The Royal Ransomware encrypts files across all volumes, including network shares, using .Royal, .Royal_w, or .royal_u extensions and a tor-based README.TXT for attacker contact. It combines AES with a RSA public key embedded in the executable, deletes shadow copies, and uses targeted process and drive enumeration to maximize impact. #RoyalRansomware #Conti
Keypoints
- Royal Ransomware first appeared mid-2022 and encrypts all volumes, including network shared drives, with unique file extensions like .Royal and .Royal_w.
- Ransom notes appear as README.TXT containing a tor link for attacker communication, indicating use of Tor for ransom-related exchanges.
- Encryption uses AES with RSA for key/IV protection; the RSA public key is embedded in the executable, and encryption behavior depends on the -ep parameter.
- Shadow copies are deleted to hinder system restoration (vssadmin.exe Delete Shadows /All /Quiet).
- The malware creates exclusion lists for certain extensions and directories to avoid encrypting specific files, and enumerates drives before encrypting.
- It uses system and process discovery/management techniques (GetNativeSystemInfo, Restart Manager, RmGetList, RmShutDown) to optimize encryption and terminate competing processes as needed.
MITRE Techniques
- [T1059] Command and Scripting Interpreter β βOn initial execution, the Royal ransomware takes the command line arguments; Path, id, and ep, where the id is a 32-bit array, and ep is the encryption percentage.β
- [T1490] Inhibit System Recovery β βVolume shadow copies are deleted to prevent system restoration.β
- [T1083] File and Directory Discovery β βIt enumerates the Drives with the API call GetLogicalDrives and adds the README.TXT in each drive.β
- [T1082] System Information Discovery β βThe ransomware uses the GetNativeSystemInfo API to retrieve the number of processors in a machine, then it multiplies the result by two and creates a number of threads.β
- [T1486] Data Encrypted for Impact β βRSA public key for encrypting AES key and IV. And the RSA Public key is embedded in the executable.β
- [T1489] Service Stop β βProcess kill through RmShutDown APIβ
Indicators of Compromise
- [File hash] Royal Ransomware IOCs β 250BCBFA58DA3E713B4CA12EDEF4DC06358E8986CAD15928AA30C44FE4596488, 15D4A2FC500DFA55A64221A0A38D9C47510D8D348D3289C89D26E6184DDD51FF, 491C2B32095174B9DE2FD799732A6F84878C2E23B9BB560CD3155CBDC65E2B80, 312F34EE8C7B2199A3E78B4A52BD87700CC8F3AA01AA641E5D899501CB720775, 87EED751035A0BCCE040079E48545A7265E1A0C7D4BCAF0B37A8A70D833FEAFC, 42EEC2B721E59640D7B88202B80D2D9A5C84BF34534396098A497A60EF5EBB97, 8E01ECF9D804454F34EECEB0F7793F4884BE8868886A646526419FC2E2BBB648, BED8C25DD445B9B9A782291C00F9839890A09459A2A568153491B2F47BBD1463
Read more: https://blogs.quickheal.com/deep-dive-into-royal-ransomware/