Hamburger Menu Icon
Yoroi Background

Reconstructing the last activities of Royal Ransomware 


Royal Ransomware is a new group first spotted on Bleeping Computer last September, where the cybersecurity news site revealed a connection with another malware known as Zeon.  

At the moment, we don’t have much information about the group and all its actual TTPs, but we know that they use the Double Extortion model to threaten the victims, as stated inside the ransom note. 

Figure 1: Ransom Note

About Royal Ransomware Group 

The Cyber intelligence community has proof that the group started its malicious activities since January, with other ransomware payloads. So, we can say they started their malicious career as affiliated with other Ransomware-as-a-Service providers. But it only the last two months, it started to apply the Double Extorsion model, with an ad-hoc website in the Dark Web. 

Figure 2: Royal Ransomware main page

During its existence, it seems that the ransomware group didn’t adopt the Ransomware-as-a-Service model to recruit other affiliates to infect victims. The reason might be that the core team wants initially to create a malicious “brand positioning” inside the threat landscape. 

Figure 3: Distribution of the Attacks

At the same time, we don’t know which toolkit is used to implement the exfiltration capability. We don’t know if the group uses some custom malware, or if it leverages public storage platforms, such as Mega, Dropbox, etc. 

Technical Analysis

We managed to obtain a recent specimen of this threat and analyzed its features and malicious capabilities, in order to create signatures and provide technical insight to better detection. 

Tha analyzed sample has the following static information: 

Hash 9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926 
Threat Royal Ransomware 
Brief Description Ransomware payload 
SSDEEP 49152:cDVwASOLGtlqrRIU6i9+vazNqQlJZP1BMU2thA8mNtNCiJlrRUFcJ7HIPcLzk+5c:wm+GaNqqJJ12vlZol8cJ7rcl 
Figure 4: Static Information about the sample

Royal Ransomware is written in C/C++ and it is launched by command line. That behavior suggests that there is a previous and totally human-operated intrusion performed by a pen-testing team, which gained access to the internal network and performed privilege escalation and lateral movement operation. 

When the executable is launched, it needs three parameters, otherwise the infection doesn't start: 

Figure 5: Parameters needed by Royal Ransomware

We constructed a table with the three parameters found inside the sample and we provide a small description of that:  

Parameter Description 
-path Specifies an exact path where to encrypt files 
-id Victim’s ID, needed to run the sample, must be 32 characters 
-ep  Encryption percentage (feature not implemented in this sample) 
Table: Parameters description

After that, the sample starts the preparation of the ransomware operation by deleting the shadow copies: 

Figure 6: Deleting Shadow Copies

Then, the malware starts the preparation for the encryption processes, by creating the lists of the elements to be excluded during the fetching of files and folders. For the files’ extensions, the exclusions are: 

Figure 7: Checking file extension

Instead, for the folders exclusion there are the following:  

windows, royal, $recycle.bin, google, perflogs, mozilla, tor browser, boot, $windows.~ws, $windows.~bt, windows.old 
Figure 8: Checking folder name 

Royal Ransomware has also the capability to infect and encrypt the shared resources inside the internal network. It uses the NetShareEnum seeking the “ADMIN$” and “IPC$” records and then, it proceeds to encrypt the files contained inside the shared folders

Figure 9: Network shares encryption

At this point, we have the encryption phase. Royal Group uses a mixture of RSA and AES algorithms. The RSA public Key is hardcoded in the sample, and it is easy to retrieve that: 

Figure 10: Public RSA Key 

In the following scheme, we highlight the encryption routine and the result of the encryption of a test file: 

Figure 11: Encryption routine 

The encryption routine is assisted by the OpenSSL library. An AES key is randomly generated and then it is protected with the RSA public key. In this way, the ransomware operator the encryption conserves the RSA private key to decrypt the original AES key and then the files could be restored. 


The market of cyber extorsion is still growing and other threat actors are riding the wave of the most infamous 2022 trend. The case Royal Ransomware Group is representative because it started by adopting the affiliation on the RaaS market, and when they reached an appropriate expertise and experience, it created an independent group with a “proprietary” ransomware payload. 

As stated, at the moment we have no proof they adopt the Ransomware-as-a-Service model, but the group is formed only by talented pen-testers and malware developers aimed at making money through the Double Extorsion model. However, this doesn't mean that in the near future the group will reach such a maturity that they will be capable of implementing the RaaS model. 

Indicators of Compromise

  • 9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926 
  • c24c59c8f4e7a581a5d45ee181151ec0a3f0b59af987eacf9b363577087c9746 
  • 5fda381a9884f7be2d57b8a290f389578a9d2f63e2ecb98bd773248a7eb99fa2 
  • 312f34ee8c7b2199a3e78b4a52bd87700cc8f3aa01aa641e5d899501cb720775 
  • 491c2b32095174b9de2fd799732a6f84878c2e23b9bb560cd3155cbdc65e2b80 
  • 2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f 
  • f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429 
  • 7cbfea0bff4b373a175327d6cc395f6c176dab1cedf9075e7130508bec4d5393 

Yara Rules

rule royal_ransomware {

   author = "Yoroi Malware ZLab"
   description = "Rule for Royal Ransomware"
   last_updated = "2022-11-09"
   tlp = "WHITE"
   category = "informational"

   // x32
   $1 = {8d 84 ?? ?? ?? ?? ?? 50 ff 15 ?? ?? ?? ?? 83 f8 20 74 ?? 6a 00 ff 15 ?? ?? ?? ??}
   $2 = {68 ?? ?? ?? ?? ff 30 89 44 ?4 20 ff 15 ?? ?? ?? ?? 85 c0 75 ?? 8b 44 ?4 10 46 8b 0c b0 89 4c ?4 1c e9 ?? ?? ?? ?? 8b 44 ?4 18 68 ?? ?? ?? ?? ff 30 ff 15 ?? ?? ?? ??}
   // x64
   $3 = {4? 8d ?? ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 83 f8 20 74 ?? 33 c9 ff 15 ?? ?? ?? ??}
   $4 = { 4? 8d 15 ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 85 c0 75 ?? 4? 8b 7b 08 ff c6 4? 83 c3 08 e9 ?? ?? ?? ?? 4? 8b 0b 4? 8d 15 ?? ?? ?? ?? ff 15 ?? ?? ?? ??}

    (($1 and $2) or ($3 and $4)) and uint16(0) == 0x5A4D

This blog post was authored by Luigi Martire, Carmelo Ragusa of Yoroi Malware ZLAB

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram