Ransomware Spotlight: Royal
In this section, we examine Royal ransomware’s attempts to compromise organizations since it was first reported in 2022 based on Trend Micro™ Smart Protection Network™ country and regional data. It’s important to note that this data covers only Trend Micro customers and does not contain all victims of Royal.
Threat actors behind Royal focused their attention on the United States, with 485 targeted attack attempts detected, making up 63.5% of the total detections. Brazil follows with 175 registered attack attempts, then Mexico and Malaysia with 31 and 18 detections respectively, while only 11 attack attempts were detected in the United Kingdom.
Among Trend Micro customers who disclosed the industry they operate in, the transportation and manufacturing industries were targeted the most. The technology and education industries, as well as healthcare and government organizations, were also targeted.
Figure 2. Trend Micro customer organizations belonging to the transportation and manufacturing industries experienced the most attack attempts from threat actors behind Royal. (September 2022 – January 2023) Source: Trend Micro™ Smart Protection Network™
Since it was first reported in September 2022, our telemetry data has detected a total of 764 attack attempts by Royal across Trend Micro customers.
Figure 3. A monthly breakdown of detected Royal ransomware attempted attacks in terms of infected machines (September 2022 – January 2023) Source: Trend Micro™ Smart Protection Network™
This section looks at data based on attacks recorded on the leak site of Royal ransomware’s operators. The following data represents organizations successfully infiltrated by Royal ransomware that had refused to pay the ransom demand as of this writing.
Based on a combination of Trend Micro’s open-source intelligence (OSINT) research and investigation of the leak site, Royal ransomware compromised a total of 90 organizations. Of these, 64 were organizations operating from North America, while 15 were from Europe. Enterprises in Latin America and the Caribbean, Asia-Pacific, Africa, and the Middle East were also compromised.
Figure 4. The distribution by region of Royal ransomware’s victim organizations
Source: Royal ransomware’s leak site and Trend Micro’s OSINT research (November 2022 – January 2023)
The United States had the most victim organizations, with 54 compromised organizations, while 10 Canadian enterprises were also affected. Germany, Australia, and Brazil round out the top five countries most targeted by threat actors behind Royal.
Figure 5. The top 10 countries most targeted by the Royal ransomware group
Source: Royal ransomware’s leak site and Trend Micro’s OSINT research (November 2022 – January 2023)
The majority of Royal ransomware victim organizations were small to medium-sized businesses, and only a small portion were large enterprises.
Figure 6. The distribution by organization size of Royal ransomware’s victim organizations
Source: Royal ransomware’s leak site and Trend Micro’s OSINT research (November 2022 – January 2023)
Among the identified sectors of Royal ransomware victim organizations, the IT, finance, materials, healthcare, and food and staples industries were its top targets.
Figure 7. The top 10 industries most targeted by Royal ransomware threat actors
Source: Royal ransomware’s leak site and Trend Micro’s OSINT research (November 2022 – January 2023)
External reports mention that one of the arrival methods of Royal ransomware is a callback phishing scam in which victims are tricked into installing remote desktop software. This method is similar to the techniques used by the Conti group.
| Initial Access | Execution | Defense Evasion | Discovery | Exfiltration | Lateral Movement | Command and Control | Impact |
|---|---|---|---|---|---|---|---|
| T1566 - Phishing | T1059 - Command and Scripting Interpreter | T1562.001 - Impair Defenses: Disable or Modify Tools; T1112 - Modify Registry | T1069 - Permission Groups Discovery: Domain Groups; T1018 - Remote System Discovery | T1567 - Exfiltration Over Web Service | T1570 - Lateral Tool Transfer | T1095 - Non-Application Layer Protocol | T1490 - Inhibit System Recovery; T1486 - Data Encrypted for Impact |
Security teams should take note of and observe the presence of the following malware and tools typically used in Royal ransomware attacks:
Backed by threat actors from Conti, Royal ransomware is poised to wreak havoc in the threat landscape after becoming one of the most prolific ransomware groups within three months of first being reported. Combining new and old techniques and quick to evolve, Royal poses a high-stakes threat to enterprises. Organizations are advised to stay vigilant against such threats.
To protect systems against Royal ransomware and other similar threats, organizations can implement security frameworks that allocate resources systematically to establish a strong defense strategy.
Here are some best practices that organizations can adopt to defend against Royal ransomware:
A multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can in turn help protect enterprises.
The IOCs for this article can be found here. Actual indicators might vary per attack.