win.royal_ransom

Royal Ransom

Ransomware

References

2024-01-04 | Arctic Wolf | Stefan Hostetler, Steven Campbell
Follow-On Extortion Campaign Targeting Victims of Akira and Royal Ransomware
Tags: Akira, Royal Ransom

2023-09-12 | ANSSI | ANSSI
FIN12: A Cybercriminal Group with Multiple Ransomware
Tags: BlackCat, Cobalt Strike, Conti, Hive, MimiKatz, Nokoyawa Ransomware, PLAY, Royal Ransom, Ryuk, SystemBC

2023-07-26 | Talos | Nicole Hoffman
Incident Response trends Q2 2023: Data theft extortion rises, while healthcare is still most-targeted vertical
Tags: BianLian, Clop, LockBit, Royal Ransom, LockBit, 8Base, BianLian, Clop, LockBit, Money Message, Royal Ransom

2023-06-27 | SecurityIntelligence | Charlotte Hammond, Ole Villadsen
The Trickbot/Conti Crypters: Where Are They Now?
Tags: Black Basta, Conti, Mount Locker, PhotoLoader, Royal Ransom, SystemBC, TrickBot

2023-05-10 | Bridewell | Bridewell
Hunting for Ursnif
Tags: ISFB, Royal Ransom

2023-05-09 | paloalto Networks: Unit42 | Anthony Galiette, Daniel Bunce, Doel Santos
Threat Assessment: Royal Ransomware
Tags: Royal Ransom, Royal Ransom

2023-04-19 | Bleeping Computer | Bill Toulas
March 2023 broke ransomware attack records with 459 incidents
Tags: Clop, WhiteRabbit, BianLian, Black Basta, BlackCat, LockBit, MedusaLocker, PLAY, Royal Ransom

2023-04-18 | Mandiant | Mandiant
M-Trends 2023
Tags: QUIETEXIT, AppleJeus, Black Basta, BlackCat, CaddyWiper, Cobalt Strike, Dharma, HermeticWiper, Hive, INDUSTROYER2, Ladon, LockBit, Meterpreter, PartyTicket, PlugX, QakBot, REvil, Royal Ransom, SystemBC, WhisperGate

2023-04-11 | Coalition | Leeann Nicolo
Security Alert: Royal Ransomware Targeting Firewalls
Tags: Royal Ransom

2023-04-03 | Trellix | Alexandre Mundo, Max Kersten
A Royal Analysis of Royal Ransom
Tags: Royal Ransom

2023-03-30 | United States District Court (Eastern District of New York) | Fortra, HEALTH-ISAC, Microsoft
Cracked Cobalt Strike (1:23-cv-02447)
Tags: Black Basta, BlackCat, LockBit, RagnarLocker, LockBit, Black Basta, BlackCat, Cobalt Strike, Cuba, Emotet, LockBit, Mount Locker, PLAY, QakBot, RagnarLocker, Royal Ransom, Zloader

2023-03-10 | Medium walmartglobaltech | Jason Reaves, Joshua Platt
From Royal With Love
Tags: Cobalt Strike, Conti, PLAY, Royal Ransom, Somnia

2023-03-02 | CISA | CISA
#StopRansomware: Royal Ransomware
Tags: Royal Ransom, Royal Ransom

2023-02-27 | PRODAFT Threat Intelligence | PRODAFT
RIG Exploit Kit: In-Depth Analysis
Tags: Dridex, IcedID, ISFB, PureCrypter, Raccoon, RecordBreaker, RedLine Stealer, Royal Ransom, Silence, SmokeLoader, Zloader

2023-02-20 | Trendmicro | Byron Gelera, Ivan Nicole Chavez, Nathaniel Morales
Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers
Tags: Royal Ransom, Royal Ransom

2023-02-13 | Kroll | Laurie Iacono, Stephen Green
Royal Ransomware Deep Dive
Tags: Cobalt Strike, Royal Ransom

2023-01-24 | ACSC | Australian Cyber Security Centre (ACSC)
2023-01: ACSC Ransomware Profile - Royal
Tags: Royal Ransom

