win.royal_ransom

Royal Ransom


Ransomware

References
2025-07-31  Intrinsec (CTI Intrinsec)
    Shadow syndicate infrastructure illumination
    Tags: AMOS, BlackCat, Cactus, Cicada3301, Clop, LockBit, PLAY, RansomHub, Royal Ransom, Silence

2025-07-24  Bleeping Computer (Sergiu Gatlan)
    BlackSuit ransomware extortion sites seized in Operation Checkmate
    Tags: BlackSuit, Mount Locker, Royal Ransom

2025-01-14  RedSense (Landon Rice, Marley Smith, Yelisey Bohuslavskiy)
    From Royal to BlackSuit
    Tags: BlackSuit, Royal Ransom

2024-01-04  Arctic Wolf (Stefan Hostetler, Steven Campbell)
    Follow-On Extortion Campaign Targeting Victims of Akira and Royal Ransomware
    Tags: Akira, Royal Ransom

2023-09-12  ANSSI (ANSSI)
    FIN12: A Cybercriminal Group with Multiple Ransomware
    Tags: BlackCat, Cobalt Strike, Conti, Hive, MimiKatz, Nokoyawa Ransomware, PLAY, Royal Ransom, Ryuk, SystemBC

2023-07-26  Talos (Nicole Hoffman)
    Incident Response trends Q2 2023: Data theft extortion rises, while healthcare is still most-targeted vertical
    Tags: 8Base, BianLian, Clop, LockBit, Money Message, Royal Ransom

2023-06-27  SecurityIntelligence (Charlotte Hammond, Ole Villadsen)
    The Trickbot/Conti Crypters: Where Are They Now?
    Tags: Black Basta, Conti, Mount Locker, PhotoLoader, Royal Ransom, SystemBC, TrickBot

2023-05-10  Bridewell (Bridewell)
    Hunting for Ursnif
    Tags: ISFB, Royal Ransom

2023-05-09  paloalto Networks: Unit42 (Anthony Galiette, Daniel Bunce, Doel Santos)
    Threat Assessment: Royal Ransomware
    Tags: Royal Ransom

2023-04-19  Bleeping Computer (Bill Toulas)
    March 2023 broke ransomware attack records with 459 incidents
    Tags: BianLian, Black Basta, BlackCat, Clop, LockBit, Medusa, PLAY, Royal Ransom, WhiteRabbit

2023-04-18  Mandiant (Mandiant)
    M-Trends 2023
    Tags: QUIETEXIT, AppleJeus, Black Basta, BlackCat, CaddyWiper, Cobalt Strike, Dharma, HermeticWiper, Hive, INDUSTROYER2, Ladon, LockBit, Meterpreter, PartyTicket, PlugX, QakBot, REvil, Royal Ransom, SystemBC, WhisperGate

2023-04-11  Coalition (Leeann Nicolo)
    Security Alert: Royal Ransomware Targeting Firewalls
    Tags: Royal Ransom

2023-04-03  Trellix (Alexandre Mundo, Max Kersten)
    A Royal Analysis of Royal Ransom
    Tags: Royal Ransom

2023-03-30  United States District Court (Eastern District of New York) (Fortra, HEALTH-ISAC, Microsoft)
    Cracked Cobalt Strike (1:23-cv-02447)
    Tags: Black Basta, BlackCat, Cobalt Strike, Cuba, Emotet, LockBit, Mount Locker, PLAY, QakBot, RagnarLocker, Royal Ransom, Zloader

2023-03-10  Medium walmartglobaltech (Jason Reaves, Joshua Platt)
    From Royal With Love
    Tags: Cobalt Strike, Conti, PLAY, Royal Ransom, Somnia

2023-03-02  CISA (CISA)
    #StopRansomware: Royal Ransomware
    Tags: Royal Ransom

2023-02-27  PRODAFT Threat Intelligence (PRODAFT)
    RIG Exploit Kit: In-Depth Analysis
    Tags: Dridex, IcedID, ISFB, PureCrypter, Raccoon, RecordBreaker, RedLine Stealer, Royal Ransom, Silence, SmokeLoader, Zloader

2023-02-20  Trendmicro (Byron Gelera, Ivan Nicole Chavez, Nathaniel Morales)
    Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers
    Tags: Royal Ransom

2023-02-13  Kroll (Laurie Iacono, Stephen Green)
    Royal Ransomware Deep Dive
    Tags: Cobalt Strike, Royal Ransom

