Ransomware Spotlight: Royal


By Trend Micro Research

Backed by threat actors from Conti, Royal ransomware became one of the most prolific ransomware groups within three months since it was first reported by using new and old techniques.

View infographic of View infographic of "Ransomware Spotlight: Royal"

Royal ransomware made the rounds in researcher circles on social media in September 2022 after a cybersecurity news site published an article reporting how threat actors behind the ransomware group were targeting multiple corporations through the use of targeted callback phishing techniques.

The Royal ransomware group has been observed using a mix of old and new techniques. They use callback phishing to lure victims into installing remote desktop malware, which allows threat actors to infiltrate the victim’s machine with relative ease. This suggests that actors behind the group are hardened and skilled through experience.

On the other hand, their use of intermittent encryption to speed up encryption of the victim’s files while evading sensors that rely on heavy file IO operations detection imply extensive knowledge of the threat landscape.

What organizations need to know about Royal ransomware

The ransomware family, which was initially dubbed as “Zeon” before it was rebranded as “Royal,” was first observed in September last year, but one report suggests it may have been active since January 2022.

In its early campaigns, Royal deployed BlackCat’s encryptor, but later shifted to its own which dropped ransom notes similar to Conti’s. After rebranding from Zeon to Royal, they began using the latter in its ransom notes generated by its own encryptor.

Royal ransomware hit the ground running, making the list of most prolific ransomware groups in the fourth quarter of 2022, with only LockBit and BlackCat ahead of it. According to data from the ransomware groups’ leak sites, the highest numbers of successful attacks in the three-month span were campaigns carried out by the three, 10.7% of which are attributed to Royal. Its threat actors being an offshoot from Conti may be the reason for its quick claim to fame as soon as it made headlines in the ransomware landscape.

On Dec. 7, 2022, healthcare organizations were warned by the US Department of Health and Human Services (HHS) against Royal ransomware threats. A report mentioned that ransom demands from Royal range from US$250,000 to over US$2 million. Royal is reportedly a private group with no affiliates.

Just this month, the United States Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory containing tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect and defend against Royal ransomware attacks. According to a CISA alert, Royal ransomware attacks have “spread across numerous ’critical infrastructure sectors;’” these sectors include the chemical sectors, communications ang critical manufacturing sectors, dams, defense industrial bases, financial services and emergency services sectors, as well as healthcare and nuclear reactors, waste, and materials sectors, among others.

While the FBI and CISA discourages victims from paying ransom to prevent “emboldening adversaries to target additional organizations,” they urged for all victims within their jurisdiction to report ransomware incidents to local FBI offices or CISA regardless of whether a ransom was paid or not.

Apart from making headlines, Royal has also been observed to be quick in adapting to new tactics: ransomware actors have been expanding their targets by developing Linux-based variants, and Royal ransomware is among the groups who have evolved quickly to ride this train. Royal’s Linux counterpart also targets ESXi servers, a target expansion which can create a big impact on victimized enterprise data centers and virtualized storage.

Top affected countries and industries
according to Trend Micro data

In this section, we examine Royal ransomware’s attempts to compromise organizations since it was first reported in 2022 based on Trend Micro™ Smart Protection Network™ country and regional data. It’s important to note that this data covers only Trend Micro customers and does not contain all victims of Royal.

Threat actors behind Royal focused their attention on the United States, with 485 target attack attempts detected, making up 63.5% of the total detections. Brazil follows with 175 registered attack attempts, followed by Mexico and Malaysia with 31 and 18 detections respectively, while there were only 11 attack attempts detected in the United Kingdom.

Figure 1. The top 10 countries from a total of 764 detected attack attempts in terms of infected machines for Royal ransomware (September 2022 – January 2023) Source: Trend Micro™ Smart Protection Network™ ™

Among Trend Micro customers who disclosed what industry they are involved in, the transportation and manufacturing industries were targeted the most. The technology and education industries, as well as healthcare and government organizations were also targeted.

Figure 2. Trend Micro customer organizations belonging to the transportation and manufacturing industries experienced the most attack attempts from threat actors behind Royal. (September 2022 – January 2023) Source: Trend Micro™ Smart Protection Network™ ™

Since it was first reported in September 2022, our telemetry data has detected a total of 764 attack attempts by Royal across Trend Micro customers.

