Royal Ransom (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.royal_ransom (Back to overview)

Royal Ransom

VTCollection

Ransomware

References

2024-01-04 ⋅ Arctic Wolf ⋅ Stefan Hostetler, Steven Campbell
Follow-On Extortion Campaign Targeting Victims of Akira and Royal Ransomware
Akira Royal Ransom

2023-09-12 ⋅ ⋅ ANSSI ⋅ ANSSI
FIN12: A Cybercriminal Group with Multiple Ransomware
BlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC

2023-07-26 ⋅ Talos ⋅ Nicole Hoffman
Incident Response trends Q2 2023: Data theft extortion rises, while healthcare is still most-targeted vertical
BianLian Clop LockBit Royal Ransom LockBit 8Base BianLian Clop LockBit Money Message Royal Ransom

2023-06-27 ⋅ SecurityIntelligence ⋅ Charlotte Hammond, Ole Villadsen
The Trickbot/Conti Crypters: Where Are They Now?
Black Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot

2023-05-10 ⋅ Bridewell ⋅ Bridewell
Hunting for Ursnif
ISFB Royal Ransom

2023-05-09 ⋅ paloalto Netoworks: Unit42 ⋅ Anthony Galiette, Daniel Bunce, Doel Santos
Threat Assessment: Royal Ransomware
Royal Ransom Royal Ransom

2023-04-19 ⋅ Bleeping Computer ⋅ Bill Toulas
March 2023 broke ransomware attack records with 459 incidents
Clop WhiteRabbit BianLian Black Basta BlackCat LockBit MedusaLocker PLAY Royal Ransom

2023-04-18 ⋅ Mandiant ⋅ Mandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate

2023-04-11 ⋅ Coalition ⋅ Leeann Nicolo
Security Alert: Royal Ransomware Targeting Firewalls
Royal Ransom

2023-04-03 ⋅ Trellix ⋅ Alexandre Mundo, Max Kersten
A Royal Analysis of Royal Ransom
Royal Ransom

2023-03-30 ⋅ United States District Court (Eastern District of New York) ⋅ Fortra, HEALTH-ISAC, Microsoft
Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader

2023-03-10 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
From Royal With Love
Cobalt Strike Conti PLAY Royal Ransom Somnia

2023-03-02 ⋅ CISA ⋅ CISA
#StopRansomware: Royal Ransomware
Royal Ransom Royal Ransom

2023-02-27 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT
RIG Exploit Kit: In-Depth Analysis
Dridex IcedID ISFB PureCrypter Raccoon RecordBreaker RedLine Stealer Royal Ransom Silence SmokeLoader Zloader

2023-02-20 ⋅ Trendmicro ⋅ Byron Gelera, Ivan Nicole Chavez, Nathaniel Morales
Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers
Royal Ransom Royal Ransom

2023-02-13 ⋅ Kroll ⋅ Laurie Iacono, Stephen Green
Royal Ransomware Deep Dive
Cobalt Strike Royal Ransom

2023-01-24 ⋅ ACSC ⋅ Australian Cyber Security Centre (ACSC)
2023-01: ACSC Ransomware Profile - Royal
Royal Ransom

2023-01-09 ⋅ SOCRadar ⋅ SOCRadar
Dark Web Profile: Royal Ransomware
Royal Ransom

2023-01-05 ⋅ Logpoint ⋅ Anish Bogati
A crowning achievement: Exploring the exploit of Royal ransomware
Royal Ransom

2022-12-21 ⋅ Trendmicro ⋅ Byron Gelera, Don Ovid Ladores, Ivan Nicole Chavez, Khristian Joseph Morales, Monte de Jesus
Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks
Royal Ransom

2022-12-14 ⋅ Cybereason ⋅ Alon Laufer, Eli Salem, Mark Tsipershtein
Royal Rumble: Analysis of Royal Ransomware
Royal Ransom