2023-01-24  ACSC (Australian Cyber Security Centre (ACSC))
    2023-01: ACSC Ransomware Profile - Royal
    Tags: Royal Ransom

2023-01-09  SOCRadar (SOCRadar)
    Dark Web Profile: Royal Ransomware
    Tags: Royal Ransom

2023-01-05  Logpoint (Anish Bogati)
    A crowning achievement: Exploring the exploit of Royal ransomware
    Tags: Royal Ransom

2022-12-21  Trendmicro (Byron Gelera, Don Ovid Ladores, Ivan Nicole Chavez, Khristian Joseph Morales, Monte de Jesus)
    Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks
    Tags: Royal Ransom

2022-12-14  Cybereason (Alon Laufer, Eli Salem, Mark Tsipershtein)
    Royal Rumble: Analysis of Royal Ransomware
    Tags: Royal Ransom

2022-12-13  Avertium (Avertium)
    Everything You Need to Know about Royal Ransomware
    Tags: Royal Ransom

2022-11-27  SecurityScorecard (Vlad Pasca)
    A Technical Analysis of Royal Ransomware
    Tags: Royal Ransom

2022-11-17  Microsoft (Microsoft Security Threat Intelligence)
    DEV-0569 finds new ways to deliver Royal ransomware, various payloads
    Tags: Royal Ransom, DEV-0569

2022-11-17  Yoroi (Carmelo Ragusa, Luigi Martire)
    Reconstructing the last activities of Royal Ransomware
    Tags: Royal Ransom

2022-10-13  Fortinet (James Slaughter, Shunichi Imano)
    Ransomware Roundup: Royal Ransomware
    Tags: Royal Ransom

2022-09-29  BleepingComputer (Lawrence Abrams)
    New Royal Ransomware emerges in multi-million dollar attacks
    Tags: Royal Ransom
Yara Rules
[TLP:WHITE] win_royal_ransom_auto (20260504 | Detects win.royal_ransom.)
rule win_royal_ransom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.royal_ransom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // The byte sequences below are x86-64 code; the per-line comments give the
        // 64-bit decoding of each instruction. Wildcarded (??) bytes are rel32 call/jmp
        // targets and RIP-relative displacements that vary between samples.

        $sequence_0 = { e8???????? 41b889000000 488d15e0541500 498bce e8???????? 33c0 488b5c2470 }
            // n = 7, score = 100
            //   e8????????           | call                <wildcarded rel32>
            //   41b889000000         | mov                 r8d, 0x89
            //   488d15e0541500       | lea                 rdx, [rip + 0x1554e0]
            //   498bce               | mov                 rcx, r14
            //   e8????????           | call                <wildcarded rel32>
            //   33c0                 | xor                 eax, eax
            //   488b5c2470           | mov                 rbx, qword ptr [rsp + 0x70]

        $sequence_1 = { b820000000 e8???????? 482be0 488bd9 448d4009 488b4918 488d15e7a80d00 }
            // n = 7, score = 100
            //   b820000000           | mov                 eax, 0x20
            //   e8????????           | call                <wildcarded rel32>
            //   482be0               | sub                 rsp, rax
            //   488bd9               | mov                 rbx, rcx
            //   448d4009             | lea                 r8d, [rax + 9]
            //   488b4918             | mov                 rcx, qword ptr [rcx + 0x18]
            //   488d15e7a80d00       | lea                 rdx, [rip + 0xda8e7]

        $sequence_2 = { e8???????? 482be0 488bc2 488bf9 488bc8 488d1595640900 e8???????? }
            // n = 7, score = 100
            //   e8????????           | call                <wildcarded rel32>
            //   482be0               | sub                 rsp, rax
            //   488bc2               | mov                 rax, rdx
            //   488bf9               | mov                 rdi, rcx
            //   488bc8               | mov                 rcx, rax
            //   488d1595640900       | lea                 rdx, [rip + 0x96495]
            //   e8????????           | call                <wildcarded rel32>

        $sequence_3 = { e9???????? 4533c0 c744243001000000 498bcf 418d5003 e8???????? 488bcd }
            // n = 7, score = 100
            //   e9????????           | jmp                 <wildcarded rel32>
            //   4533c0               | xor                 r8d, r8d
            //   c744243001000000     | mov                 dword ptr [rsp + 0x30], 1
            //   498bcf               | mov                 rcx, r15
            //   418d5003             | lea                 edx, [r8 + 3]
            //   e8????????           | call                <wildcarded rel32>
            //   488bcd               | mov                 rcx, rbp