2023-01-09 | SOCRadar | SOCRadar
Dark Web Profile: Royal Ransomware
Tags: Royal Ransom

2023-01-05 | Logpoint | Anish Bogati
A crowning achievement: Exploring the exploit of Royal ransomware
Tags: Royal Ransom

2022-12-21 | Trendmicro | Byron Gelera, Don Ovid Ladores, Ivan Nicole Chavez, Khristian Joseph Morales, Monte de Jesus
Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks
Tags: Royal Ransom

2022-12-14 | Cybereason | Alon Laufer, Eli Salem, Mark Tsipershtein
Royal Rumble: Analysis of Royal Ransomware
Tags: Royal Ransom

2022-12-13 | Avertium | Avertium
Everything You Need to Know about Royal Ransomware
Tags: Royal Ransom

2022-11-27 | SecurityScorecard | Vlad Pasca
A Technical Analysis of Royal Ransomware
Tags: Royal Ransom

2022-11-17 | Microsoft | Microsoft Security Threat Intelligence
DEV-0569 finds new ways to deliver Royal ransomware, various payloads
Tags: Royal Ransom, DEV-0569

2022-11-17 | Yoroi | Carmelo Ragusa, Luigi Martire
Reconstructing the last activities of Royal Ransomware
Tags: Royal Ransom

2022-10-13 | Fortinet | James Slaughter, Shunichi Imano
Ransomware Roundup: Royal Ransomware
Tags: Royal Ransom

2022-09-29 | BleepingComputer | Lawrence Abrams
New Royal Ransomware emerges in multi-million dollar attacks
Tags: Royal Ransom
Yara Rules
[TLP:WHITE] win_royal_ransom_auto (20241030 | Detects win.royal_ransom.)
rule win_royal_ransom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.royal_ransom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bd0 488d0de62fe4ff 488d05cf33e3ff 488903 e9???????? 428d14cd00000000 498bca }
            // n = 7, score = 100
            //   8bd0                 | dec                 eax
            //   488d0de62fe4ff       | mov                 eax, dword ptr [esp + 0x30]
            //   488d05cf33e3ff       | dec                 esp
            //   488903               | lea                 eax, [0x14b191]
            //   e9????????           |                     
            //   428d14cd00000000     | mov                 edx, 0x4d2
            //   498bca               | dec                 eax

        $sequence_1 = { b820000000 e8???????? 482be0 488bca e8???????? 488bc8 488d15a73d0800 }
            // n = 7, score = 100
            //   b820000000           | mov                 ecx, edi
            //   e8????????           |                     
            //   482be0               | test                eax, eax
            //   488bca               | je                  0xc2c
            //   e8????????           |                     
            //   488bc8               | dec                 eax
            //   488d15a73d0800       | lea                 edx, [0xb5d18]

        $sequence_2 = { 85c0 742c 488b0d???????? 488d15b5220100 e8???????? 85c0 7415 }
            // n = 7, score = 100
            //   85c0                 | dec                 eax
            //   742c                 | mov                 ecx, ebp
            //   488b0d????????       |                     
            //   488d15b5220100       | dec                 eax
            //   e8????????           |                     
            //   85c0                 | mov                 ecx, ebp
            //   7415                 | test                eax, eax

        $sequence_3 = { 85c0 7506 448d7001 eb2e e8???????? 4c8d05a59f0d00 bab4010000 }
            // n = 7, score = 100
            //   85c0                 | mov                 edi, eax
            //   7506                 | dec                 eax
            //   448d7001             | test                eax, eax
            //   eb2e                 | je                  0xa8e
            //   e8????????           |                     
            //   4c8d05a59f0d00       | inc                 ecx
            //   bab4010000           | mov                 eax, 0x10

        $sequence_4 = { e8???????? 837f1400 4c8d05cfc01700 488b0f 488b5728 740d 41b9e7000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   837f1400             | inc                 ecx
            //   4c8d05cfc01700       | lea                 ecx, [eax + 0x22]
            //   488b0f               | xor                 edi, edi
            //   488b5728             | dec                 esp
            //   740d                 | lea                 eax, [0x12c5b1]
            //   41b9e7000000         | mov                 edx, 0x23a