2022-12-13 ⋅ Avertium ⋅ Avertium
Everything You Need to Know about Royal Ransomware
Royal Ransom

2022-11-27 ⋅ SecurityScorecard ⋅ Vlad Pasca
A Technical Analysis of Royal Ransomware
Royal Ransom

2022-11-17 ⋅ Microsoft ⋅ Microsoft Security Threat Intelligence
DEV-0569 finds new ways to deliver Royal ransomware, various payloads
Royal Ransom DEV-0569

2022-11-17 ⋅ Yoroi ⋅ Carmelo Ragusa, Luigi Martire
Reconstructing the last activities of Royal Ransomware
Royal Ransom

2022-10-13 ⋅ Fortinet ⋅ James Slaughter, Shunichi Imano
Ransomware Roundup: Royal Ransomware
Royal Ransom

2022-09-29 ⋅ BleepingComputer ⋅ Lawrence Abrams
New Royal Ransomware emerges in multi-million dollar attacks
Royal Ransom

Yara Rules

[TLP:WHITE] win_royal_ransom_auto (20230808 | Detects win.royal_ransom.)

rule win_royal_ransom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.royal_ransom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 752f e8???????? 4c8d05d60c1400 ba8b010000 488d0d320c1400 e8???????? 4533c0 }
            // n = 7, score = 100
            //   752f                 | lea                 edx, [0x143571]
            //   e8????????           |                     
            //   4c8d05d60c1400       | inc                 ebp
            //   ba8b010000           | xor                 ecx, ecx
            //   488d0d320c1400       | test                eax, eax
            //   e8????????           |                     
            //   4533c0               | jle                 0x78b

        $sequence_1 = { e9???????? 2bc3 488d0d2df4dfff 488b8ce9d02c2d00 8064f93dfd f7d8 1ac0 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   2bc3                 | dec                 eax
            //   488d0d2df4dfff       | arpl                di, ax
            //   488b8ce9d02c2d00     | dec                 eax
            //   8064f93dfd           | lea                 ebx, [eax*8]
            //   f7d8                 | dec                 eax
            //   1ac0                 | add                 ecx, ebx

        $sequence_2 = { e8???????? 33c0 e9???????? 488b4820 e8???????? 85c0 0f8497020000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   33c0                 | inc                 ecx
            //   e9????????           |                     
            //   488b4820             | mov                 eax, 0xa
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   0f8497020000         | mov                 edx, esi

        $sequence_3 = { e8???????? 488d4e24 448bc8 4c8d0579a80d00 ba09000000 e8???????? 488bcb }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488d4e24             | inc                 ebp
            //   448bc8               | xor                 ecx, dword ptr [edi + ecx*4 + 0x25fb80]
            //   4c8d0579a80d00       | inc                 esp
            //   ba09000000           | mov                 eax, ebx
            //   e8????????           |                     
            //   488bcb               | mov                 dword ptr [esp + 0x20], 0xffffffff

        $sequence_4 = { 8bc2 896c2444 418bfe 83fa02 7d3e e8???????? 4c8d05e7a90f00 }
            // n = 7, score = 100
            //   8bc2                 | dec                 eax
            //   896c2444             | mov                 ecx, edi
            //   418bfe               | dec                 eax
            //   83fa02               | test                eax, eax
            //   7d3e                 | je                  0xe0e
            //   e8????????           |                     
            //   4c8d05e7a90f00       | dec                 eax

        $sequence_5 = { 488d1507b51300 41b893040000 e8???????? 41b894040000 488d15efb41300 488bcf e8???????? }
            // n = 7, score = 100
            //   488d1507b51300       | dec                 esp
            //   41b893040000         | lea                 eax, [0xfa846]
            //   e8????????           |                     
            //   41b894040000         | mov                 edx, 0x69
            //   488d15efb41300       | dec                 eax
            //   488bcf               | lea                 ecx, [0xfa7fa]
            //   e8????????           |                     

