Royal Ransomware Actors

Also known as: Royal Ransomware Actors

Royal is a ransomware group believed to be responsible for hundreds of attacks on victims worldwide, including organizations in critical infrastructure sectors such as manufacturing, communications, healthcare, and education. The actors behind the Royal operation are believed to be former members of other cybercriminal groups linked to Roy/Zeon ransomware, Conti ransomware, and TrickBot. Unlike many of the most prominent ransomware groups of recent years, the developers of Royal are not known to lease the malware to affiliates as a service.[Kroll Royal Deep Dive February 2023]

The Royal group commonly applies double extortion: it threatens to publish data exfiltrated during the intrusion if the victim does not pay. Victim counts differ by source. Public data from the ransomwatch project, which tracks claims posted to ransomware leak sites, suggest the group has claimed roughly 200 victims since Q4 2022, whereas the November 2023 update to the joint CISA/FBI advisory AA23-061A (first published in March 2023) states that Royal “has targeted over 350 known victims worldwide” since September 2022, with cumulative ransom demands exceeding $250 million. Leak-site tallies count only the victims a group chooses to post, so they generally undercount relative to figures compiled by law enforcement.[GitHub ransomwatch][CISA Royal AA23-061A March 2023]
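The leak-site count quoted above can be reproduced from ransomwatch's published data. The following is an added example, not code from this profile or from the ransomwatch project; it assumes the layout of ransomwatch's posts.json (one object per leak-site post with `group_name`, `post_title` and a `discovered` timestamp) and uses constructed sample records rather than real victim data. It dedupes reposted titles, skips records with unparsable dates, and tallies claims per quarter.

```python
"""Tally leak-site victim claims per quarter from ransomwatch-style records.

Added example, not part of the original profile or of the ransomwatch
project. Assumption: posts.json is a list of objects with "group_name",
"post_title" and a "discovered" timestamp formatted
"YYYY-MM-DD HH:MM:SS.ffffff". The records below are constructed.
"""
import json
from collections import Counter
from datetime import datetime

# Constructed sample in the assumed posts.json shape (not real victims).
# For real data, read the contents of ransomwatch's posts.json instead.
SAMPLE_POSTS_JSON = json.dumps([
    {"post_title": "example-corp", "group_name": "royal", "discovered": "2022-11-03 08:12:41.000000"},
    {"post_title": "acme-health", "group_name": "royal", "discovered": "2022-12-19 17:05:02.000000"},
    {"post_title": "contoso-edu", "group_name": "royal", "discovered": "2023-01-07 02:44:19.000000"},
    {"post_title": "fabrikam", "group_name": "royal", "discovered": "2023-02-28 23:59:59.000000"},
    {"post_title": "other-victim", "group_name": "lockbit3", "discovered": "2023-01-15 10:00:00.000000"},
    {"post_title": "bad-record", "group_name": "royal", "discovered": "not-a-date"},
    {"post_title": "Example-Corp", "group_name": "royal", "discovered": "2022-11-04 09:00:00.000000"},
])


def quarter_of(ts):
    """Map a 'YYYY-MM-DD HH:MM:SS.ffffff' timestamp to 'YYYYQn'; None if unparsable."""
    try:
        dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")
    except (ValueError, TypeError):
        return None
    return f"{dt.year}Q{(dt.month - 1) // 3 + 1}"


def claims_by_quarter(posts_json, group="royal", since="2022-09-01"):
    """Count distinct victim posts for `group` per quarter, from `since` onward.

    Returns (tally_by_quarter, skipped_bad_dates, total_distinct).
    Reposts of the same title (case-insensitive) are counted once, and
    records whose date does not parse are skipped rather than guessed.
    """
    posts = json.loads(posts_json)
    seen = set()
    tally = Counter()
    skipped = 0
    for p in posts:
        if p.get("group_name") != group:
            continue
        q = quarter_of(p.get("discovered"))
        if q is None:
            skipped += 1
            continue
        if p["discovered"][:10] < since:  # ISO date prefix compares lexically
            continue
        title = p.get("post_title", "").strip().lower()
        if title in seen:
            continue
        seen.add(title)
        tally[q] += 1
    return dict(sorted(tally.items())), skipped, sum(tally.values())


if __name__ == "__main__":
    by_quarter, bad, total = claims_by_quarter(SAMPLE_POSTS_JSON)
    print(f"{total} distinct claims, {bad} skipped:", by_quarter)
```

Run against the real posts.json, the total for `royal` is the leak-site figure; the gap to the advisory's 350 is expected, because victims who pay before publication, or whose intrusions are reported only to law enforcement, never appear on the leak site.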

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • CyberGate
  • Cyber Eye RAT

Attribution and Evidence

Information pending cataloguing.

References

[Kroll Royal Deep Dive February 2023] Kroll, "Royal Ransomware Deep Dive," February 2023.
[GitHub ransomwatch] ransomwatch project, leak-site victim-claim tracker published on GitHub.
[CISA Royal AA23-061A March 2023] CISA/FBI, "#StopRansomware: Royal Ransomware," Joint Cybersecurity Advisory AA23-061A, March 2023, updated November 2023.