        $sequence_5 = { 8d4a8e e8???????? 488b4b20 e8???????? 41b8e1010000 488d155ddf0e00 488bcb }
            // n = 7, score = 100
            //   8d4a8e               | lea                 eax, [0xe1dca]
            //   e8????????           |                     
            //   488b4b20             | mov                 edx, 0x585
            //   e8????????           |                     
            //   41b8e1010000         | dec                 eax
            //   488d155ddf0e00       | lea                 ecx, [0xe0f8e]
            //   488bcb               | inc                 ebp

        $sequence_6 = { eb33 498bc4 eb4f e8???????? 4c8d058fc01400 ba1c010000 488d0d13c01400 }
            // n = 7, score = 100
            //   eb33                 | inc                 edx
            //   498bc4               | mov                 cl, byte ptr [ecx + ebx + 0x2a8c58]
            //   eb4f                 | dec                 eax
            //   e8????????           |                     
            //   4c8d058fc01400       | sub                 edx, eax
            //   ba1c010000           | mov                 eax, dword ptr [edx - 4]
            //   488d0d13c01400       | dec                 esp

        $sequence_7 = { 7525 e8???????? 4c8d0545051600 baa4060000 488bcb e8???????? baab000000 }
            // n = 7, score = 100
            //   7525                 | ret                 
            //   e8????????           |                     
            //   4c8d0545051600       | dec                 eax
            //   baa4060000           | lea                 edx, [0xa0504]
            //   488bcb               | dec                 eax
            //   e8????????           |                     
            //   baab000000           | mov                 ecx, edi

        $sequence_8 = { e8???????? 8b4730 4c8d057fcd1500 448b4b08 8d4eff 89442428 ba0c010800 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b4730               | je                  0xbe4
            //   4c8d057fcd1500       | movups              xmm0, xmmword ptr [ebx]
            //   448b4b08             | inc                 ecx
            //   8d4eff               | mov                 eax, 0x50
            //   89442428             | dec                 eax
            //   ba0c010800           | lea                 edx, [0xf8bc3]

        $sequence_9 = { e8???????? 4c8d05cb5a0f00 baab010000 488d0d2f5a0f00 e8???????? 4533c0 418d4e06 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4c8d05cb5a0f00       | jmp                 0xdcd
            //   baab010000           | dec                 eax
            //   488d0d2f5a0f00       | mov                 eax, dword ptr [edx]
            //   e8????????           |                     
            //   4533c0               | inc                 ecx
            //   418d4e06             | mov                 ecx, dword ptr [eax + eax*4 + 0x90f60]

    condition:
        7 of them and filesize < 6235136
}
[TLP:WHITE] win_royal_ransom_w0 (20230131 | Code-based YARA rule composed from potentially unique basic blocks for the selected set of samples/family.)
rule win_royal_ransom_w0 {
    meta:
        author = "MCRIT YARA Generator"
        description = "Code-based YARA rule composed from potentially unique basic blocks for the selected set of samples/family."
        date = "2023-01-31"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom"
        malpedia_rule_date = "20230131"
        malpedia_hash = ""
        malpedia_version = "20230131"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Rule generation selected 10 picblocks, covering 1/1 input sample(s).
        /* picblockhash: 0x76087cc405bd2363 - coverage: 1/1 samples.
         * 4d8bb4f620c52a00 | mov r14, qword ptr [r14 + rsi*8 + 0x2ac520]
         * 33d2             | xor edx, edx
         * 498bce           | mov rcx, r14
         * 41b800080000     | mov r8d, 0x800
         * ff1517160100     | call qword ptr [rip + 0x11617]
         * 488bd8           | mov rbx, rax
         * 4885c0           | test rax, rax
         * 754f             | jne 0x1401fae20
         */
        $blockhash_0x76087cc405bd2363 = { 4d8bb4f620c52a00 33d2 498bce 41b800080000 ff15???????? 488bd8 4885c0 75?? }

