Royal Ransomware: The ruthless cyber threat costing companies millions
The cyber threat landscape is constantly evolving, with threat actors developing more sophisticated techniques to infiltrate systems and extort victims. During ransomware operations, these threat actors leverage legitimate software and open-source tools to maintain access and conduct malicious activities. One of the latest and most destructive ransomware strains is Royal Ransomware – a highly profitable and aggressive form of cyber extortion that has targeted businesses worldwide.
Understanding ransomware and its costly ransom demands
Ransomware is a type of malware that encrypts a victim’s files, making them inaccessible until a ransom is paid. Encrypting files is a critical tactic used by ransomware groups like BlackSuit and Royal to facilitate their extortion efforts. Hackers use this method to monetize stolen data, often demanding large sums of money in exchange for a decryption key. Companies, especially those handling sensitive information, are frequent targets, as they are more likely to pay hefty ransoms to recover critical data.
A notable example occurred in Denmark in 2022 when 7-Eleven was hit by a ransomware attack, forcing the shutdown of all 175 stores. The attackers demanded a ransom of $1 million in cryptocurrency to restore access to the company’s systems. However, 7-Eleven refused to comply and instead reinstalled its programs and systems, demonstrating the importance of robust backup solutions.
For a deeper dive into how ransomware attacks unfold and how to protect yourself, read our comprehensive guide on ransomware threats.
What is Royal ransomware?
Royal ransomware is a sophisticated form of malware that encrypts files within a victim’s IT environment, rendering them inaccessible until a ransom is paid. The cybercriminals behind Royal ransomware attacks employ advanced techniques to infiltrate and exfiltrate data, making it a formidable threat to organizations worldwide. These ransomware attacks are meticulously planned and executed, often leaving businesses scrambling to regain control of their encrypted files. The ransom demands can be exorbitant, with hackers leveraging the critical nature of the data to pressure victims into paying.
Because malware plays a crucial role in these attacks – enabling hackers to gain access and deploy ransomware – it’s essential to understand how different types of malware operate. Explore our in-depth guide to malware threats and how to stay protected.
History and distribution
Royal ransomware first emerged in January 2022, quickly escalating its activities throughout the year. Believed to be operated by a Russian-speaking group, Royal ransomware employs sophisticated methods for both infiltration and exfiltration. This ransomware group has targeted a wide array of critical infrastructure sectors, including chemical, communications, manufacturing, dams, defense industry, financial services, healthcare, waste management, nuclear energy, and emergency services. As of late 2023, there are indications that the Royal gang may be rebranding itself as BlackSuit ransomware, continuing their malicious activities under a new name.
The rise of the Royal ransomware group
A new and particularly destructive strain of ransomware, Royal ransomware, emerged in early 2022. It quickly gained notoriety for causing substantial financial damage to its victims.
The Dev-0569 hacker group, the operators behind Royal Ransomware, is responsible for targeting businesses worldwide. In just a short period, they added 43 companies to their list of victims, demanding ransoms ranging from $250,000 to $1 million. One of their most significant attacks involved a major tech company, where they demanded a staggering $60 million.
Royal threat actors employ a variety of tactics and legitimate tools for network reconnaissance, lateral movement, and data exfiltration during attacks. Unlike traditional ransomware groups that operate under the Ransomware-as-a-Service (RaaS) model – where malware is rented or sold to affiliates – Dev-0569 follows a different approach. Instead of distributing their ransomware to external users, they purchase direct access to corporate networks from Initial Access Brokers (IABs). This method allows them to control the attack from within the victim’s infrastructure, increasing the effectiveness and success rate of their campaigns.
The RaaS model has significantly contributed to the rise in ransomware attacks, enabling cybercriminals to execute large-scale operations without advanced technical skills. Discover how Ransomware-as-a-Service is reshaping the cybercrime landscape.
Exploiting internal systems: How Royal ransomware spreads
Once inside a company’s network, Royal Ransomware operators exploit internal vulnerabilities to deploy their malware. Some of their most common attack techniques include:
1. Contact form exploitation
Hackers manipulate company contact forms to distribute malware. By posing as legitimate customers, they inject malicious links or attachments into the communication chain, tricking employees into installing ransomware on internal systems.
2. Fake antivirus alerts and callback phishing
Another method involves sending deceptive alerts, warning users that their antivirus software is about to expire. Victims are urged to either visit a malicious website or call a fraudulent support number. This technique, known as callback phishing, allows hackers to extract sensitive information over the phone, often under the guise of technical support.
3. Advanced encryption techniques for rapid data lockdown
One of the reasons Royal Ransomware is so dangerous is its use of advanced encryption methods. Initially, Dev-0569 relied on the BlackCat coding module, but they have since transitioned to a more efficient system called Zeon. This module significantly accelerates the encryption process, locking files at an unprecedented speed. By doubling the code chains used for encryption, Royal Ransomware can incapacitate entire systems faster than most traditional ransomware strains.
Indicators of compromise (IOCs)
Recognizing the indicators of compromise (IOCs) for Royal ransomware is crucial for early detection and mitigation. Key IOCs include:
- Hashes: Specific file hashes associated with Royal ransomware.
- Infrastructure: Details about the infrastructure used by the ransomware operators.
- Network traffic patterns: Royal ransomware operators often use legitimate penetration testing tools, such as Cobalt Strike, to exfiltrate data from victim networks.
- System changes: The creation of a new admin user, forced group policy updates, and setting pertinent registry keys to auto-extract are common tactics used by Royal ransomware operators.
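The "system changes" indicators above translate directly into host-log detection logic. The following is an added example, not code from the original article: it correlates constructed Windows Security events (event IDs 4720 "user account created", 4732 "member added to a security-enabled local group" and 4688 "process created") to flag a newly created account that is promoted to Administrators within a short window, and a forced group policy refresh (`gpupdate /force`) run by such a recently created account. The event records, account names and timestamps are constructed for the example; the field names are a simplified subset of the real log schema.

```python
"""Correlate constructed Windows Security events for two host-level IOCs
named in the article: a new account promoted to admin, and a forced
group-policy refresh. Added example; the events below are constructed."""
from datetime import datetime, timedelta

# Constructed sample events (simplified subset of Security log fields).
SAMPLE_EVENTS = [
    {"time": "2025-03-11T02:14:05", "event_id": 4624, "actor": "svc_backup", "target": "", "cmd": ""},
    {"time": "2025-03-11T02:15:30", "event_id": 4720, "actor": "svc_backup", "target": "sysadm1n", "cmd": ""},
    {"time": "2025-03-11T02:16:02", "event_id": 4732, "actor": "svc_backup", "target": "sysadm1n",
     "group": "Administrators", "cmd": ""},
    {"time": "2025-03-11T02:20:41", "event_id": 4688, "actor": "sysadm1n", "target": "",
     "cmd": "gpupdate.exe /force"},
    # Ordinary onboarding: account created, never promoted, no forced refresh.
    {"time": "2025-03-11T09:00:00", "event_id": 4720, "actor": "hr_onboarding", "target": "jdoe", "cmd": ""},
]


def _ts(value):
    return datetime.fromisoformat(value)


def detect(events, window=timedelta(minutes=30), recent=timedelta(hours=24)):
    """Return a list of findings for the IOC patterns described in the article.

    Rule 1: a 4720 (account created) followed within `window` by a 4732 that adds
            the same account to the local Administrators group.
    Rule 2: a 4688 process-creation event running `gpupdate /force`; the finding
            records whether the actor is an account created within `recent`.
    """
    events = sorted(events, key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
    created = {}  # account name -> creation time seen in a 4720 event
    findings = []
    for e in events:
        t = _ts(e["time"])
        eid = e["event_id"]
        if eid == 4720:
            created[e["target"]] = t
        elif eid == 4732 and e.get("group") == "Administrators":
            c = created.get(e["target"])
            if c is not None and t - c <= window:
                findings.append({
                    "rule": "new-account-promoted-to-admin",
                    "account": e["target"],
                    "actor": e["actor"],
                    "time": e["time"],
                })
        elif eid == 4688:
            cmd = e["cmd"].lower()
            if "gpupdate" in cmd and "/force" in cmd:
                c = created.get(e["actor"])
                findings.append({
                    "rule": "forced-gpo-refresh",
                    "actor": e["actor"],
                    "by_recent_account": c is not None and t - c <= recent,
                    "time": e["time"],
                })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the same two rules would be expressed in the SIEM's query language against the live Security channel; the value of the correlation is that account creation and group-policy refreshes are individually routine, and only the combination with a short time window and a just-created actor separates the ransomware operator's staging from an administrator's normal day.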
Connection to BlackSuit ransomware
BlackSuit ransomware is considered the evolution of the previously identified Royal ransomware. Sharing numerous coding similarities, BlackSuit has demonstrated enhanced capabilities and continues to pose a significant threat. Ransom demands from BlackSuit actors typically range from $1 million to $10 million USD, with total demands exceeding $500 million USD. The largest individual ransom demand recorded was a staggering $60 million. This evolution signifies a continuous and growing threat from these ransomware actors.
How to protect your business from Royal ransomware
While Royal Ransomware poses a significant threat, companies can take preventive measures to mitigate the risk of an attack. It is also crucial to report ransomware incidents to authorities like the FBI and CISA: promptly informing these agencies about ransomware attacks, including specific information and evidence, helps address the broader issue of ransomware proliferation. Key preventive measures include:
1. Employee awareness training
Human error remains one of the primary entry points for cyberattacks. Regular training on phishing scams, suspicious emails, and safe browsing habits can significantly reduce the chances of a breach.
2. Strong passwords and multi-factor authentication (MFA)
Ensuring all accounts have strong, unique passwords and enabling MFA can prevent unauthorized access, making it more challenging for hackers to infiltrate networks.
3. Secure software and legitimate downloads
Always download software from verified sources to avoid malicious installations. Hackers frequently create counterfeit versions of legitimate applications to distribute ransomware.
4. Robust antivirus and threat detection
Using reputable antivirus software can help detect and block potential threats before they cause damage. Advanced cybersecurity solutions can also monitor for unusual activity, providing early warnings of a potential breach.
5. Data backups and disaster recovery plans
Regularly backing up critical files ensures that, in the event of an attack, systems can be restored without paying a ransom. Companies should store backups offline or on a separate, secure network to prevent ransomware from encrypting them.
Guidance from authorities
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued guidance to help organizations mitigate the risk and impact of ransomware incidents. Key recommendations include:
- Implementing multi-factor authentication: Adding an extra layer of security to prevent unauthorized access.
- Enabling network segmentation: Isolating critical systems to limit the spread of ransomware.
- Implementing intrusion detection and prevention systems: Monitoring and blocking suspicious activities.
- Regularly updating software and systems: Ensuring all systems are up-to-date with the latest security patches.
- Conducting regular security awareness training: Educating employees on recognizing and responding to phishing and other cyber threats.
- Reporting ransomware incidents: Promptly reporting incidents to the FBI’s Internet Crime Complaint Center (IC3) or a local FBI Field Office, or to CISA via their Incident Reporting System or 24/7 Operations Center.
By following these guidelines, organizations can better protect themselves against the devastating effects of ransomware attacks.
Recognizing a Royal ransomware attack
Victims of Royal Ransomware often notice specific changes in their encrypted files. Common indicators include:
- Files ending in “.royal” or “.royal_w”
- A ransom note typically labeled “README.TXT”
If you suspect an attack, immediately disconnect affected devices from the network and contact your IT security team for further investigation.
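The file-level indicators above can be checked mechanically on a file share or a restored backup before deciding whether it is safe to bring it online. The following is an added example and not code from the original article: it walks a directory tree, collects files carrying the “.royal” or “.royal_w” extension, and counts a “README.TXT” as a ransom note only when it sits in a directory that also holds encrypted files (an ordinary readme elsewhere is not reported). The sample directory tree it builds is constructed for the example.

```python
"""Scan a directory tree for the Royal ransomware file indicators named in
the article. Added example; the sample tree is constructed in a temp dir."""
import tempfile
from pathlib import Path

ROYAL_EXTENSIONS = (".royal", ".royal_w")   # extensions named in the article
RANSOM_NOTE_NAME = "README.TXT"             # ransom note name named in the article


def scan_tree(root):
    """Return relative paths of encrypted files, co-located ransom notes and
    affected directories under `root`."""
    root = Path(root)
    encrypted, dirs_hit = [], set()
    for path in root.rglob("*"):
        # Extension match is case-insensitive, since Windows file systems are.
        if path.is_file() and path.name.lower().endswith(ROYAL_EXTENSIONS):
            encrypted.append(path)
            dirs_hit.add(path.parent)
    # A README.TXT only counts as a ransom note next to encrypted files.
    notes = [
        p for d in dirs_hit for p in d.iterdir()
        if p.is_file() and p.name.upper() == RANSOM_NOTE_NAME
    ]

    def rel(p):
        return p.relative_to(root).as_posix()

    return {
        "encrypted": sorted(rel(p) for p in encrypted),
        "notes": sorted(rel(p) for p in notes),
        "directories_affected": sorted(rel(d) for d in dirs_hit),
    }


def assess(result):
    """Turn scan output into a verdict for the triage checklist."""
    if result["encrypted"] and result["notes"]:
        return "likely-royal"      # renamed files plus a co-located note
    if result["encrypted"]:
        return "suspicious"        # renamed files only; note may be elsewhere
    return "clean"


def build_sample_tree():
    """Create a constructed tree: two hit directories, one benign readme."""
    root = Path(tempfile.mkdtemp(prefix="royal-demo-"))
    (root / "finance").mkdir()
    (root / "finance" / "q1.xlsx.royal").write_text("")
    (root / "finance" / "README.TXT").write_text("constructed note text")
    (root / "hr").mkdir()
    (root / "hr" / "payroll.docx.ROYAL_W").write_text("")
    (root / "docs").mkdir()
    (root / "docs" / "readme.txt").write_text("ordinary readme, not a note")
    (root / "docs" / "notes.txt").write_text("untouched file")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(result)
    print("verdict:", assess(result))
```

Run it against a mounted backup or a share before restoring: a “clean” verdict only means the two named indicators are absent, so the rest of the triage (disconnecting affected devices, involving the security team) still applies when other evidence exists.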
The Royal ransomware group, which emerged in early 2022, is known for its sophisticated tactics and high-profile attacks against sectors like healthcare and critical infrastructure. Unlike other ransomware gangs, they operate with a team of experienced members from previous groups like Conti, rather than using an affiliate-driven model.
Conclusion: Staying ahead of Royal ransomware
Royal Ransomware represents a new level of cyber extortion, with threat actors exploiting internal vulnerabilities and deploying sophisticated encryption techniques during ransomware operations to maximize their impact. As ransomware threats continue to rise, businesses must prioritize cybersecurity by implementing proactive defense strategies, employee training, and robust data protection measures.
By staying vigilant and following best practices, companies can reduce the risk of falling victim to this devastating cyber threat.
This post has been updated on 11-03-2025 by Sarah Krarup.

Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.