Royal Ransomware Goes for High-Profile Targets
A relatively new ransomware threat actor is making big moves and attracting attention. The group's presence was first spotted in early 2022, and Royal has been active since.
What sets Royal apart from most ransomware operations is that this threat actor does not lease out its tools and infrastructure to affiliates but instead works privately. Additionally, Royal goes after high-stake hits, with ransoms ranging from a quarter of a million to around two million dollars.
At first, the ransomware notes were signed using the name Zeon, after the threat actor's own encryption tool, but this changed to Royal in fall 2022. What is noteworthy is that before resorting to writing its own encryption tools, Royal used ransom notes that were structured similarly to Conti gang notes.
It is believed that Royal uses sophisticated phishing attacks to gain initial access, using live phone operators and impersonating various entities. Victims who get on the phone with Royal's operators are persuaded to install remote control applications, which the attackers then use to gain an initial foothold in the target's network.
Once Royal is inside, it's business as usual: the operators establish persistence and move laterally across the network before deploying the encryption tools. The ransomware appends the ".royal" extension to encrypted files and drops a ransom note in a file called "README.TXT", which tells victims to contact the threat actor through an Onion page.
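The two host-level indicators the article names (the ".royal" extension on encrypted files and the "README.TXT" ransom note) are easy to sweep for during triage. The script below is an added example written for this page, not code from the article or from any vendor; it walks a directory tree, counts files carrying each indicator and reports which directories are affected so a responder can gauge how far encryption spread. The sample directory layout it builds is constructed for the demonstration and contains placeholder text only.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: encrypted files get the ".royal" extension
# and the ransom note is dropped as "README.TXT".
ROYAL_EXTENSION = ".royal"
RANSOM_NOTE_NAME = "README.TXT"


def scan_for_royal_indicators(root):
    """Walk `root` and return counts of files carrying the Royal indicators.

    The result lists the number of ".royal" files, the number of README.TXT
    notes, and the directories (relative to `root`) that contain either, so a
    responder can see how far the encryption spread across the share or host.
    """
    root = Path(root)
    encrypted = []
    notes = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            # Case-insensitive checks: Windows file systems are case-insensitive
            # and the note name may be written in mixed case.
            if name.lower().endswith(ROYAL_EXTENSION):
                encrypted.append(path)
            elif name.upper() == RANSOM_NOTE_NAME:
                notes.append(path)
    affected = {str(p.parent.relative_to(root)) for p in encrypted + notes}
    return {
        "encrypted_files": len(encrypted),
        "ransom_notes": len(notes),
        "affected_dirs": sorted(affected),
    }


def build_sample_tree():
    """Create a constructed directory tree that mimics a post-encryption host.

    Everything here is placeholder data for the demo, not real malware output:
    two "encrypted" spreadsheets and a note in finance/, an untouched file in
    hr/, and a second note at the top level.
    """
    base = Path(tempfile.mkdtemp(prefix="royal_demo_"))
    (base / "finance").mkdir()
    (base / "hr").mkdir()
    (base / "finance" / "q3.xlsx.royal").write_text("placeholder")
    (base / "finance" / "budget.docx.royal").write_text("placeholder")
    (base / "finance" / "README.TXT").write_text("constructed sample note")
    (base / "hr" / "staff.csv").write_text("untouched file")
    (base / "README.TXT").write_text("constructed sample note")
    return base


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print(scan_for_royal_indicators(sample_root))
```

Run against a real share, the "affected_dirs" list is the useful output: it shows where the note was dropped and where the ".royal" files cluster, which is the first step in scoping an incident before any containment or restore work begins. Point it at a mounted copy or a forensic image rather than a live, still-compromised host.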