        /* picblockhash: 0xad441b53d9617a84 - coverage: 1/1 samples.
         * 4c8b05964a0d00   | mov r8, qword ptr [rip + 0xd4a96]
         * ba40000000       | mov edx, 0x40
         * 418bc8           | mov ecx, r8d
         * 83e13f           | and ecx, 0x3f
         * 2bd1             | sub edx, ecx
         * 8aca             | mov cl, dl
         * 488bd0           | mov rdx, rax
         * 48d3ca           | ror rdx, cl
         * 4933d0           | xor rdx, r8
         * 4b8794fe80312d00 | xchg qword ptr [r14 + r15*8 + 0x2d3180], rdx
         * eb2d             | jmp 0x1401faed9
         */
        $blockhash_0xad441b53d9617a84 = { 4c8b05???????? ba40000000 418bc8 83e13f 2bd1 8aca 488bd0 48d3ca 4933d0 4b8794fe80312d00 eb?? }

        /* picblockhash: 0x8a5718142d9721e2 - coverage: 1/1 samples.
         * 418bc2           | mov eax, r10d
         * b940000000       | mov ecx, 0x40
         * 83e03f           | and eax, 0x3f
         * 2bc8             | sub ecx, eax
         * 48d3cf           | ror rdi, cl
         * 4933fa           | xor rdi, r10
         * 4b87bcfe80312d00 | xchg qword ptr [r14 + r15*8 + 0x2d3180], rdi
         */
        $blockhash_0x8a5718142d9721e2 = { 418bc2 b940000000 83e03f 2bc8 48d3cf 4933fa 4b87bcfe80312d00 }

        /* picblockhash: 0x9cc1c27925f1c35f - coverage: 1/1 samples.
         * 4b8b84e7d02c2d00   | mov rax, qword ptr [r15 + r12*8 + 0x2d2cd0]
         * 4c8b45af           | mov r8, qword ptr [rbp - 0x51]
         * 4c2bc7             | sub r8, rdi
         * 420fb64cf03e       | movzx ecx, byte ptr [rax + r14*8 + 0x3e]
         * 460fbebc3960022d00 | movsx r15d, byte ptr [rcx + r15 + 0x2d0260]
         * 41ffc7             | inc r15d
         * 458bef             | mov r13d, r15d
         * 442bea             | sub r13d, edx
         * 4d63d5             | movsxd r10, r13d
         * 4d3bd0             | cmp r10, r8
         * 0f8f78020000       | jg 0x1401ffdb9
         */
        $blockhash_0x9cc1c27925f1c35f = { 4b8b84e7d02c2d00 4c8b45af 4c2bc7 420fb64cf03e 460fbebc3960022d00 41ffc7 458bef 442bea 4d63d5 4d3bd0 0f8f???????? }

        /* picblockhash: 0x826769b1e3d9c0fc - coverage: 1/1 samples.
         * 0fb607             | movzx eax, byte ptr [rdi]
         * 498bd5             | mov rdx, r13
         * 482bd7             | sub rdx, rdi
         * 4a0fbeb43860022d00 | movsx rsi, byte ptr [rax + r15 + 0x2d0260]
         * 8d4e01             | lea ecx, [rsi + 1]
         * 4863c1             | movsxd rax, ecx
         * 483bc2             | cmp rax, rdx
         * 0f8fe4010000       | jg 0x1401ffdf3
         */
        $blockhash_0x826769b1e3d9c0fc = { 0fb607 498bd5 482bd7 4a0fbeb43860022d00 8d4e01 4863c1 483bc2 0f8f???????? }

        /* picblockhash: 0x26d7edbd8d267bed - coverage: 1/1 samples.
         * 8a0437           | mov al, byte ptr [rdi + rsi]
         * ffc2             | inc edx
         * 4a8b8ce3d02c2d00 | mov rcx, qword ptr [rbx + r12*8 + 0x2d2cd0]
         * 4803ce           | add rcx, rsi
         * 48ffc6           | inc rsi
         * 428844f13e       | mov byte ptr [rcx + r14*8 + 0x3e], al
         * 4863c2           | movsxd rax, edx
         * 493bc0           | cmp rax, r8
         * 7ce0             | jl 0x1401ffdcb
         */
        $blockhash_0x26d7edbd8d267bed = { 8a0437 ffc2 4a8b8ce3d02c2d00 4803ce 48ffc6 428844f13e 4863c2 493bc0 7c?? }

