
Royal Ransomware

The Royal Ransomware is operated by a relatively new cybercrime group. The operators initially used encryptors borrowed from other ransomware groups but have since moved to an encryptor of their own. The group targets corporate entities and demands ransoms ranging from $250,000 all the way up to $2 million. A notable characteristic of the Royal group is that it does not operate as a RaaS (Ransomware-as-a-Service): it is an entirely private operation with no affiliates.

The infection chain that ultimately ends with the deployment of the Royal Ransomware begins with targeted phishing. The threat actors use what is known as callback phishing to compromise their targets: they send lure emails about bogus subscription renewals for a legitimate food delivery service or software product and tell the recipient that the supposed subscription can only be cancelled by calling a provided phone number. The phone operators work for the cybercriminals and use social-engineering tactics to talk the victim into granting them remote access to the computer. The remote-access software the victim installs then serves as the attackers' initial access point into the internal corporate network.

When the Royal Ransomware is deployed and executed on a victim's device, it encrypts a significant portion of the data stored there and appends '.royal' to the original name of every locked file. The threat is also capable of encrypting the virtual disk files (VMDK) of virtual machines, which makes virtualization hosts a high-impact target. Once the targeted data has been processed, the ransomware delivers its ransom note: the hackers' message is dropped as a 'README.TXT' file on the breached systems and is also printed out by any printers connected to the corporate network.
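
The file-level indicators above ('.royal' appended to locked files, 'README.TXT' ransom notes, encrypted VMDK disks) are what an incident responder sweeps for when scoping which hosts and shares were hit. The following triage script is an added example written for this page, not code from the Royal operators or from any vendor tool; it walks a directory tree, separates ransom notes from encrypted files, flags encrypted virtual disks by recovering the pre-encryption extension, and estimates the start of the encryption run from the earliest modification time. The sample tree it builds is constructed for the demonstration, and its note bodies are placeholders rather than Royal's real note text.

```python
import os
import tempfile
from dataclasses import dataclass, field

ROYAL_EXT = ".royal"          # extension the page reports being appended
NOTE_NAME = "README.TXT"      # ransom note file name the page reports
VM_DISK_EXTS = {".vmdk"}      # virtual disk files the page says are targeted


@dataclass
class SweepResult:
    encrypted: list = field(default_factory=list)           # files ending in .royal
    notes: list = field(default_factory=list)               # README.TXT ransom notes
    encrypted_vm_disks: list = field(default_factory=list)  # .vmdk.royal hits


def original_name(encrypted_name):
    """Strip the appended '.royal' so the pre-encryption name is recoverable
    for scoping (which shares, which VMs). Names without the extension are
    returned unchanged."""
    if encrypted_name.lower().endswith(ROYAL_EXT):
        return encrypted_name[:-len(ROYAL_EXT)]
    return encrypted_name


def sweep(root):
    """Walk `root` and collect the file-level indicators described on the page.
    Name matching is case-insensitive so a sweep over a Windows share mounted
    on Linux behaves the same as one run on the Windows host itself."""
    res = SweepResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.upper() == NOTE_NAME:
                res.notes.append(path)
            elif name.lower().endswith(ROYAL_EXT):
                res.encrypted.append(path)
                # the original extension sits just before '.royal'
                _, orig_ext = os.path.splitext(original_name(name))
                if orig_ext.lower() in VM_DISK_EXTS:
                    res.encrypted_vm_disks.append(path)
    return res


def earliest_encryption_time(res):
    """Earliest mtime among the encrypted files: a rough start-of-run estimate
    for the incident timeline (None when nothing was found)."""
    if not res.encrypted:
        return None
    return min(os.path.getmtime(p) for p in res.encrypted)


def build_sample_tree():
    """Constructed throwaway tree mimicking a host after an encryption run.
    Hypothetical paths and placeholder contents, used only for this example."""
    root = tempfile.mkdtemp(prefix="royal_sweep_")
    layout = {
        "finance/q3_report.xlsx.royal": b"\x00" * 64,
        "finance/README.TXT": b"placeholder ransom note body\n",
        "vms/fileserver01.vmdk.royal": b"\x00" * 64,
        "vms/README.TXT": b"placeholder ransom note body\n",
        "public/changelog.txt": b"untouched plaintext\n",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    result = sweep(sample_root)
    print(f"encrypted files: {len(result.encrypted)}")
    print(f"ransom notes:    {len(result.notes)}")
    print(f"hit VM disks:    {len(result.encrypted_vm_disks)}")
    print(f"earliest mtime:  {earliest_encryption_time(result)}")
```

Run it against a mounted share or a forensic image rather than the live host's system drive where possible; the earliest-mtime estimate is only a floor for the timeline, since the encryptor may have run on other hosts first, and matching on the extension alone will miss files the encryptor skipped or only partially processed.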

The ransom note instructs victims to contact the cybercriminals through a dedicated website hosted on the Tor network. The site consists mostly of a chat service for negotiating with the hackers; victims can usually submit a couple of files to be decrypted free of charge as a demonstration. Although the Royal group claims to collect confidential data from its victims as part of a double-extortion scheme, no data leak site had been discovered at the time of writing.
