Operator dossier

Royal is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 211 public victims claimed by this operator between November 4, 2022 and July 19, 2023. Royal is a financially motivated ransomware group that emerged in November 2022, quickly establishing itself as a significant threat with over 200 documented victims across multiple sectors. The group is believed to operate independently rather than as a ransomware-as-a-service model, though their exact country of origin remains unclear based on publicly available intelligence. Royal primarily gains initial access through phishing campaigns and exploitation of remote desktop protocols, subsequently deploying custom ransomware that encrypts victim files while exfiltrating sensitive data for double extortion tactics. The group has demonstrated a preference for targeting critical infrastructure and public services, with notable attacks against educational institutions, healthcare facilities, and government entities primarily in the United States, though they have also significantly impacted organizations across Germany, the United Kingdom, Canada, and France. Their encryption methodology involves custom-built malware that systematically encrypts files while maintaining persistence on compromised networks. As of recent reporting from federal agencies including CISA and FBI advisories, Royal remains an active threat with ongoing campaigns targeting organizations across their preferred sectors, particularly focusing on entities with limited cybersecurity resources that may be more likely to pay ransom demands.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

← All groups

Royal

211 victims indexed · first seen 4 years ago · last activity 3 years ago

211

Victims indexed

#38 of 348 tracked operators

Active period

Nov 2022 → Jul 2023

Countries hit

top United States · 24

At a glance

Status: inactive
First seen: 4 years ago
Last activity: 3 years ago
Onion sites: 3 known endpoints
Primary sector: Education · 10 hits

About

Royal is a financially motivated ransomware group that emerged in November 2022, quickly establishing itself as a significant threat with over 200 documented victims across multiple sectors. The group is believed to operate independently rather than as a ransomware-as-a-service model, though their exact country of origin remains unclear based on publicly available intelligence. Royal primarily gains initial access through phishing campaigns and exploitation of remote desktop protocols, subsequently deploying custom ransomware that encrypts victim files while exfiltrating sensitive data for double extortion tactics. The group has demonstrated a preference for targeting critical infrastructure and public services, with notable attacks against educational institutions, healthcare facilities, and government entities primarily in the United States, though they have also significantly impacted organizations across Germany, the United Kingdom, Canada, and France. Their encryption methodology involves custom-built malware that systematically encrypts files while maintaining persistence on compromised networks. As of recent reporting from federal agencies including CISA and FBI advisories, Royal remains an active threat with ongoing campaigns targeting organizations across their preferred sectors, particularly focusing on entities with limited cybersecurity resources that may be more likely to pay ransom demands.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/royal

Timeline

9 months

2022-11-01T00:00:00+00:002023-07-01T00:00:00+00:00

Top countries

🇺🇸 United States

🇩🇪 Germany

🇬🇧 United Kingdom

🇨🇦 Canada

🇫🇷 France

🇧🇷 Brazil

🇦🇺 Australia

🇲🇽 Mexico

United States dossier →Germany dossier →United Kingdom dossier →Canada dossier →

Top sectors

Education

Energy

Healthcare

Government

Finance

Food & Agriculture

Automotive

Legal

Education dossier →Energy dossier →Healthcare dossier →Government dossier →

MITRE ATT&CK

46 techniques · 12 tactics

Tactics

CollectionCommand And ControlCredential AccessDiscoveryExecutionExfiltrationInitial AccessLateral MovementPersistencePrivilege EscalationResource DevelopmentStealth

Techniques

T1003.001LSASS Memory
T1003.002Security Account Manager
T1003.003NTDS
T1003.004LSA Secrets
T1005Data from Local System
T1007System Service Discovery
T1016System Network Configuration Discovery
T1018Remote System Discovery
T1020Automated Exfiltration
T1021.002SMB/Windows Admin Shares
T1027Obfuscated Files or Information
T1033System Owner/User Discovery
T1036.002Right-to-Left Override
T1036.005Match Legitimate Resource Name or Location
T1041Exfiltration Over C2 Channel
T1049System Network Connections Discovery
T1056.001Keylogging
T1057Process Discovery
T1059Command and Scripting Interpreter
T1059.003Windows Command Shell
T1069.002Domain Groups
T1071.001Web Protocols
T1071.004DNS
T1078Valid Accounts
T1078.004Cloud Accounts
T1082System Information Discovery
T1083File and Directory Discovery
T1087.001Local Account
T1087.002Domain Account
T1105Ingress Tool Transfer
T1114.002Remote Email Collection
T1119Automated Collection
T1133External Remote Services
T1140Deobfuscate/Decode Files or Information
T1190Exploit Public-Facing Application
T1213.002Sharepoint
T1543.003Windows Service
T1547.001Registry Run Keys / Startup Folder
T1558.001Golden Ticket
T1560Archive Collected Data
T1560.001Archive via Utility
T1569.002Service Execution
T1583.005Botnet
T1587.001Malware
T1588.002Tool
T1614.001System Language Discovery

Detection · YARA rules

1 rule

Royal_Ransomware
Detects Royal ransomware
source: CISA AA23-061A

Recent victims

Loading…

Onion infrastructure

3 known

http://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion
http://royal4ezp7xrbakkus3oofjw6gszrohpodmdnfbe5e4w3og5sm7vb3qd.onion
http://royal4ezp7xrbakkus3oofjw6gszrohpodmdnfbe5e4w3og5sm7vb3qd.onion/api/posts/list

Source

Updated 3 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.