        $sequence_6 = { e8???????? baa6000000 4c89742420 4c8bcd 4c8d05f3a80e00 8d4a93 e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   baa6000000           | dec                 eax
            //   4c89742420           | lea                 ecx, [0xd9b5a]
            //   4c8bcd               | dec                 eax
            //   4c8d05f3a80e00       | cmp                 eax, esi
            //   8d4a93               | jne                 0xe0d
            //   e8????????           |                     

        $sequence_7 = { 754a e8???????? 4c8d054e820d00 baa2000000 488d0df2810d00 e8???????? 4533c0 }
            // n = 7, score = 100
            //   754a                 | lea                 edx, [0x146338]
            //   e8????????           |                     
            //   4c8d054e820d00       | dec                 eax
            //   baa2000000           | sub                 ebx, edi
            //   488d0df2810d00       | test                eax, eax
            //   e8????????           |                     
            //   4533c0               | jne                 0x362

        $sequence_8 = { b828000000 e8???????? 482be0 488d15fc4fffff 488d0d5de62000 e8???????? 33c9 }
            // n = 7, score = 100
            //   b828000000           | pop                 edi
            //   e8????????           |                     
            //   482be0               | ret                 
            //   488d15fc4fffff       | inc                 ecx
            //   488d0d5de62000       | mov                 eax, 0x3c
            //   e8????????           |                     
            //   33c9                 | dec                 eax

        $sequence_9 = { e8???????? 85c0 7437 488d05297a0000 4c89742430 4889442428 4c8d0d485c0e00 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   7437                 | mov                 ebx, ecx
            //   488d05297a0000       | inc                 esp
            //   4c89742430           | lea                 eax, [eax + 0x6d]
            //   4889442428           | dec                 eax
            //   4c8d0d485c0e00       | mov                 ecx, dword ptr [ecx + 0x20]

    condition:
        7 of them and filesize < 6235136
}

[TLP:WHITE] win_royal_ransom_w0 (20230131 | Code-based YARA rule composed from potentially unique basic blocks for the selected set of samples/family.)

rule win_royal_ransom_w0 {
    meta:
        author = "MCRIT YARA Generator"
        description = "Code-based YARA rule composed from potentially unique basic blocks for the selected set of samples/family."
        date = "2023-01-31"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom"
        malpedia_rule_date = "20230131"
        malpedia_hash = ""
        malpedia_version = "20230131"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Rule generation selected 10 picblocks, covering 1/1 input sample(s).
        /* picblockhash: 0x76087cc405bd2363 - coverage: 1/1 samples.
         * 4d8bb4f620c52a00 | mov r14, qword ptr [r14 + rsi*8 + 0x2ac520]
         * 33d2             | xor edx, edx
         * 498bce           | mov rcx, r14
         * 41b800080000     | mov r8d, 0x800
         * ff1517160100     | call qword ptr [rip + 0x11617]
         * 488bd8           | mov rbx, rax
         * 4885c0           | test rax, rax
         * 754f             | jne 0x1401fae20
         */
        $blockhash_0x76087cc405bd2363 = { 4d8bb4f620c52a00 33d2 498bce 41b800080000 ff15???????? 488bd8 4885c0 75?? }

        /* picblockhash: 0xad441b53d9617a84 - coverage: 1/1 samples.
         * 4c8b05964a0d00   | mov r8, qword ptr [rip + 0xd4a96]
         * ba40000000       | mov edx, 0x40
         * 418bc8           | mov ecx, r8d
         * 83e13f           | and ecx, 0x3f
         * 2bd1             | sub edx, ecx
         * 8aca             | mov cl, dl
         * 488bd0           | mov rdx, rax
         * 48d3ca           | ror rdx, cl
         * 4933d0           | xor rdx, r8
         * 4b8794fe80312d00 | xchg qword ptr [r14 + r15*8 + 0x2d3180], rdx
         * eb2d             | jmp 0x1401faed9
         */
        $blockhash_0xad441b53d9617a84 = { 4c8b05???????? ba40000000 418bc8 83e13f 2bd1 8aca 488bd0 48d3ca 4933d0 4b8794fe80312d00 eb?? }

