Royal Rumble: Analysis of Royal Ransomware

The Royal ransomware group emerged in early 2022 and has grown globally, deploying through multiple TTPs and affecting organizations worldwide. It uses a partial encryption approach with a flexible percentage, encrypts in a multi-threaded manner, and shows similarities to other operators such as Conti; its high-profile victims include the Silverstone Circuit. #RoyalRansomware #CobaltStrike #BATLOADER #Qbot #SilverstoneCircuit #Conti #BlackCat #Zeon

Keypoints

  • Royal ransomware introduces a unique partial encryption method, encrypting a predetermined portion of files based on a flexible percentage to evade anti-ransomware defenses.
  • Encryption is multi-threaded, speeding up the process by creating multiple writer/encryptor threads depending on system cores.
  • It operates globally and reportedly on its own, with no clear ransomware-as-a-service model or sector/country focus.
  • Initial access often involves phishing campaigns delivering loaders such as BATLOADER and Qbot to download a Cobalt Strike payload.
  • Shadow copies are deleted using Vssadmin.exe to hinder recovery, and the operators monitor defensive measures and adapt accordingly.
  • Extensive exclusion lists are used to protect certain extensions and directories (e.g., .exe, .dll, Windows folders) from encryption, while targeting others for encryption with configurable parameters.

MITRE Techniques

  • [T1566.001] Phishing – “phishing campaigns and uses one of the common e-crime threat loaders, reportedly BATLOADER and Qbot.”
  • [T1105] Ingress Tool Transfer – “downloads a Cobalt Strike payload to continue the malicious operation within the infected environment.”
  • [T1490] Inhibit System Recovery – “will attempt to delete shadow copy backups using the process Vssadmin.exe, with the command line ‘delete shadows /all /quiet’.”
  • [T1016] System Network Configuration Discovery – “First, the ransomware will scan the network interfaces, and if possible, retrieve the different IP addresses for the target machine(s), using the API call GetIpAddrTable.”
  • [T1135] Network Share Discovery – “Enumerating the shared resources of the given IP addresses using the API NetShareEnum. If a shared resource is one of ‘ADMIN$’ or ‘IPC$’, the ransomware will not encrypt it.”
  • [T1021.002] SMB/Windows Admin Shares – “the ransomware will set the port to SMB, and eventually try to connect to the instructed IP addresses via the LPFN_CONNECTEX callback function.”
  • [T1486] Data Encrypted for Impact – “the encryption algorithm uses the OpenSSL library and the AES256 algorithm. After finishing encryption, the file extension changes to ‘.royal’ using the API call MoveFileExW.”
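Two of the behaviours quoted above (the Vssadmin.exe shadow-copy deletion under T1490 and the rename to the ".royal" extension under T1486) are easy to turn into detection rules. The script below is an added example, not code from the Cybereason report; it runs over constructed, simplified process-creation and file-rename events of the kind a SIEM or EDR would normalise, and the event field names are assumptions.

```python
import shlex

# Constructed sample telemetry (not from the original report): simplified
# process-creation and file-rename events; field names are assumed.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "cmdline": "vssadmin.exe list shadows"},
    {"type": "file_rename", "old": r"C:\Users\a\Documents\q1.xlsx",
     "new": r"C:\Users\a\Documents\q1.xlsx.royal"},
    {"type": "file_rename", "old": r"C:\Users\a\Documents\draft.docx",
     "new": r"C:\Users\a\Documents\final.docx"},
]

def is_shadow_copy_deletion(cmdline: str) -> bool:
    """T1490: vssadmin invoked with 'delete shadows' (case/spacing tolerant)."""
    try:
        tokens = [t.strip('"').lower() for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        tokens = cmdline.lower().split()
    # Image may be given as a bare name or a full path; compare the basename.
    if not tokens or not tokens[0].rsplit("\\", 1)[-1].startswith("vssadmin"):
        return False
    return "delete" in tokens and "shadows" in tokens

def is_royal_rename(old_path: str, new_path: str) -> bool:
    """T1486: a file renamed so that it newly gains the '.royal' extension."""
    return new_path.lower().endswith(".royal") and not old_path.lower().endswith(".royal")

def triage(events):
    """Return (technique, detail) alerts for events matching the Royal TTPs."""
    alerts = []
    for ev in events:
        if ev["type"] == "process" and is_shadow_copy_deletion(ev["cmdline"]):
            alerts.append(("T1490", ev["cmdline"]))
        elif ev["type"] == "file_rename" and is_royal_rename(ev["old"], ev["new"]):
            alerts.append(("T1486", ev["new"]))
    return alerts

if __name__ == "__main__":
    for technique, detail in triage(SAMPLE_EVENTS):
        print(technique, detail)
```

A single ".royal" rename is a strong indicator on its own; in practice the T1490 rule should be correlated with the process tree, since administrators also run vssadmin legitimately.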

Indicators of Compromise

  • SHA256 – Royal ransomware binaries – 250bcbfa58da3e713b4ca12edef4dc06358e8986cad15928aa30c44fe4596488, 9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926, c24c59c8f4e7a581a5d45ee181151ec0a3f0b59af987eacf9b363577087c9746, and 6 further hashes listed in the original report

Read more: https://www.cybereason.com/blog/royal-ransomware-analysis