        $sequence_4 = { e8???????? 85c0 0f8486000000 488d15896f0700 488bcf e8???????? 488bf8 }
            // n = 7, score = 100
            //   e8????????           | call                <wildcarded rel32>
            //   85c0                 | test                eax, eax
            //   0f8486000000         | je                  +0x86
            //   488d15896f0700       | lea                 rdx, [rip + 0x76f89]
            //   488bcf               | mov                 rcx, rdi
            //   e8????????           | call                <wildcarded rel32>
            //   488bf8               | mov                 rdi, rax

        $sequence_5 = { 7649 e8???????? 4c8d05565d1400 bab90c0000 488d0dca5c1400 e8???????? 4533c0 }
            // n = 7, score = 100
            //   7649                 | jbe                 +0x49
            //   e8????????           | call                <wildcarded rel32>
            //   4c8d05565d1400       | lea                 r8, [rip + 0x145d56]
            //   bab90c0000           | mov                 edx, 0xcb9
            //   488d0dca5c1400       | lea                 rcx, [rip + 0x145cca]
            //   e8????????           | call                <wildcarded rel32>
            //   4533c0               | xor                 r8d, r8d

        $sequence_6 = { ba12020000 488d0df73e1500 e8???????? ba78000000 eb6a 80bc24c000000000 0f8599000000 }
            // n = 7, score = 100
            //   ba12020000           | mov                 edx, 0x212
            //   488d0df73e1500       | lea                 rcx, [rip + 0x153ef7]
            //   e8????????           | call                <wildcarded rel32>
            //   ba78000000           | mov                 edx, 0x78
            //   eb6a                 | jmp                 +0x6a
            //   80bc24c000000000     | cmp                 byte ptr [rsp + 0xc0], 0
            //   0f8599000000         | jne                 +0x99

        $sequence_7 = { e8???????? 482be0 488b05???????? 4833c4 488985c06d0000 48899c24006f0000 4889b424086f0000 }
            // n = 7, score = 100
            // (shape of a large-frame function prologue: stack probe, then cookie xor'ed with rsp)
            //   e8????????           | call                <wildcarded rel32>
            //   482be0               | sub                 rsp, rax
            //   488b05????????       | mov                 rax, qword ptr [rip + <wildcarded disp32>]
            //   4833c4               | xor                 rax, rsp
            //   488985c06d0000       | mov                 qword ptr [rbp + 0x6dc0], rax
            //   48899c24006f0000     | mov                 qword ptr [rsp + 0x6f00], rbx
            //   4889b424086f0000     | mov                 qword ptr [rsp + 0x6f08], rsi

        $sequence_8 = { 749c 488d1515dd0900 488bcf e8???????? 488bd8 4885c0 7449 }
            // n = 7, score = 100
            //   749c                 | je                  -0x64
            //   488d1515dd0900       | lea                 rdx, [rip + 0x9dd15]
            //   488bcf               | mov                 rcx, rdi
            //   e8????????           | call                <wildcarded rel32>
            //   488bd8               | mov                 rbx, rax
            //   4885c0               | test                rax, rax
            //   7449                 | je                  +0x49

        $sequence_9 = { e8???????? badd030000 4c8d05dab61200 488d0debb61200 e8???????? ba74000000 e9???????? }
            // n = 7, score = 100
            //   e8????????           | call                <wildcarded rel32>
            //   badd030000           | mov                 edx, 0x3dd
            //   4c8d05dab61200       | lea                 r8, [rip + 0x12b6da]
            //   488d0debb61200       | lea                 rcx, [rip + 0x12b6eb]
            //   e8????????           | call                <wildcarded rel32>
            //   ba74000000           | mov                 edx, 0x74
            //   e9????????           | jmp                 <wildcarded rel32>

    condition:
        7 of them and filesize < 6235136
}
[TLP:WHITE] win_royal_ransom_w0   (20230131 | Code-based YARA rule composed from potentially unique basic blocks for the selected set of samples/family.)
rule win_royal_ransom_w0 {
    meta:
        author = "MCRIT YARA Generator"
        description = "Code-based YARA rule composed from potentially unique basic blocks for the selected set of samples/family."
        date = "2023-01-31"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom"
        malpedia_rule_date = "20230131"
        malpedia_hash = ""
        malpedia_version = "20230131"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Rule generation selected 10 picblocks, covering 1/1 input sample(s).
        /* picblockhash: 0x76087cc405bd2363 - coverage: 1/1 samples.
         * 4d8bb4f620c52a00 | mov r14, qword ptr [r14 + rsi*8 + 0x2ac520]
         * 33d2             | xor edx, edx
         * 498bce           | mov rcx, r14
         * 41b800080000     | mov r8d, 0x800
         * ff1517160100     | call qword ptr [rip + 0x11617]
         * 488bd8           | mov rbx, rax
         * 4885c0           | test rax, rax
         * 754f             | jne 0x1401fae20
         */
        $blockhash_0x76087cc405bd2363 = { 4d8bb4f620c52a00 33d2 498bce 41b800080000 ff15???????? 488bd8 4885c0 75?? }