        /* picblockhash: 0x8a5718142d9721e2 - coverage: 1/1 samples.
         * 418bc2           | mov eax, r10d
         * b940000000       | mov ecx, 0x40
         * 83e03f           | and eax, 0x3f
         * 2bc8             | sub ecx, eax
         * 48d3cf           | ror rdi, cl
         * 4933fa           | xor rdi, r10
         * 4b87bcfe80312d00 | xchg qword ptr [r14 + r15*8 + 0x2d3180], rdi
         */
        $blockhash_0x8a5718142d9721e2 = { 418bc2 b940000000 83e03f 2bc8 48d3cf 4933fa 4b87bcfe80312d00 }

        /* picblockhash: 0x9cc1c27925f1c35f - coverage: 1/1 samples.
         * 4b8b84e7d02c2d00   | mov rax, qword ptr [r15 + r12*8 + 0x2d2cd0]
         * 4c8b45af           | mov r8, qword ptr [rbp - 0x51]
         * 4c2bc7             | sub r8, rdi
         * 420fb64cf03e       | movzx ecx, byte ptr [rax + r14*8 + 0x3e]
         * 460fbebc3960022d00 | movsx r15d, byte ptr [rcx + r15 + 0x2d0260]
         * 41ffc7             | inc r15d
         * 458bef             | mov r13d, r15d
         * 442bea             | sub r13d, edx
         * 4d63d5             | movsxd r10, r13d
         * 4d3bd0             | cmp r10, r8
         * 0f8f78020000       | jg 0x1401ffdb9
         */
        $blockhash_0x9cc1c27925f1c35f = { 4b8b84e7d02c2d00 4c8b45af 4c2bc7 420fb64cf03e 460fbebc3960022d00 41ffc7 458bef 442bea 4d63d5 4d3bd0 0f8f???????? }

        /* picblockhash: 0x826769b1e3d9c0fc - coverage: 1/1 samples.
         * 0fb607             | movzx eax, byte ptr [rdi]
         * 498bd5             | mov rdx, r13
         * 482bd7             | sub rdx, rdi
         * 4a0fbeb43860022d00 | movsx rsi, byte ptr [rax + r15 + 0x2d0260]
         * 8d4e01             | lea ecx, [rsi + 1]
         * 4863c1             | movsxd rax, ecx
         * 483bc2             | cmp rax, rdx
         * 0f8fe4010000       | jg 0x1401ffdf3
         */
        $blockhash_0x826769b1e3d9c0fc = { 0fb607 498bd5 482bd7 4a0fbeb43860022d00 8d4e01 4863c1 483bc2 0f8f???????? }

        /* picblockhash: 0x26d7edbd8d267bed - coverage: 1/1 samples.
         * 8a0437           | mov al, byte ptr [rdi + rsi]
         * ffc2             | inc edx
         * 4a8b8ce3d02c2d00 | mov rcx, qword ptr [rbx + r12*8 + 0x2d2cd0]
         * 4803ce           | add rcx, rsi
         * 48ffc6           | inc rsi
         * 428844f13e       | mov byte ptr [rcx + r14*8 + 0x3e], al
         * 4863c2           | movsxd rax, edx
         * 493bc0           | cmp rax, r8
         * 7ce0             | jl 0x1401ffdcb
         */
        $blockhash_0x26d7edbd8d267bed = { 8a0437 ffc2 4a8b8ce3d02c2d00 4803ce 48ffc6 428844f13e 4863c2 493bc0 7c?? }