Figure 3. A monthly breakdown of detected Royal ransomware attempted attacks in terms of infected machines (September 2022 – January 2023) Source: Trend Micro™ Smart Protection Network™ ™

Targeted regions and industries
according to Royal ransomware’s leak site

This section looks at data based on attacks recorded on the leak site of Royal ransomware’s operators. The following data represents organizations successfully infiltrated by Royal ransomware, which have refused to pay the ransom demand as of writing.

Based on a combination of Trend Micro’s open-source intelligence (OSINT) research and investigation of the leak site, Royal ransomware compromised a total of 90 organizations. Of these, 64 were organizations operating from North America, while 15 were from Europe. Enterprises in Latin America and the Caribbean, Asia-Pacific, Africa, and Middle East were also compromised.

Figure 4. The distribution by region of Royal ransomware’s victim organizations
Source: Royal ransomware’s leak site and Trend Micro’s OSINT research (November 2022 – January 2023)

The United States had the most victim organizations with 54 compromised organizations, while 10 Canadian enterprises were also jeopardized. Germany, Australia, and Brazil round up the top five countries most targeted by threat actors behind Royal.

Figure 5. The top 10 countries most targeted by the Royal ransomware group
Source: Royal ransomware’s leak site and Trend Micro’s OSINT research (November 2022 – January 2023)

The majority of Royal ransomware victim organizations were small to medium-sized businesses, and only a small portion were large enterprises.

Figure 6. The distribution by organization size of Royal ransomware’s victim organizations
Source: Royal ransomware’s leak site and Trend Micro’s OSINT research (November 2022 – January 2023)

Among the identified sectors of Royal ransomware victim organizations, the IT, finance, materials, healthcare, and food and staples industries were its top targets.

Figure 7. The top 10 industries most targeted by Royal ransomware threat actors
Source: Royal ransomware’s leak site and Trend Micro’s OSINT research (November 2022 – January 2023)

Infection chain and techniques

Royal ransomware’s attack flow

Figure 8. Royal ransomware’s attack flow

Initial Access

  • External reports mention that one of the arrival methods of Royal Ransomware is via the Callback Phishing scam where victims are tricked into installing remote desktop software. This method is similar to the techniques used by the Conti group.

  • We have also recently observed Royal arriving from Batloader and IcedID malware.

Defense Evasion

  • Upon successful installation of a remote software, attackers usually use tools like PCHunter, Process Hacker, GMER, or PowerTool to manually uninstall AV products installed on the target system.


  • Attackers also use tools like NetScan and AdFind along with windows net.exe and nltest.exe to gain information of the victims Active Directory and connected remote systems.
  • We have also observed Royal ransomware actors using Advanced Port Scanner, a free network scanner, to find and open ports.

Lateral Movement and Command and Control

  • Royal ransomware has also been observed to use Cobalt Strike and Qakbot to pivot on target machines and deploy other tools and payloads.
  • Our observations from Royal ransomware activity also saw dual use agents, such as Connectwise, Splashtop, Atera, and Syncro, to connect to victim environments and execute malicious processes.


  • Rclone was found on the victim machines; the program is usually used to exfiltrate stolen information.


    • Royal Ransomware requires an “-id” argument to execute; this is any 32-character-long argument. It also accepts a “path” argument for target encryption, and the “-ep” argument which indicates the encryption percentage for large files to encrypt.
    • Encryption can be on local and network paths; the latest Royal ransomware variant has an option to choose either local, network or both.
    • Shadow copies are also deleted using the vssadmin tool.

Figure 9. A Royal ransomware ransom note

MITRE tactics and techniques

Initial AccessExecutionDefense EvasionDiscoveryExfiltrationLateral MovementCommand and ControlImpact

T1566 - Phishing
Royal ransomware threat actors perform callback phishing scams to trick users into installing remote desktop malware.

T1059 - Command and Scripting Interpreter
Royal ransomware binaries require an "-id" parameter to execute. This -id can be anything, as long as it is 32 characters long. It also accepts other arguments for its other routines.