        /* picblockhash: 0xad441b53d9617a84 - coverage: 1/1 samples.
         * 4c8b05964a0d00   | mov r8, qword ptr [rip + 0xd4a96]
         * ba40000000       | mov edx, 0x40
         * 418bc8           | mov ecx, r8d
         * 83e13f           | and ecx, 0x3f
         * 2bd1             | sub edx, ecx
         * 8aca             | mov cl, dl
         * 488bd0           | mov rdx, rax
         * 48d3ca           | ror rdx, cl
         * 4933d0           | xor rdx, r8
         * 4b8794fe80312d00 | xchg qword ptr [r14 + r15*8 + 0x2d3180], rdx
         * eb2d             | jmp 0x1401faed9
         */
        $blockhash_0xad441b53d9617a84 = { 4c8b05???????? ba40000000 418bc8 83e13f 2bd1 8aca 488bd0 48d3ca 4933d0 4b8794fe80312d00 eb?? }

        /* picblockhash: 0x8a5718142d9721e2 - coverage: 1/1 samples.
         * 418bc2           | mov eax, r10d
         * b940000000       | mov ecx, 0x40
         * 83e03f           | and eax, 0x3f
         * 2bc8             | sub ecx, eax
         * 48d3cf           | ror rdi, cl
         * 4933fa           | xor rdi, r10
         * 4b87bcfe80312d00 | xchg qword ptr [r14 + r15*8 + 0x2d3180], rdi
         */
        $blockhash_0x8a5718142d9721e2 = { 418bc2 b940000000 83e03f 2bc8 48d3cf 4933fa 4b87bcfe80312d00 }

        /* picblockhash: 0x9cc1c27925f1c35f - coverage: 1/1 samples.
         * 4b8b84e7d02c2d00   | mov rax, qword ptr [r15 + r12*8 + 0x2d2cd0]
         * 4c8b45af           | mov r8, qword ptr [rbp - 0x51]
         * 4c2bc7             | sub r8, rdi
         * 420fb64cf03e       | movzx ecx, byte ptr [rax + r14*8 + 0x3e]
         * 460fbebc3960022d00 | movsx r15d, byte ptr [rcx + r15 + 0x2d0260]
         * 41ffc7             | inc r15d
         * 458bef             | mov r13d, r15d
         * 442bea             | sub r13d, edx
         * 4d63d5             | movsxd r10, r13d
         * 4d3bd0             | cmp r10, r8
         * 0f8f78020000       | jg 0x1401ffdb9
         */
        $blockhash_0x9cc1c27925f1c35f = { 4b8b84e7d02c2d00 4c8b45af 4c2bc7 420fb64cf03e 460fbebc3960022d00 41ffc7 458bef 442bea 4d63d5 4d3bd0 0f8f???????? }

        /* picblockhash: 0x826769b1e3d9c0fc - coverage: 1/1 samples.
         * 0fb607             | movzx eax, byte ptr [rdi]
         * 498bd5             | mov rdx, r13
         * 482bd7             | sub rdx, rdi
         * 4a0fbeb43860022d00 | movsx rsi, byte ptr [rax + r15 + 0x2d0260]
         * 8d4e01             | lea ecx, [rsi + 1]
         * 4863c1             | movsxd rax, ecx
         * 483bc2             | cmp rax, rdx
         * 0f8fe4010000       | jg 0x1401ffdf3
         */
        $blockhash_0x826769b1e3d9c0fc = { 0fb607 498bd5 482bd7 4a0fbeb43860022d00 8d4e01 4863c1 483bc2 0f8f???????? }