        /* picblockhash: 0x11bb0000ce80b5fe - coverage: 1/1 samples.
         * 418a0438         | mov al, byte ptr [r8 + rdi]
         * 41ffc1           | inc r9d
         * 4b8b8cd7d02c2d00 | mov rcx, qword ptr [r15 + r10*8 + 0x2d2cd0]
         * 4903c8           | add rcx, r8
         * 49ffc0           | inc r8
         * 428844d93e       | mov byte ptr [rcx + r11*8 + 0x3e], al
         * 4963c1           | movsxd rax, r9d
         * 483bc2           | cmp rax, rdx
         * 7cde             | jl 0x1401ffe18
         */
        $blockhash_0x11bb0000ce80b5fe = { 418a0438 41ffc1 4b8b8cd7d02c2d00 4903c8 49ffc0 428844d93e 4963c1 483bc2 7c?? }

        /* picblockhash: 0x30abb68a1956753d - coverage: 1/1 samples.
         * 8a07             | mov al, byte ptr [rdi]
         * 4c8d05ab01e0ff   | lea r8, [rip - 0x1ffe55]
         * 4b8b8ce0d02c2d00 | mov rcx, qword ptr [r8 + r12*8 + 0x2d2cd0]
         * ffc3             | inc ebx
         * 895d9b           | mov dword ptr [rbp - 0x65], ebx
         * 428844f13e       | mov byte ptr [rcx + r14*8 + 0x3e], al
         * 4b8b84e0d02c2d00 | mov rax, qword ptr [r8 + r12*8 + 0x2d2cd0]
         * 42804cf03d04     | or byte ptr [rax + r14*8 + 0x3d], 4
         * 38558f           | cmp byte ptr [rbp - 0x71], dl
         * ebcc             | jmp 0x1401ffe46
         */
        $blockhash_0x30abb68a1956753d = { 8a07 4c8d05???????? 4b8b8ce0d02c2d00 ffc3 895d9b 428844f13e 4b8b84e0d02c2d00 42804cf03d04 38558f eb?? }

        /* picblockhash: 0x47083a9897a47573 - coverage: 1/1 samples.
         * 498bc5           | mov rax, r13
         * 4c8d0d21f6dfff   | lea r9, [rip - 0x2009df]
         * 83e03f           | and eax, 0x3f
         * 498bd5           | mov rdx, r13
         * 48c1fa06         | sar rdx, 6
         * 4c8d04c0         | lea r8, [rax + rax*8]
         * 498b84d1d02c2d00 | mov rax, qword ptr [r9 + rdx*8 + 0x2d2cd0]
         * 42f644c03848     | test byte ptr [rax + r8*8 + 0x38], 0x48
         * 7430             | je 0x140200a2d
         */
        $blockhash_0x47083a9897a47573 = { 498bc5 4c8d0d???????? 83e03f 498bd5 48c1fa06 4c8d04c0 498b84d1d02c2d00 42f644c03848 74?? }

        /* picblockhash: 0x37de2b88bfe990b6 - coverage: 1/1 samples.
         * 2bc3             | sub eax, ebx
         * 488d0d2df4dfff   | lea rcx, [rip - 0x200bd3]
         * 488b8ce9d02c2d00 | mov rcx, qword ptr [rcx + rbp*8 + 0x2d2cd0]
         * 8064f93dfd       | and byte ptr [rcx + rdi*8 + 0x3d], 0xfd
         * f7d8             | neg eax
         * 1ac0             | sbb al, al
         * 2402             | and al, 2
         * 0844f93d         | or byte ptr [rcx + rdi*8 + 0x3d], al
         * 8d0412           | lea eax, [rdx + rdx]
         */
        $blockhash_0x37de2b88bfe990b6 = { 2bc3 488d0d???????? 488b8ce9d02c2d00 8064f93dfd f7d8 1ac0 2402 0844f93d 8d0412 }

    condition:
        7 of them and filesize < 5MB
}