Summary of Royal Ransomware

  • Royal emerged in January 2022.
  • Royal is a tightly controlled and vetted, affiliate-based, ransomware group.
  • Royal is a multi-pronged extortion threat. The attackers exfiltrate all enticing data prior to encrypting devices. Victims are then extorted into paying the ransom to prevent leakage and decrypt their data.
  • Current intelligence suggests prior links to Zeon ransomware.

What Does Royal Ransomware Target?

  • Large enterprises, high-value targets
  • Targeting will vary depending on subscriber (affiliate)

How Does Royal Ransomware Spread?

  • Phish and spear phishing emails
  • Callback phishing
  • Third party framework (e.g., Empire, Metasploit, Cobalt Strike)

Royal Ransomware Technical Details

Royal ransomware is a newly observed ransomware family with possible links to Zeon ransomware. Victims are targeted through email and phone-based phishing scams. The malware enumerates network shares for maximum targeting and deletes Volume Shadow copies prior to encryption to prevent victims using Windows system restore. Encrypted files are marked with the extension “.royal”.

Royal operators are using phishing and other standard techniques to infect devices. Encrypted files are noted with the “.royal” file extension.

Royal enumerates network share and attempts to delete Volume Shadow copies. Once infected, victims are directed to engage with the attacker via a TOR-based payment portal.

How to Detect Royal Ransomware

  • The SentinelOne Singularity XDR Platform detects and prevents malicious behaviors and artifacts associated with Royal ransomware.

How to Mitigate Royal Ransomware

The SentinelOne Singularity XDR Platform detects and prevents malicious behaviors and artifacts associated with Royal

In case you do not have SentinelOne deployed, to mitigate the risk of a Royal Ransomware attack, it is important to take a multi-layered approach, which includes the following steps:

  1. Implement a strong cybersecurity posture, which includes the use of firewalls, antivirus software, and other security controls, to prevent the spread of malware and ransomware.
  2. Conduct regular security audits and assessments, to identify and address vulnerabilities in the network and the system.
  3. Educate and train employees on cybersecurity best practices, including how to identify and avoid phishing emails, and other threats.
  4. Implement a robust backup and recovery plan, to ensure that the organization has a copy of its data, and can restore it in case of an attack.
  5. Have a plan in place to respond to a ransomware attack, including how to contain the threat, and how to restore the system and the data.

How to Remove Royal Ransomware

  • SentinelOne customers are protected from Royal ransomware without any need to update or take action. In cases where the policy was set to Detect Only and a device became infected, remove the infection by using SentinelOne’s unique rollback capability. As the accompanying video shows,  the rollback will revert any malicious impact on the device and restore encrypted files to their original state.