        /* picblockhash: 0x26d7edbd8d267bed - coverage: 1/1 samples.
         * 8a0437           | mov al, byte ptr [rdi + rsi]
         * ffc2             | inc edx
         * 4a8b8ce3d02c2d00 | mov rcx, qword ptr [rbx + r12*8 + 0x2d2cd0]
         * 4803ce           | add rcx, rsi
         * 48ffc6           | inc rsi
         * 428844f13e       | mov byte ptr [rcx + r14*8 + 0x3e], al
         * 4863c2           | movsxd rax, edx
         * 493bc0           | cmp rax, r8
         * 7ce0             | jl 0x1401ffdcb
         */
        $blockhash_0x26d7edbd8d267bed = { 8a0437 ffc2 4a8b8ce3d02c2d00 4803ce 48ffc6 428844f13e 4863c2 493bc0 7c?? }

        /* picblockhash: 0x11bb0000ce80b5fe - coverage: 1/1 samples.
         * 418a0438         | mov al, byte ptr [r8 + rdi]
         * 41ffc1           | inc r9d
         * 4b8b8cd7d02c2d00 | mov rcx, qword ptr [r15 + r10*8 + 0x2d2cd0]
         * 4903c8           | add rcx, r8
         * 49ffc0           | inc r8
         * 428844d93e       | mov byte ptr [rcx + r11*8 + 0x3e], al
         * 4963c1           | movsxd rax, r9d
         * 483bc2           | cmp rax, rdx
         * 7cde             | jl 0x1401ffe18
         */
        $blockhash_0x11bb0000ce80b5fe = { 418a0438 41ffc1 4b8b8cd7d02c2d00 4903c8 49ffc0 428844d93e 4963c1 483bc2 7c?? }

        /* picblockhash: 0x30abb68a1956753d - coverage: 1/1 samples.
         * 8a07             | mov al, byte ptr [rdi]
         * 4c8d05ab01e0ff   | lea r8, [rip - 0x1ffe55]
         * 4b8b8ce0d02c2d00 | mov rcx, qword ptr [r8 + r12*8 + 0x2d2cd0]
         * ffc3             | inc ebx
         * 895d9b           | mov dword ptr [rbp - 0x65], ebx
         * 428844f13e       | mov byte ptr [rcx + r14*8 + 0x3e], al
         * 4b8b84e0d02c2d00 | mov rax, qword ptr [r8 + r12*8 + 0x2d2cd0]
         * 42804cf03d04     | or byte ptr [rax + r14*8 + 0x3d], 4
         * 38558f           | cmp byte ptr [rbp - 0x71], dl
         * ebcc             | jmp 0x1401ffe46
         */
        $blockhash_0x30abb68a1956753d = { 8a07 4c8d05???????? 4b8b8ce0d02c2d00 ffc3 895d9b 428844f13e 4b8b84e0d02c2d00 42804cf03d04 38558f eb?? }

        /* picblockhash: 0x47083a9897a47573 - coverage: 1/1 samples.
         * 498bc5           | mov rax, r13
         * 4c8d0d21f6dfff   | lea r9, [rip - 0x2009df]
         * 83e03f           | and eax, 0x3f
         * 498bd5           | mov rdx, r13
         * 48c1fa06         | sar rdx, 6
         * 4c8d04c0         | lea r8, [rax + rax*8]
         * 498b84d1d02c2d00 | mov rax, qword ptr [r9 + rdx*8 + 0x2d2cd0]
         * 42f644c03848     | test byte ptr [rax + r8*8 + 0x38], 0x48
         * 7430             | je 0x140200a2d
         */
        $blockhash_0x47083a9897a47573 = { 498bc5 4c8d0d???????? 83e03f 498bd5 48c1fa06 4c8d04c0 498b84d1d02c2d00 42f644c03848 74?? }

        /* picblockhash: 0x37de2b88bfe990b6 - coverage: 1/1 samples.
         * 2bc3             | sub eax, ebx
         * 488d0d2df4dfff   | lea rcx, [rip - 0x200bd3]
         * 488b8ce9d02c2d00 | mov rcx, qword ptr [rcx + rbp*8 + 0x2d2cd0]
         * 8064f93dfd       | and byte ptr [rcx + rdi*8 + 0x3d], 0xfd
         * f7d8             | neg eax
         * 1ac0             | sbb al, al
         * 2402             | and al, 2
         * 0844f93d         | or byte ptr [rcx + rdi*8 + 0x3d], al
         * 8d0412           | lea eax, [rdx + rdx]
         */
        $blockhash_0x37de2b88bfe990b6 = { 2bc3 488d0d???????? 488b8ce9d02c2d00 8064f93dfd f7d8 1ac0 2402 0844f93d 8d0412 }

    condition:
        7 of them and filesize < 5MB
}