1. Overview
Royal is a highly capable ransomware group that emerged in early 2022, quickly establishing itself as a major player in the double extortion landscape. Noted for its custom-built encryptor, refusal to rely on Ransomware-as-a-Service (RaaS) models, and frequent targeting of healthcare, education, and public sector organisations, Royal has distinguished itself as both tactically effective and operationally autonomous.
The group is known for data theft combined with encryption, high-value ransom demands, and the use of multi-layered extortion tactics, including threats of public data release, operational disruption, and reputational damage. Royal is also notable for its links to Conti alumni, suggesting a deep bench of experienced ransomware operators.
2. Origin and Evolution
Royal was first identified in January 2022, initially using third-party ransomware payloads such as Zeon before deploying its own custom encryptor later that year. Over time, Royal has refined its tactics, moving away from commodity tooling in favour of bespoke malware and increasingly sophisticated targeting methods.
The group operates a private, non-affiliate model, with internal teams handling everything from reconnaissance to ransom negotiation. This allows Royal to maintain tight operational control and avoid some of the pitfalls of the RaaS ecosystem, such as affiliate leaks or uncoordinated attacks.
3. Tactics, Techniques, and Procedures (TTPs)
Royal attacks follow a methodical, multi-stage playbook with a strong emphasis on stealth and privilege escalation:
- Initial Access: Entry is typically gained via phishing campaigns (T1566.001), exploited VPN endpoints, or purchased access from Initial Access Brokers (T1078).
- Lateral Movement: Use of RDP, PsExec, PowerShell, and Cobalt Strike to navigate internal networks and escalate privileges (T1021, T1055).
- Data Exfiltration: Data is exfiltrated prior to encryption using Rclone, MEGA, or custom SFTP scripts (T1041). Royal targets HR files, legal documents, financial records, and internal emails.
- Encryption: The Royal payload uses a custom-built encryptor supporting partial file encryption to speed up the process. Files are typically renamed with the .royal extension.
- Extortion: Royal combines encryption with threats of data exposure, frequently publishing stolen information on a dedicated leak site if the victim refuses to pay.
- Evasion & Persistence: Common techniques include disabling security tools, shadow copy deletion (T1490), scheduled tasks, and registry modification (T1112).
4. Targeting Profile
Royal favours large organisations with significant data value and business continuity risk. Sectors frequently targeted include:
- Healthcare and medical services
- Education and universities
- Municipal and regional governments
- Financial services and insurance
- Legal firms and consultancy groups
UK entities have appeared on Royal’s leak site, particularly in public sector healthcare and legal services, where downtime and confidentiality breaches present high-stakes leverage.
5. Notable Campaigns and Victims
Royal has executed a number of high-profile attacks across North America, Europe, and Asia. Confirmed victims include:
- Multiple US healthcare systems, including hospitals and patient care networks
- Municipal governments, such as Dallas, Texas, with disrupted emergency services
- UK-based professional service firms, targeted for client data and legal records
- Private education institutions, where student records and research data were exfiltrated
Royal’s ransom demands range from £250,000 to over £5 million, depending on organisational size and data sensitivity.
6. Ransomware and Leak Site Behaviour
Royal’s dark web leak site features:
- Organisation name and sector
- Sample file downloads
- Data size and breach date
- Countdown timers for full public release
The group’s negotiation style is assertive, often referencing legal, regulatory, and reputational consequences. Unlike some groups, Royal avoids overly aggressive language in communication but applies pressure through deadlines and sample data exposure.
7. Technical Indicators
Common IOCs related to Royal include:
- File extension: .royal
- Ransom notes titled README.TXT or README_FOR_RESTORE.TXT
- Use of rclone.exe, 7z.exe, and obfuscated PowerShell
- Lateral movement using PsExec and Cobalt Strike beacons
- Registry edits to disable logging and AV services
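The indicators above, together with the tooling and shadow copy deletion described in the TTP section, can be turned into straightforward detection logic. The script below is an added example and is not code from UK Cyber Defence Ltd's feed or detection rules. It assumes a made-up process-creation log layout (timestamp|host|user|image_path|command_line), matches shadow copy deletion (T1490) on the common vssadmin command, which the profile does not name, and approximates "obfuscated PowerShell" as an encoded-command switch followed by a long base64 blob. All sample log lines and file paths are constructed.

```python
# Added example (not from the UK Cyber Defence Ltd profile): detection logic
# that applies the Royal indicators listed above to constructed telemetry.
# Assumptions: the "timestamp|host|user|image_path|command_line" layout is
# made up; T1490 is matched on "vssadmin delete shadows", which the profile
# does not name; the encoded-PowerShell check is a coarse heuristic.
import re
from dataclasses import dataclass

# Indicators taken from the profile's Technical Indicators and TTP sections.
TOOL_IMAGES = {"rclone.exe", "7z.exe", "psexec.exe", "psexesvc.exe"}
RANSOM_NOTE_NAMES = {"README.TXT", "README_FOR_RESTORE.TXT"}
ENCRYPTED_EXTENSION = ".royal"

# Assumption: shadow copy deletion via vssadmin; other routes (WMI,
# PowerShell cmdlets) would need their own patterns.
SHADOW_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# Assumption: obfuscated PowerShell approximated as -e/-enc/-EncodedCommand
# followed by at least 40 base64 characters; tune before production use.
ENCODED_PS_RE = re.compile(
    r"powershell(\.exe)?\s.*-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}",
    re.IGNORECASE,
)


@dataclass
class Alert:
    host: str
    technique: str
    evidence: str


def analyse_process_event(line: str) -> list[Alert]:
    """Return alerts for one process-creation line; malformed lines yield none."""
    try:
        _ts, host, _user, image, cmdline = line.split("|", 4)
    except ValueError:
        return []  # malformed line: skip rather than crash the pipeline
    cmdline = cmdline.strip()
    image_name = image.strip().lower().rsplit("\\", 1)[-1]
    alerts: list[Alert] = []
    if image_name in TOOL_IMAGES:
        alerts.append(Alert(host, "tooling", f"{image_name}: {cmdline}"))
    if SHADOW_DELETE_RE.search(cmdline):
        alerts.append(Alert(host, "T1490 shadow copy deletion", cmdline))
    if ENCODED_PS_RE.search(cmdline):
        alerts.append(Alert(host, "obfuscated PowerShell", cmdline))
    return alerts


def analyse_file_listing(host: str, paths: list[str]) -> list[Alert]:
    """Flag ransom notes and .royal-suffixed files in a list of paths."""
    alerts: list[Alert] = []
    for path in paths:
        name = path.rsplit("\\", 1)[-1]
        if name.upper() in RANSOM_NOTE_NAMES:
            alerts.append(Alert(host, "ransom note", path))
        elif name.lower().endswith(ENCRYPTED_EXTENSION):
            alerts.append(Alert(host, "encrypted file extension", path))
    return alerts


def impact_confirmed(alerts: list[Alert]) -> bool:
    """README.TXT is a common benign name, so require both a ransom note and
    the .royal extension on the same host before reporting Royal impact."""
    kinds = {a.technique for a in alerts}
    return {"ransom note", "encrypted file extension"} <= kinds


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    "2025-05-01T09:12:03|WKS-014|jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.docx",
    "2025-05-01T09:15:44|SRV-FILE01|svc_backup|C:\\Tools\\rclone.exe|rclone.exe copy D:\\Shares\\HR remote:share -P",
    "2025-05-01T09:20:10|SRV-FILE01|svc_backup|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet",
    "2025-05-01T09:21:30|DC01|admin|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -enc " + "Q" * 48,
    "2025-05-01T09:25:00|WKS-022|jdoe|C:\\Temp\\PsExec.exe|PsExec.exe \\\\SRV-APP02 -s cmd.exe",
    "not a process event",
]
SAMPLE_FILES = [
    "D:\\Shares\\HR\\contracts.xlsx.royal",
    "D:\\Shares\\HR\\README.TXT",
    "D:\\Shares\\Legal\\README_FOR_RESTORE.TXT",
    "D:\\Shares\\Legal\\retainer.docx",
]


def run_sample() -> dict:
    """Run both analysers over the constructed samples and summarise."""
    process_alerts = [a for line in SAMPLE_EVENTS for a in analyse_process_event(line)]
    file_alerts = analyse_file_listing("SRV-FILE01", SAMPLE_FILES)
    return {
        "process_alerts": process_alerts,
        "file_alerts": file_alerts,
        "impact_confirmed": impact_confirmed(file_alerts),
    }


if __name__ == "__main__":
    result = run_sample()
    for alert in result["process_alerts"] + result["file_alerts"]:
        print(f"[{alert.host}] {alert.technique}: {alert.evidence}")
    print("Royal impact confirmed:", result["impact_confirmed"])
```

Image-name matches on rclone.exe or PsExec.exe are weak on their own (both have legitimate administrative uses), so in practice the tooling alerts should be correlated with the account, the host and the time window; the `impact_confirmed` check shows the same idea for the file-system indicators, where a lone README.TXT proves nothing but a README.TXT beside .royal files does.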
YARA signatures and updated detection rules are available through UK Cyber Defence Ltd’s threat intelligence feed.
8. Defensive Measures and Recommendations
To defend against Royal ransomware:
- Implement MFA across all external access points and administrative interfaces
- Monitor for lateral movement tools, especially PsExec and Cobalt Strike
- Apply patches to VPNs, firewalls, and Exchange servers
- Deploy network segmentation between critical infrastructure components
- Use EDR/XDR with anomaly detection and rollback capabilities
- Maintain offline, immutable backups, tested regularly
- Prepare a communications and breach disclosure plan in the event of extortion
9. Attribution and Alliances
Royal is widely believed to be operated by former affiliates or developers of Conti, a major ransomware gang dismantled in 2022. While there is no formal nation-state attribution, the group uses Russian-language tooling and shares infrastructure characteristics with past Eastern European threat actors.
Royal operates independently—with no affiliate programme—and maintains full control over its attack lifecycle, from access to encryption and negotiation.
10. Conclusion
Royal is a well-resourced, technically proficient ransomware threat that combines classic ransomware tactics with custom tooling, stealthy intrusion methods, and effective extortion strategies. For UK organisations—particularly in healthcare, public services, and legal sectors—Royal poses a strategic threat capable of causing operational, regulatory, and reputational damage.
Mitigation requires multi-layered security controls, data exfiltration monitoring, and incident response plans that address both encryption and public extortion scenarios.
Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025