Royal

Royal is ransomware that first appeared in early 2022; a version that also targets ESXi servers was later observed in February 2023. Royal employs partial encryption and multiple threads to evade detection and speed up encryption. Royal has been used in attacks against multiple industries worldwide, including critical infrastructure. Security researchers have identified similarities in the encryption routines and TTPs used in Royal and Conti attacks and noted a possible connection between their operators.[1][2][3][4][5]

ID: S1073
Type: MALWARE
Platforms: Windows
Contributors: Wataru Takahashi, NEC Corporation; Pooja Natarajan, NEC Corporation India; Manikantan Srinivasan, NEC Corporation India
Version: 1.0
Created: 30 March 2023
Last Modified: 17 April 2023

Techniques Used

Domain ID Name Use
Enterprise T1486 Data Encrypted for Impact

Royal uses a multi-threaded encryption process that can partially encrypt targeted files with the OpenSSL library and the AES256 algorithm.[2][3][4]
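Partial (intermittent) encryption is worth seeing as code because it explains both the speed gain and why a whole-file entropy check misses it. The block below is an added example, not Royal's code and not taken from the cited reports: it encrypts every other fixed-size segment of a buffer and then measures entropy per segment, which is the detection-side counterpart the reports do not spell out. The segment size, key, plaintext and the SHA-256 counter-mode keystream (standing in for OpenSSL AES-256, which the Python standard library does not provide) are all assumptions made for the demo.

```python
import hashlib
import math

# All values below are constructed for this demo; none are Royal's real parameters.
CHUNK = 1024                                   # assumed segment size
KEY = hashlib.sha256(b"demo key").digest()     # 32-byte demo key
PLAINTEXT = (b"Quarterly figures: revenue up, costs flat. " * 400)[:16 * CHUNK]


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """SHA-256 in counter mode, used here as a deterministic stand-in for an
    AES-256 keystream so the example runs on the standard library alone."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = key + nonce.to_bytes(8, "little") + counter.to_bytes(8, "little")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:length])


def partial_encrypt(data: bytes, key: bytes, every: int = 2) -> bytes:
    """Intermittent encryption: split data into CHUNK-byte segments and XOR-encrypt
    only every `every`-th segment (every=1 encrypts the whole buffer).  The segment
    index is the nonce, so each encrypted segment gets its own keystream.  Applying
    the function twice with the same key restores the plaintext."""
    out = bytearray()
    for n, start in enumerate(range(0, len(data), CHUNK)):
        seg = data[start:start + CHUNK]
        if n % every == 0:
            seg = bytes(a ^ b for a, b in zip(seg, keystream(key, n, len(seg))))
        out += seg
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes) -> list:
    return [shannon_entropy(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)]


def high_entropy_chunks(data: bytes, threshold: float = 7.5) -> int:
    """Detection-side check: count segments that look like ciphertext.  A single
    whole-file entropy threshold is diluted by the untouched segments; a per-segment
    count is not."""
    return sum(1 for e in chunk_entropies(data) if e >= threshold)


if __name__ == "__main__":
    partial = partial_encrypt(PLAINTEXT, KEY)
    full = partial_encrypt(PLAINTEXT, KEY, every=1)
    for label, buf in (("plaintext", PLAINTEXT), ("partial", partial), ("full", full)):
        print(f"{label:10s} whole-file entropy={shannon_entropy(buf):.2f} "
              f"ciphertext-like segments={high_entropy_chunks(buf)}/{len(chunk_entropies(buf))}")
```

The half-encrypted buffer lands well below the whole-file entropy of a fully encrypted one, which is the evasion effect; counting high-entropy segments instead of averaging over the file is what recovers the signal.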

Enterprise T1083 File and Directory Discovery

Royal can identify specific files and directories to exclude from the encryption process.[2][3][4]

Enterprise T1489 Service Stop

Royal can use the Restart Manager API (RmShutDown) to stop applications and services that hold open handles to the files targeted for encryption, so that those files can be opened for writing.[2]

Enterprise T1106 Native API

Royal can use multiple APIs for discovery, communication, and execution.[2]

Enterprise T1082 System Information Discovery

Royal can use GetNativeSystemInfo and GetLogicalDrives to enumerate system processors and logical drives.[2][4]

Enterprise T1490 Inhibit System Recovery

Royal can delete shadow copy backups with vssadmin.exe using the command delete shadows /all /quiet.[2][3][5]
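The vssadmin command above is one of the most dependable host-level signals of a ransomware run, so here is a small detection check over process-creation events. This is an added example, not part of the ATT&CK entry or any cited report: the five Sysmon-style Event ID 1 lines are constructed, the field names (Image, CommandLine, ParentImage) mirror Sysmon's, and the second rule, covering the WMIC shadowcopy delete equivalent, goes beyond the Royal entry, which cites only vssadmin.

```python
import re

# Constructed sample events (Sysmon Event ID 1 fields flattened to key=value lines).
# These are not logs from a real Royal incident.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet" ParentImage=C:\Users\a\AppData\Local\Temp\update.exe',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin list shadows" ParentImage=C:\Windows\System32\cmd.exe',
    r'EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete" ParentImage=C:\Windows\System32\cmd.exe',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe notes.txt" ParentImage=C:\Windows\explorer.exe',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="VSSADMIN  Delete  Shadows  /For=C:  /Quiet" ParentImage=C:\Windows\System32\svchost.exe',
]

# key=value pairs; a value is either a double-quoted string or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Rule name and a case-insensitive pattern over the command line.  Whitespace is
# matched with \s+ and the .exe suffix is optional, so casing or padding tricks
# do not evade the match.  The wmic rule is the common equivalent (an assumption
# beyond what the Royal entry documents).
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
]


def parse_event(line: str) -> dict:
    """Turn one flattened event line into a field dictionary."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def detect(lines) -> list:
    """Return one alert per event whose command line matches a rule.  The alert
    keeps the parent image (an unexpected parent such as a Temp-directory binary
    is the triage hint) and flags the exact /all /quiet form Royal is reported to use."""
    alerts = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append({
                    "index": idx,
                    "rule": name,
                    "command": cmd,
                    "parent": ev.get("ParentImage", ""),
                    "all_quiet": bool(re.search(r"/all\b", cmd, re.I))
                    and bool(re.search(r"/quiet\b", cmd, re.I)),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] parent={alert['parent']} all_quiet={alert['all_quiet']} :: {alert['command']}")
```

Note that `vssadmin list shadows` is deliberately not matched: listing is routine administration, and alerting on every vssadmin invocation buries the deletion in noise.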

Enterprise T1016 System Network Configuration Discovery

Royal can enumerate IP addresses using GetIpAddrTable.[2]

Enterprise T1135 Network Share Discovery

Royal can enumerate the shared resources of a given IP address using the API call NetShareEnum.[2]

Enterprise T1046 Network Service Discovery

Royal can scan the network interfaces of targeted systems.[2]

Enterprise T1057 Process Discovery

Royal can call GetCurrentProcess as part of its process discovery.[2] Note that GetCurrentProcess returns a pseudo-handle to the calling process itself rather than enumerating other processes on the host.

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Royal can connect over SMB to move laterally.[2]

Enterprise T1566 Phishing

Royal has been spread through the use of phishing campaigns including "call back phishing" where victims are lured into calling a number provided through email.[2][3][5]

Enterprise T1095 Non-Application Layer Protocol

Royal establishes a TCP socket for C2 communication using the API WSASocketW.[2]

References