Skip to content
Ransomware group

Royal Ransomware

Royal Ransomware is a ransomware threat group/operator tracked in reporting under the names "royal_ransomware" and "royal_ransomware_group." The provided content describes it as an active ransomware actor observed using multiple initial access vectors, including phishing, RDP compromise, credential abuse, vulnerability exploitation, malicious downloaders, and malvertising via Google ads.

Profile source: Mallory opens in a new tab

Royal Ransomware

Family profile

Royal Ransomware is a ransomware threat group/operator tracked in reporting under the names "royal_ransomware" and "royal_ransomware_group." The provided content describes it as an active ransomware actor observed using multiple initial access vectors, including phishing, RDP compromise, credential abuse, vulnerability exploitation, malicious downloaders, and malvertising via Google ads. Reporting in the content places the group as active in 2022, including alleged victim postings involving Mark-Taylor, an Arizona builder, and a full-service commodities broker. The content also states that BlackSuit was formed from members of the older Royal ransomware group, indicating Royal predates BlackSuit and that personnel overlap or evolution occurred between the two groups. No high-confidence information about the group's size or physical location is provided in the content.

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • Mimikatz
  • NirSoft Dialupass
  • NirSoft IEPassView (iepv)
  • NirSoft MailPassView
  • NirSoft Netpass
  • NirSoft RouterPassView

Defense Evasion

  • Eraser
  • GMER
  • NSudo
  • PowerTool

Discovery Enum

  • AdFind
  • Advanced IP Scanner
  • SharpShares
  • SoftPerfect NetScan

Exfiltration

  • RClone

LOLBAS

  • PsExec

Networking

  • Chisel
  • Cloudflared
  • OpenSSH

Offsec

  • Brute Ratel C4
  • Cobalt Strike

RMM Tools

  • AnyDesk
  • Atera
  • LogMeIn
  • MobaXterm
  • Syncro

MITRE ATT&CK

Royal Ransomware in ATT&CK

19 distinct techniques

Reporting

Research mentioning Royal Ransomware

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.