse all the arguments due to a bug in the code. 
For example, “-path” won't be processed if provided after the “-id” argument; if provided before, there will be no “-id” argument, so the binary will not proceed.\r\nArgument: -path {target path}\r\nDescription: If provided, will only encrypt the contents of the target path\r\nArgument: -id {32-byte characters}\r\nDescription: Will be used as the victim’s ID, which will be appended to the TOR link found in the dropped ransom note. The process exits if it is not provided or if the provided value is not 32 bytes long\r\nArgument: -ep {value}\r\nDescription: Sets the value used by the full or partial file encryption routine\r\nTable 1. Arguments accepted by the Royal ransomware binary\r\nFigure 3. Arguments accepted by the ransomware binary\r\nFigure 4. Checking if the length of the provided “-id” is 32 bytes\r\nIt enumerates files and directories for encryption using the FindFirstFileW, FindNextFileW, and FindClose APIs (Figure 5).\r\nFigure 5. File enumeration\r\nThe ransomware looks for available network shares for network encryption by listing accessible local IPs, then uses NetShareEnum and attempts to connect to the ADMIN$ and IPC$ shares (Figure 6).\r\nFigure 6. Looking for accessible local IPs then trying to connect to ADMIN$ and IPC$\r\nIt checks the number of processors in the infected system and uses it as the basis for the number of concurrent threads used for file encryption, as shown in Figure 7. By doing so, Royal ransomware significantly increases the speed of its file encryption process.\r\nFigure 7. 
Checking the number of processors\r\nRoyal ransomware inhibits system recovery by deleting shadow copies (Figure 8) through the following command:\r\nC:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet\r\nFigure 8. Using vssadmin.exe to delete shadow copies\r\nThe ransomware encrypts files using OpenSSL’s implementation of the Advanced Encryption Standard (AES). It encrypts the AES key and IV with RSA using the embedded RSA public key (Figure 9). The RSA-encrypted AES key and IV are appended to each encrypted file (Figure 10).\r\nFigure 9. An RSA public key\r\nFigure 10. Generation of AES key and IV\r\nThe malicious actors behind Royal ransomware use a form of intermittent encryption tactic to speed up their encryption process: the ransomware first checks if the file size is divisible by 16, which is a requirement of the AES block size (Figure 11). If not, it rounds up the total size until it is divisible by 16. For example, if the size is 18, it will append zero bytes to the file until it has a size of 32, which is divisible by 16. Aside from appending the needed zero bytes, it also appends an extra 0x210 zero bytes as a placeholder for the appended RSA-encrypted key.\r\nFigure 11. Royal ransomware checking if the file size is divisible by 16\r\nFor a file size that has been rounded up, Royal ransomware will check if the size is less than or equal to 5,245,000 bytes or if the X value (described below) is set to 100 (0x64), as shown in Figure 12. If the file size is within these limits, it will encrypt the entire file. 
For files greater than 5,245,000 bytes, file encryption will take place per certain calculated blocks: for example, it will encrypt the first N bytes, then skip the next N bytes, then encrypt the next N bytes, and so on.\r\nFigure 12. Encryption process and calculation\r\nIts calculation of N bytes is as follows:\r\nN = (X / 10) * (original file size / 100) \u0026 0xFFFFFFF0\r\nwhere X is the value set before encryption. X is either 0x32 (50) or 0x64 (100). This value is also used as the indicator of whether full or partial encryption will be performed on the file.\r\nFor example, for a file with a file size equal to 5,245,000:\r\nN = 50/10 * (5245000 / 100) \u0026 0xFFFFFFF0 = 0x40060 (262240)\r\nIf the calculated N is greater than 1,024,000, it will simply encrypt in 1,024,000-byte blocks instead (Figure 13).\r\nFigure 13. Condition if N is greater than 1,024,000\r\nThe encrypted file’s structure would then be as follows (Table 2, listed as description and size):\r\nEncrypted file contents: rounded-up file size divisible by 16\r\nRSA-encrypted key: 0x200 bytes\r\nSize of encrypted file / offset address of the RSA-encrypted key: 8 bytes\r\nX value, 0x64 or provided value (usually 0x32), indicator of full or partial encryption: 8 bytes\r\nTable 2. An encrypted file’s structure\r\nThe ransomware then renames the encrypted files by appending the “.royal” extension, as demonstrated in Figures 14 and 15.\r\nFigure 14. Royal ransomware appending “.royal” to encrypted files\r\nFigure 15. Encrypted files appended with the “.royal” extension\r\nFor each directory it traverses, Royal ransomware drops a text file named “README.TXT” that contains the ransom note (Figure 16), as well as an advertisement for its “pentesting services” that the ransomware actors will allegedly provide once the ransom has been paid (Figure 17).\r\nFigure 16. 
Creation of the “README.TXT” file\r\nFigure 17. Contents of “README.TXT” with the sample ID we used appended to the TOR link.\r\nSecurity Recommendations\r\nOur investigation into Royal ransomware attacks shows how the group employs a mixture of both old and new techniques, which indicates that it is no newcomer to the ransomware scene. Their use of callback phishing to lure victims into installing remote desktop malware allows them to infiltrate the victim’s machine with relative ease. Their intermittent encryption tactics also hasten their encryption of a victim’s files, with the added benefit of evading detection measures that look for heavy file I/O operations. Despite their “late” entry to the scene in September, the group has already ransomed multiple companies, and we expect them to be more active in the upcoming months. More details on Royal ransomware’s other capabilities can be found in Trend Micro’s Threat Encyclopedia.\r\nWe highly advise users and organizations to update their systems with the latest patches and apply multi-layered defense mechanisms. The emergence and success of the Royal ransomware gang underscore how ransomware actors are finding more innovative ways to repurpose existing tools and tactics as a means of augmenting their attacks. End users and enterprises alike can mitigate the risk of infection from new threats like Royal ransomware by following these security best practices:\r\nEnable multifactor authentication (MFA) to prevent attackers from performing lateral movement inside a network.\r\nAdhere to the 3-2-1 rule when backing up important files. This involves creating three backup copies on two different file formats, with one of the copies stored in a separate location. 
\r\nPatch and update systems regularly. It’s important to keep operating systems and applications up to date and maintain patch management protocols that can deter malicious actors from exploiting any software vulnerabilities.\r\nCompanies can also benefit from the use of multilayered detection and response solutions such as Trend Micro Vision One™, which provides powerful XDR capabilities that collect and automatically correlate data across multiple security layers — email, endpoints, servers, cloud workloads, and networks — to prevent attacks via automated protection, while also ensuring that no significant incidents go unnoticed. Trend Micro Apex One™ also provides next-level automated threat detection and response to protect endpoints against advanced issues, like human-operated ransomware.\r\nIndicators of Compromise (IOCs)\r\nSource: https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html"
	],
	"report_names": [
		"conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434815,
	"ts_updated_at": 1775791328,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e4aca22e4da0998918024e345acce6c5e904279a.pdf",
		"text": "https://archive.orkl.eu/e4aca22e4da0998918024e345acce6c5e904279a.txt",
		"img": "https://archive.orkl.eu/e4aca22e4da0998918024e345acce6c5e904279a.jpg"
	}
}