T1562.001 - Impair Defenses: Disable or Modify Tools
Royal has been observed to have used ProcessHacker, GMER, PC Hunter, or PowerTool to disable or uninstall AV products.

T1112 - Modify Registry
Royal uses a batch file to modify registry to allow remote desktop connection.

T1069 - Permission Groups Discovery: Domain groups
Royal uses AdFind and windows command net and nltest to gain information regarding the domain.

T1018 - Remote System Discovery
Royal uses netscan to gather remote systems connected in the network.

T1567 - Exfiltration Over Web Service
Royal uses rclone to exfiltrate stolen information over web service.

T1570 - Lateral Tool Transfer
Royal uses Cobalt Strike and Qakbot to deliver other tools and payload.

T1095 - Non-Application Layer Protocol
Cobalt Strike and Qakbot communicate with its C2 over HTTPS to deliver the other tools and payload

T1490 - Inhibit System Recovery
Royal then deletes shadow copies to inhibit recovery.

T1486 - Data Encrypted for Impact
Royal encrypts its victim’s files.
Royal avoids encrypting files with the following strings in their file path:

- $recycle.bin
- $windows.~bt
- $windows.~ws
- boot
- google
- mozilla
- perflogs
- tor browser
- windows
- windows.old
- royal

Royal also avoids encrypting files with the following strings in their file name:
- README.txt

In addition, Royal avoids encrypting files with the following extensions:

- .exe
- .dll
- .bat
- .lnk
- .royal

Summary of malware, tools, and exploits used

Security teams should take note of and observe the presence of the following malware and tools typically used in Royal ransomware attacks:


  • PsExec
  • NetScan
  • AdFind
  • CobaltStrike
  • PCHunter
  • Process Hacker
  • GMER
  • PowerTool
  • RDPEnable
  • RClone
  • Connectwise
  • Splashtop
  • Atera
  • Syncro
  • Advanced Port Scanner


  • Batloader
  • IcedID


Backed by threat actors from Conti, Royal ransomware is poised to wreak havoc in the threat landscape after it became one of the most prolific ransomware groups within the three months since it was first reported. Combining new and old techniques and quick to evolve, Royal poses a high-stakes threat to enterprises. Organizations are recommended to stay vigilant against such threats.

To protect systems against Royal ransomware and other similar threats, organizations can implement security frameworks that allocate resources systematically to establish a strong defense strategy.

Here are some best practices that organizations can adopt to defend against Royal ransomware:

Audit and inventory

  • Take an inventory of assets and data
  • Identify authorized and unauthorized devices and software
  • Audit event and incident logs

Configure and monitor

  • Manage hardware and software configurations
  • Grant admin privileges and access only when necessary to an employee’s role
  • Monitor network ports, protocols, and services
  • Activate security configurations on network infrastructure devices such as firewalls and routers
  • Establish a software allowlist that only executes legitimate applications

Patch and update

  • Conduct regular vulnerability assessments
  • Perform patching or virtual patching for operating systems and applications
  • Update software and applications to their latest versions

Protect and recover

  • Implement data protection, backup, and recovery measures
  • Enable multifactor authentication (MFA)

Secure and defend

  • Employ sandbox analysis to block malicious emails
  • Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network
  • Discover early signs of an attack, such as the presence of suspicious tools in the system
  • Use advanced detection technologies such as those powered by AI and machine learning

Train and test

  • Regularly train and assess employees’ security skills
  • Conduct red-team exercises and penetration tests

A multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can in turn help protect enterprises.

  • Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before ransomware can do irreversible damage to the system.
  • Trend Micro Cloud One™ – Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
  • Trend Micro™ Deep Discovery™ – Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
  • Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.

Indicators of Compromise (IOCs)

The IOCs for this article can be found here. Actual indicators might vary per attack.

Trend Micro Vision One Hunting Query

Trend Vision One customers can use the following hunting query to check if their network/system is possibly affected by Royal ransomware:

(processCmd:"?:*\\psexec.exe" AND objectFilePath:"*.exe*-id *") OR fullPath:"*.royal_?"

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.