        /* picblockhash: 0x11bb0000ce80b5fe - coverage: 1/1 samples.
         * 418a0438         | mov al, byte ptr [r8 + rdi]
         * 41ffc1           | inc r9d
         * 4b8b8cd7d02c2d00 | mov rcx, qword ptr [r15 + r10*8 + 0x2d2cd0]
         * 4903c8           | add rcx, r8
         * 49ffc0           | inc r8
         * 428844d93e       | mov byte ptr [rcx + r11*8 + 0x3e], al
         * 4963c1           | movsxd rax, r9d
         * 483bc2           | cmp rax, rdx
         * 7cde             | jl 0x1401ffe18
         */
        $blockhash_0x11bb0000ce80b5fe = { 418a0438 41ffc1 4b8b8cd7d02c2d00 4903c8 49ffc0 428844d93e 4963c1 483bc2 7c?? }

        /* picblockhash: 0x30abb68a1956753d - coverage: 1/1 samples.
         * 8a07             | mov al, byte ptr [rdi]
         * 4c8d05ab01e0ff   | lea r8, [rip - 0x1ffe55]
         * 4b8b8ce0d02c2d00 | mov rcx, qword ptr [r8 + r12*8 + 0x2d2cd0]
         * ffc3             | inc ebx
         * 895d9b           | mov dword ptr [rbp - 0x65], ebx
         * 428844f13e       | mov byte ptr [rcx + r14*8 + 0x3e], al
         * 4b8b84e0d02c2d00 | mov rax, qword ptr [r8 + r12*8 + 0x2d2cd0]
         * 42804cf03d04     | or byte ptr [rax + r14*8 + 0x3d], 4
         * 38558f           | cmp byte ptr [rbp - 0x71], dl
         * ebcc             | jmp 0x1401ffe46
         */
        $blockhash_0x30abb68a1956753d = { 8a07 4c8d05???????? 4b8b8ce0d02c2d00 ffc3 895d9b 428844f13e 4b8b84e0d02c2d00 42804cf03d04 38558f eb?? }

        /* picblockhash: 0x47083a9897a47573 - coverage: 1/1 samples.
         * 498bc5           | mov rax, r13
         * 4c8d0d21f6dfff   | lea r9, [rip - 0x2009df]
         * 83e03f           | and eax, 0x3f
         * 498bd5           | mov rdx, r13
         * 48c1fa06         | sar rdx, 6
         * 4c8d04c0         | lea r8, [rax + rax*8]
         * 498b84d1d02c2d00 | mov rax, qword ptr [r9 + rdx*8 + 0x2d2cd0]
         * 42f644c03848     | test byte ptr [rax + r8*8 + 0x38], 0x48
         * 7430             | je 0x140200a2d
         */
        $blockhash_0x47083a9897a47573 = { 498bc5 4c8d0d???????? 83e03f 498bd5 48c1fa06 4c8d04c0 498b84d1d02c2d00 42f644c03848 74?? }

        /* picblockhash: 0x37de2b88bfe990b6 - coverage: 1/1 samples.
         * 2bc3             | sub eax, ebx
         * 488d0d2df4dfff   | lea rcx, [rip - 0x200bd3]
         * 488b8ce9d02c2d00 | mov rcx, qword ptr [rcx + rbp*8 + 0x2d2cd0]
         * 8064f93dfd       | and byte ptr [rcx + rdi*8 + 0x3d], 0xfd
         * f7d8             | neg eax
         * 1ac0             | sbb al, al
         * 2402             | and al, 2
         * 0844f93d         | or byte ptr [rcx + rdi*8 + 0x3d], al
         * 8d0412           | lea eax, [rdx + rdx]
         */
        $blockhash_0x37de2b88bfe990b6 = { 2bc3 488d0d???????? 488b8ce9d02c2d00 8064f93dfd f7d8 1ac0 2402 0844f93d 8d0412 }

    condition:
        7 of them and filesize < 5MB
}

Download all Yara Rules

Royal Ransom Propose Change

References

Yara Rules

Royal Ransom