Threat Assessment: Royal Ransomware

Royal ransomware is a private group formed by former Conti members that has targeted critical infrastructure, notably healthcare, since September 2022. It uses BATLOADER to drop a Cobalt Strike beacon and has expanded to a Linux/ESXi variant, with public extortion via a leak site and social media presence. #RoyalRansomware #Conti #BATLOADER #CobaltStrike #LinuxVariant #ESXi #LockerRoyal

Key Points

  • Royal operates as a private group rather than a ransomware-as-a-service (RaaS), composed of former Conti members (Team One).
  • Victims span manufacturing, healthcare, and education sectors, with at least 157 organizations claimed on their leak site since 2022.
  • Initial access includes SEO poisoning and malvertising, followed by a BATLOADER dropper that loads Cobalt Strike beacons.
  • A Linux/ESXi variant uses similar encryption logic (AES-256, RSA-4096) with plaintext strings and no obfuscation.
  • Active extortion via a leak site and social media (e.g., Twitter account “LockerRoyal”).
  • Infection chain often includes PowerShell scripts, MSI usage, AdFind for AD discovery, and BATLOADER delivering additional payloads like VidarStealer/Ursnif/Redline.

MITRE Techniques

  • [T1189] Drive-by Compromise – Drive-by access via SEO poisoning and malvertising used as initial access vectors. Quote: “…SEO poisoning and malvertising were used as initial access vectors…”
  • [T1105] Ingress Tool Transfer – BATLOADER downloads additional payloads (VidarStealer, Ursnif/ISFB, Redline), and loads Cobalt Strike as a precursor to ransomware distribution. Quote: “BATLOADER will then attempt to download further payloads to the infected machine, such as VidarStealer, Ursnif/ISFB and Redline Stealer… BATLOADER has been seen loading Cobalt Strike…”
  • [T1562.001] Impair Defenses – Defense evasion by disabling security tooling and cleaning traces. Quote: “PowerTool… batch scripts to disable security-related services, and deleted shadow file copies and logs after successful exfiltration.”
  • [T1021.002] SMB/Windows Admin Shares – Lateral movement using PsExec within infected environments. Quote: “PsExec for conducting lateral movement within the infected environments.”
  • [T1046] Network Service Scanning – Discovery of networked resources using NetScan. Quote: “network discovery software NetScan to identify and map out various connected computer resources…”
  • [T1572] Protocol Tunneling – Chisel TCP/UDP tunneling tool used to maintain C2. Quote: “Chisel, a TCP/UDP tunneling tool written in Golang.”
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration via legitimate tools like Rclone before encryption. Quote: “Rclone, a legitimate tool to manage files between two systems, for exfiltrating stolen data before the deployment of ransomware.”
  • [T1059.003] Windows Command Shell – Use of cmd.exe to run vssadmin for shadow copy deletion during encryption. Quote: “the ransomware then will create a cmd.exe process with the parameter to execute vssadmin delete shadows /all /quiet.”
  • [T1490] Inhibit System Recovery – Deleting shadow copies to hinder restoration. Quote: “…delete shadows /all /quiet” (vssadmin).
  • [T1033] Account Discovery – Use of Active Directory query tool AdFind to enumerate AD information. Quote: “the Active Directory query tool AdFind…”

Indicators of Compromise

  • [Hash] context – 595c869f8ec7eaf71fef44bad331d81bb934c886cdff99e1f013eec7acdaf8c9, 12a6d61b309171b41347d6795002247c8e2137522a756d35bb8ece5a82fc3774 and 3 more hashes
  • [Domain] context – royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion
  • [Domain] context – altocloudzone.live, and 7 more domains
  • [Filename] context – svchost.exe, README.TXT
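As an added example that is not part of the Unit 42 assessment, the Python pass below runs the detection logic implied by the technique list and the indicator list above over a few constructed process-creation events. It flags the command lines the report quotes (vssadmin shadow deletion, AdFind, PsExec, Rclone, Chisel, NetScan), matches two of the page's hashes and the listed domains, treats the svchost.exe filename indicator as meaningful only when the image sits outside the Windows system directories, and then places each host in the intrusion stage the report's chain suggests (discovery, Rclone exfiltration before ransomware, shadow deletion at encryption time). The event schema, the sample events, the regular expressions and the staging heuristic are assumptions of this example, not anything from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the page: two of the five published hashes, the
# leak-site onion domain and one of the listed domains. Everything else in
# this file is constructed for the example.
KNOWN_HASHES = {
    "595c869f8ec7eaf71fef44bad331d81bb934c886cdff99e1f013eec7acdaf8c9",
    "12a6d61b309171b41347d6795002247c8e2137522a756d35bb8ece5a82fc3774",
}
KNOWN_DOMAINS = {
    "royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion",
    "altocloudzone.live",
}
# A genuine svchost.exe lives here; the filename indicator only matters elsewhere.
SYSTEM_DIRS = (r"c:\windows\system32\\".rstrip("\\") + "\\", r"c:\windows\syswow64\\".rstrip("\\") + "\\")

# (technique id as listed on the page, description, regex over the lowercased
# "image cmdline" string). Assumed patterns, kept deliberately narrow.
RULES = [
    ("T1490", "vssadmin shadow copy deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet")),
    ("T1033", "AdFind Active Directory enumeration",
     re.compile(r"(^|\\)adfind(\.exe)?\b")),
    ("T1021.002", "PsExec / PSEXESVC remote execution",
     re.compile(r"(^|\\)psexe(c|svc)(\.exe)?\b")),
    ("T1041", "Rclone file transfer (exfiltration)",
     re.compile(r"(^|\\)rclone(\.exe)?\b.*\b(copy|sync|move)\b")),
    ("T1572", "Chisel tunnel",
     re.compile(r"(^|\\)chisel(\.exe)?\b.*\b(client|server)\b")),
    ("T1046", "NetScan network discovery",
     re.compile(r"(^|\\)netscan(\.exe)?\b")),
]


@dataclass(frozen=True)
class Finding:
    host: str
    tag: str      # MITRE id from the page, or "IoC:<kind>"
    detail: str


def _findings_for(event):
    """Yield every rule and indicator hit for one constructed event dict."""
    host = event["host"]
    image = event.get("image", "").lower()
    text = f"{image} {event.get('cmdline', '')}".lower()
    for tech, desc, pattern in RULES:
        if pattern.search(text):
            yield Finding(host, tech, desc)
    if event.get("sha256", "").lower() in KNOWN_HASHES:
        yield Finding(host, "IoC:hash", event["sha256"])
    for dom in event.get("dns", []):
        if dom.lower() in KNOWN_DOMAINS:
            yield Finding(host, "IoC:domain", dom)
    # svchost.exe is listed as a filename IoC; only a copy outside the
    # system directories is worth raising.
    if image.endswith("\\svchost.exe") and not image.startswith(SYSTEM_DIRS):
        yield Finding(host, "IoC:filename", image)


def scan(events):
    """Return all findings across a list of event dicts."""
    return [f for ev in events for f in _findings_for(ev)]


def triage(events):
    """Map each host with at least one finding to its sorted list of tags."""
    per_host = defaultdict(set)
    for f in scan(events):
        per_host[f.host].add(f.tag)
    return {host: sorted(tags) for host, tags in per_host.items()}


def stage(tags):
    """Assumed heuristic following the report's chain: shadow deletion or a
    known ransomware hash means encryption has started; Rclone precedes it."""
    tags = set(tags)
    if "T1490" in tags or "IoC:hash" in tags:
        return "impact"
    if "T1041" in tags:
        return "exfiltration"
    if tags:
        return "pre-ransomware"
    return "none"


# Constructed sample events (Sysmon-like process creation plus a DNS field).
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"host": "ws-01", "image": r"C:\Users\Public\svchost.exe", "cmdline": "svchost.exe",
     "sha256": "595c869f8ec7eaf71fef44bad331d81bb934c886cdff99e1f013eec7acdaf8c9"},
    {"host": "srv-02", "image": r"C:\Tools\AdFind.exe",
     "cmdline": "AdFind.exe -f (objectcategory=person)"},
    {"host": "srv-02", "image": r"C:\Tools\rclone.exe",
     "cmdline": "rclone.exe copy D:\\share remote:bucket --transfers 32"},
    {"host": "srv-03", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "dns": ["example.com"]},
    {"host": "srv-03", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for host, tags in triage(SAMPLE_EVENTS).items():
        print(f"{host}: stage={stage(tags)} tags={tags}")
```

The rules are intentionally narrow so that the legitimate svchost.exe and notepad.exe events on srv-03 produce nothing; in a real pipeline the same per-host grouping is what turns isolated hits (AdFind alone is common in administration) into a sequence worth escalating.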

Read more: https://unit42.paloaltonetworks.com/royal-ransomware/