win.royal_ransom

Royal Ransom


Ransomware

References
2023-03-10 | Medium walmartglobaltech | Jason Reaves, Joshua Platt
@online{reaves:20230310:from:6bceb30,
  author       = {Jason Reaves and Joshua Platt},
  title        = {{From Royal With Love}},
  date         = {2023-03-10},
  organization = {Medium walmartglobaltech},
  url          = {https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65},
  language     = {English},
  urldate      = {2023-03-13}
}
From Royal With Love
Cobalt Strike Conti PLAY Royal Ransom Somnia
2023-03-02 | CISA | CISA
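@online{cisa:20230302:stopransomware:09958a9,
  author       = {CISA},
  title        = {{\#StopRansomware: Royal Ransomware}},
  date         = {2023-03-02},
  organization = {CISA},
  url          = {https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a},
  language     = {English},
  urldate      = {2023-03-04}
}
#StopRansomware: Royal Ransomware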
Royal Ransom
2023-02-20 | Trendmicro | Nathaniel Morales, Ivan Nicole Chavez, Byron Gelera
@online{morales:20230220:royal:36bcea3,
  author       = {Nathaniel Morales and Ivan Nicole Chavez and Byron Gelera},
  title        = {{Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers}},
  date         = {2023-02-20},
  organization = {Trendmicro},
  url          = {https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html},
  language     = {English},
  urldate      = {2023-03-04}
}
Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers
Royal Ransom
2023-01-24 | ACSC | Australian Cyber Security Centre (ACSC)
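@online{acsc:20230124:202301:0fa06a3,
  author       = {{Australian Cyber Security Centre (ACSC)}},
  title        = {{2023-01: ACSC Ransomware Profile - Royal}},
  date         = {2023-01-24},
  organization = {ACSC},
  url          = {https://www.cyber.gov.au/acsc/view-all-content/advisories/2023-01-acsc-ransomware-profile-royal},
  language     = {English},
  urldate      = {2023-03-04}
}
2023-01: ACSC Ransomware Profile - Royal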
Royal Ransom
2023-01-09 | SOCRadar | SOCRadar
@online{socradar:20230109:dark:c166fac,
  author       = {SOCRadar},
  title        = {{Dark Web Profile: Royal Ransomware}},
  date         = {2023-01-09},
  organization = {SOCRadar},
  url          = {https://socradar.io/dark-web-profile-royal-ransomware/},
  language     = {English},
  urldate      = {2023-01-16}
}
Dark Web Profile: Royal Ransomware
Royal Ransom
2023-01-05 | Logpoint | Anish Bogati
@online{bogati:20230105:crowning:ee8f347,
  author       = {Anish Bogati},
  title        = {{A crowning achievement: Exploring the exploit of Royal ransomware}},
  date         = {2023-01-05},
  organization = {Logpoint},
  url          = {https://www.logpoint.com/en/blog/exploring-the-exploit-of-royal-ransomware/},
  language     = {English},
  urldate      = {2023-01-06}
}
A crowning achievement: Exploring the exploit of Royal ransomware
Royal Ransom
2022-12-21 | Trendmicro | Ivan Nicole Chavez, Byron Gelera, Monte de Jesus, Don Ovid Ladores, Khristian Joseph Morales
@online{chavez:20221221:conti:d755947,
  author       = {Ivan Nicole Chavez and Byron Gelera and Monte de Jesus and Don Ovid Ladores and Khristian Joseph Morales},
  title        = {{Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks}},
  date         = {2022-12-21},
  organization = {Trendmicro},
  url          = {https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html},
  language     = {English},
  urldate      = {2022-12-24}
}
Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks
Royal Ransom
2022-12-14 | Cybereason | Eli Salem, Alon Laufer, Mark Tsipershtein
@online{salem:20221214:royal:c5960bd,
  author       = {Eli Salem and Alon Laufer and Mark Tsipershtein},
  title        = {{Royal Rumble: Analysis of Royal Ransomware}},
  date         = {2022-12-14},
  organization = {Cybereason},
  url          = {https://www.cybereason.com/blog/royal-ransomware-analysis},
  language     = {English},
  urldate      = {2022-12-15}
}
Royal Rumble: Analysis of Royal Ransomware
Royal Ransom
2022-12-13 | Avertium | Avertium
@online{avertium:20221213:everything:7b69285,
  author       = {Avertium},
  title        = {{Everything You Need to Know about Royal Ransomware}},
  date         = {2022-12-13},
  organization = {Avertium},
  url          = {https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-royal-ransomware},
  language     = {English},
  urldate      = {2022-12-24}
}
Everything You Need to Know about Royal Ransomware
Royal Ransom
2022-11-27 | SecurityScorecard | Vlad Pasca
@online{pasca:20221127:technical:c2326cf,
  author       = {Vlad Pasca},
  title        = {{A Technical Analysis of Royal Ransomware}},
  date         = {2022-11-27},
  organization = {SecurityScorecard},
  url          = {https://securityscorecard.pathfactory.com/research/the-royal-ransomware},
  language     = {English},
  urldate      = {2022-11-28}
}
A Technical Analysis of Royal Ransomware
Royal Ransom
2022-11-17 | Microsoft | Microsoft Security Threat Intelligence
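@online{intelligence:20221117:dev0569:86675d7,
  author       = {{Microsoft Security Threat Intelligence}},
  title        = {{DEV-0569 finds new ways to deliver Royal ransomware, various payloads}},
  date         = {2022-11-17},
  organization = {Microsoft},
  url          = {https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/},
  language     = {English},
  urldate      = {2023-01-05}
}
DEV-0569 finds new ways to deliver Royal ransomware, various payloads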
Royal Ransom
2022-11-17 | Yoroi | Luigi Martire, Carmelo Ragusa
@online{martire:20221117:reconstructing:5b546b1,
  author       = {Luigi Martire and Carmelo Ragusa},
  title        = {{Reconstructing the last activities of Royal Ransomware}},
  date         = {2022-11-17},
  organization = {Yoroi},
  url          = {https://yoroi.company/research/reconstructing-the-last-activities-of-royal-ransomware/},
  language     = {English},
  urldate      = {2022-11-18}
}
Reconstructing the last activities of Royal Ransomware
Royal Ransom
2022-10-13 | Fortinet | Shunichi Imano, James Slaughter
@online{imano:20221013:ransomware:d68098e,
  author       = {Shunichi Imano and James Slaughter},
  title        = {{Ransomware Roundup: Royal Ransomware}},
  date         = {2022-10-13},
  organization = {Fortinet},
  url          = {https://www.fortinet.com/blog/threat-research/ransomware-roundup-royal-ransomware},
  language     = {English},
  urldate      = {2022-10-25}
}
Ransomware Roundup: Royal Ransomware
Royal Ransom
2022-09-29 | BleepingComputer | Lawrence Abrams
@online{abrams:20220929:new:6e43d69,
  author       = {Lawrence Abrams},
  title        = {{New Royal Ransomware emerges in multi-million dollar attacks}},
  date         = {2022-09-29},
  organization = {BleepingComputer},
  url          = {https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/},
  language     = {English},
  urldate      = {2022-11-03}
}
New Royal Ransomware emerges in multi-million dollar attacks
Royal Ransom
Yara Rules
[TLP:WHITE] win_royal_ransom_w0 (20230131 | Code-based YARA rule composed from potentially unique basic blocks for the selected set of samples/family.)
rule win_royal_ransom_w0 {
    // Generated code-based signature for the Royal Ransom family (generator
    // named in meta.author). Every string below is the raw byte pattern of one
    // basic block ("picblock" -- presumably a position-independent code block,
    // per the generator's wording) taken from the x86-64 disassembly listed in
    // the comment directly above it; the hash in each string name identifies
    // that block.
    meta:
        author = "MCRIT YARA Generator"
        description = "Code-based YARA rule composed from potentially unique basic blocks for the selected set of samples/family."
        date = "2023-01-31"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom"
        malpedia_rule_date = "20230131"
        // NOTE(review): malpedia_hash is empty in the published rule, so the
        // sample the blocks were lifted from cannot be identified from the rule
        // alone; record it here when the reference sample is known.
        malpedia_hash = ""
        malpedia_version = "20230131"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Rule generation selected 10 picblocks, covering 1/1 input sample(s).
        // Only a single input sample was available, so every "coverage: 1/1"
        // figure below refers to that one sample; re-validate against other
        // builds before treating this rule as family-wide coverage.
        // The `??` wildcards replace address-dependent operand bytes that vary
        // between builds while the opcodes stay fixed: 4-byte RIP-relative
        // displacements (call/lea/mov via [rip +/- imm32]) and relative jump
        // targets (1-byte rel8 as `??`, 4-byte rel32 as `????????`).
        /* picblockhash: 0x76087cc405bd2363 - coverage: 1/1 samples.
         * 4d8bb4f620c52a00 | mov r14, qword ptr [r14 + rsi*8 + 0x2ac520]
         * 33d2             | xor edx, edx
         * 498bce           | mov rcx, r14
         * 41b800080000     | mov r8d, 0x800
         * ff1517160100     | call qword ptr [rip + 0x11617]
         * 488bd8           | mov rbx, rax
         * 4885c0           | test rax, rax
         * 754f             | jne 0x1401fae20
         */
        $blockhash_0x76087cc405bd2363 = { 4d8bb4f620c52a00 33d2 498bce 41b800080000 ff15???????? 488bd8 4885c0 75?? }

        /* picblockhash: 0xad441b53d9617a84 - coverage: 1/1 samples.
         * 4c8b05964a0d00   | mov r8, qword ptr [rip + 0xd4a96]
         * ba40000000       | mov edx, 0x40
         * 418bc8           | mov ecx, r8d
         * 83e13f           | and ecx, 0x3f
         * 2bd1             | sub edx, ecx
         * 8aca             | mov cl, dl
         * 488bd0           | mov rdx, rax
         * 48d3ca           | ror rdx, cl
         * 4933d0           | xor rdx, r8
         * 4b8794fe80312d00 | xchg qword ptr [r14 + r15*8 + 0x2d3180], rdx
         * eb2d             | jmp 0x1401faed9
         */
        $blockhash_0xad441b53d9617a84 = { 4c8b05???????? ba40000000 418bc8 83e13f 2bd1 8aca 488bd0 48d3ca 4933d0 4b8794fe80312d00 eb?? }

        /* picblockhash: 0x8a5718142d9721e2 - coverage: 1/1 samples.
         * 418bc2           | mov eax, r10d
         * b940000000       | mov ecx, 0x40
         * 83e03f           | and eax, 0x3f
         * 2bc8             | sub ecx, eax
         * 48d3cf           | ror rdi, cl
         * 4933fa           | xor rdi, r10
         * 4b87bcfe80312d00 | xchg qword ptr [r14 + r15*8 + 0x2d3180], rdi
         */
        $blockhash_0x8a5718142d9721e2 = { 418bc2 b940000000 83e03f 2bc8 48d3cf 4933fa 4b87bcfe80312d00 }

        /* picblockhash: 0x9cc1c27925f1c35f - coverage: 1/1 samples.
         * 4b8b84e7d02c2d00   | mov rax, qword ptr [r15 + r12*8 + 0x2d2cd0]
         * 4c8b45af           | mov r8, qword ptr [rbp - 0x51]
         * 4c2bc7             | sub r8, rdi
         * 420fb64cf03e       | movzx ecx, byte ptr [rax + r14*8 + 0x3e]
         * 460fbebc3960022d00 | movsx r15d, byte ptr [rcx + r15 + 0x2d0260]
         * 41ffc7             | inc r15d
         * 458bef             | mov r13d, r15d
         * 442bea             | sub r13d, edx
         * 4d63d5             | movsxd r10, r13d
         * 4d3bd0             | cmp r10, r8
         * 0f8f78020000       | jg 0x1401ffdb9
         */
        $blockhash_0x9cc1c27925f1c35f = { 4b8b84e7d02c2d00 4c8b45af 4c2bc7 420fb64cf03e 460fbebc3960022d00 41ffc7 458bef 442bea 4d63d5 4d3bd0 0f8f???????? }

        /* picblockhash: 0x826769b1e3d9c0fc - coverage: 1/1 samples.
         * 0fb607             | movzx eax, byte ptr [rdi]
         * 498bd5             | mov rdx, r13
         * 482bd7             | sub rdx, rdi
         * 4a0fbeb43860022d00 | movsx rsi, byte ptr [rax + r15 + 0x2d0260]
         * 8d4e01             | lea ecx, [rsi + 1]
         * 4863c1             | movsxd rax, ecx
         * 483bc2             | cmp rax, rdx
         * 0f8fe4010000       | jg 0x1401ffdf3
         */
        $blockhash_0x826769b1e3d9c0fc = { 0fb607 498bd5 482bd7 4a0fbeb43860022d00 8d4e01 4863c1 483bc2 0f8f???????? }

        /* picblockhash: 0x26d7edbd8d267bed - coverage: 1/1 samples.
         * 8a0437           | mov al, byte ptr [rdi + rsi]
         * ffc2             | inc edx
         * 4a8b8ce3d02c2d00 | mov rcx, qword ptr [rbx + r12*8 + 0x2d2cd0]
         * 4803ce           | add rcx, rsi
         * 48ffc6           | inc rsi
         * 428844f13e       | mov byte ptr [rcx + r14*8 + 0x3e], al
         * 4863c2           | movsxd rax, edx
         * 493bc0           | cmp rax, r8
         * 7ce0             | jl 0x1401ffdcb
         */
        $blockhash_0x26d7edbd8d267bed = { 8a0437 ffc2 4a8b8ce3d02c2d00 4803ce 48ffc6 428844f13e 4863c2 493bc0 7c?? }

        /* picblockhash: 0x11bb0000ce80b5fe - coverage: 1/1 samples.
         * 418a0438         | mov al, byte ptr [r8 + rdi]
         * 41ffc1           | inc r9d
         * 4b8b8cd7d02c2d00 | mov rcx, qword ptr [r15 + r10*8 + 0x2d2cd0]
         * 4903c8           | add rcx, r8
         * 49ffc0           | inc r8
         * 428844d93e       | mov byte ptr [rcx + r11*8 + 0x3e], al
         * 4963c1           | movsxd rax, r9d
         * 483bc2           | cmp rax, rdx
         * 7cde             | jl 0x1401ffe18
         */
        $blockhash_0x11bb0000ce80b5fe = { 418a0438 41ffc1 4b8b8cd7d02c2d00 4903c8 49ffc0 428844d93e 4963c1 483bc2 7c?? }

        /* picblockhash: 0x30abb68a1956753d - coverage: 1/1 samples.
         * 8a07             | mov al, byte ptr [rdi]
         * 4c8d05ab01e0ff   | lea r8, [rip - 0x1ffe55]
         * 4b8b8ce0d02c2d00 | mov rcx, qword ptr [r8 + r12*8 + 0x2d2cd0]
         * ffc3             | inc ebx
         * 895d9b           | mov dword ptr [rbp - 0x65], ebx
         * 428844f13e       | mov byte ptr [rcx + r14*8 + 0x3e], al
         * 4b8b84e0d02c2d00 | mov rax, qword ptr [r8 + r12*8 + 0x2d2cd0]
         * 42804cf03d04     | or byte ptr [rax + r14*8 + 0x3d], 4
         * 38558f           | cmp byte ptr [rbp - 0x71], dl
         * ebcc             | jmp 0x1401ffe46
         */
        $blockhash_0x30abb68a1956753d = { 8a07 4c8d05???????? 4b8b8ce0d02c2d00 ffc3 895d9b 428844f13e 4b8b84e0d02c2d00 42804cf03d04 38558f eb?? }

        /* picblockhash: 0x47083a9897a47573 - coverage: 1/1 samples.
         * 498bc5           | mov rax, r13
         * 4c8d0d21f6dfff   | lea r9, [rip - 0x2009df]
         * 83e03f           | and eax, 0x3f
         * 498bd5           | mov rdx, r13
         * 48c1fa06         | sar rdx, 6
         * 4c8d04c0         | lea r8, [rax + rax*8]
         * 498b84d1d02c2d00 | mov rax, qword ptr [r9 + rdx*8 + 0x2d2cd0]
         * 42f644c03848     | test byte ptr [rax + r8*8 + 0x38], 0x48
         * 7430             | je 0x140200a2d
         */
        $blockhash_0x47083a9897a47573 = { 498bc5 4c8d0d???????? 83e03f 498bd5 48c1fa06 4c8d04c0 498b84d1d02c2d00 42f644c03848 74?? }

        /* picblockhash: 0x37de2b88bfe990b6 - coverage: 1/1 samples.
         * 2bc3             | sub eax, ebx
         * 488d0d2df4dfff   | lea rcx, [rip - 0x200bd3]
         * 488b8ce9d02c2d00 | mov rcx, qword ptr [rcx + rbp*8 + 0x2d2cd0]
         * 8064f93dfd       | and byte ptr [rcx + rdi*8 + 0x3d], 0xfd
         * f7d8             | neg eax
         * 1ac0             | sbb al, al
         * 2402             | and al, 2
         * 0844f93d         | or byte ptr [rcx + rdi*8 + 0x3d], al
         * 8d0412           | lea eax, [rdx + rdx]
         */
        $blockhash_0x37de2b88bfe990b6 = { 2bc3 488d0d???????? 488b8ce9d02c2d00 8064f93dfd f7d8 1ac0 2402 0844f93d 8d0412 }

    condition:
        // Any 7 of the 10 block patterns must be present (tolerates up to
        // three blocks being recompiled or absent), and the scanned file must
        // be smaller than 5 MB.
        7 of them and filesize < 5MB
}