Skip to main content

Operator dossier

Royal is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 211 public victims claimed by this operator between November 4, 2022 and July 19, 2023. Royal is a financially motivated ransomware group that emerged in November 2022, quickly establishing itself as a significant threat with over 200 documented victims across multiple sectors. The group is believed to operate independently rather than as a ransomware-as-a-service model, though their exact country of origin remains unclear based on publicly available intelligence. Royal primarily gains initial access through phishing campaigns and exploitation of remote desktop protocols, subsequently deploying custom ransomware that encrypts victim files while exfiltrating sensitive data for double extortion tactics. The group has demonstrated a preference for targeting critical infrastructure and public services, with notable attacks against educational institutions, healthcare facilities, and government entities primarily in the United States, though they have also significantly impacted organizations across Germany, the United Kingdom, Canada, and France. Their encryption methodology involves custom-built malware that systematically encrypts files while maintaining persistence on compromised networks. As of recent reporting from federal agencies including CISA and FBI advisories, Royal remains an active threat with ongoing campaigns targeting organizations across their preferred sectors, particularly focusing on entities with limited cybersecurity resources that may be more likely to pay ransom demands.

Most-targeted sectors

Most-affected countries

Recent disclosures by Royal

Most recent 150 of 211 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Royal

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

Royal

211 victims indexed · first seen 4 years ago · last activity 3 years ago

211
Victims indexed
#37 of 364 tracked operators
8m
Active period
Nov 2022 → Jul 2023
10
Countries hit
top United States · 24

At a glance

Status
inactive
First seen
4 years ago
Last activity
3 years ago
Onion sites
3 known endpoints
Primary sector
Education · 10 hits

About

Royal is a financially motivated ransomware group that emerged in November 2022, quickly establishing itself as a significant threat with over 200 documented victims across multiple sectors. The group is believed to operate independently rather than as a ransomware-as-a-service model, though their exact country of origin remains unclear based on publicly available intelligence. Royal primarily gains initial access through phishing campaigns and exploitation of remote desktop protocols, subsequently deploying custom ransomware that encrypts victim files while exfiltrating sensitive data for double extortion tactics. The group has demonstrated a preference for targeting critical infrastructure and public services, with notable attacks against educational institutions, healthcare facilities, and government entities primarily in the United States, though they have also significantly impacted organizations across Germany, the United Kingdom, Canada, and France. Their encryption methodology involves custom-built malware that systematically encrypts files while maintaining persistence on compromised networks. As of recent reporting from federal agencies including CISA and FBI advisories, Royal remains an active threat with ongoing campaigns targeting organizations across their preferred sectors, particularly focusing on entities with limited cybersecurity resources that may be more likely to pay ransom demands.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

9 months
2022-11-01T00:00:00+00:00 · 432022-12-01T00:00:00+00:00 · 452023-01-01T00:00:00+00:00 · 192023-02-01T00:00:00+00:00 · 152023-03-01T00:00:00+00:00 · 312023-04-01T00:00:00+00:00 · 262023-05-01T00:00:00+00:00 · 292023-06-01T00:00:00+00:00 · 22023-07-01T00:00:00+00:00 · 1
2022-11-01T00:00:00+00:002023-07-01T00:00:00+00:00

Top countries

🇺🇸 United States
24
🇩🇪 Germany
8
🇬🇧 United Kingdom
7
🇨🇦 Canada
4
🇫🇷 France
4
🇧🇷 Brazil
4
🇦🇺 Australia
3
🇲🇽 Mexico
2

Top sectors

Education
10
Energy
4
Healthcare
3
Government
3
Finance
2
Food & Agriculture
1
Automotive
1
Legal
1

MITRE ATT&CK

46 techniques · 12 tactics

Tactics

CollectionCommand And ControlCredential AccessDiscoveryExecutionExfiltrationInitial AccessLateral MovementPersistencePrivilege EscalationResource DevelopmentStealth

Techniques

Detection · YARA rules

1 rule
  • Royal_Ransomware

    Detects Royal ransomware

    source: CISA AA23-061A

Recent victims

Loading…

Onion infrastructure

3 known
  • http://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion
  • http://royal4ezp7xrbakkus3oofjw6gszrohpodmdnfbe5e4w3og5sm7vb3qd.onion
  • http://royal4ezp7xrbakkus3oofjw6gszrohpodmdnfbe5e4w3og5sm7vb3qd.onion/api/posts/list

Source

Updated 3 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Royal posts a victim.

Add Royal to your watchlist — Pro pings you within 5 minutes of any new Royal leak-site post, Telegram callout, or affiliate-rebrand inference.