Resubmissions

  • 09-03-2023 23:07: 230309-23yxwsaf76 (score 10)

  • 15-11-2022 10:46: 221115-mvfzsahc5t (score 9)

General

  • Target

    sample

  • Size

    2.9MB

  • Sample

    230309-23yxwsaf76

  • MD5

    01492156ce8b4034c5b1027130f4cf4e

  • SHA1

    6b0deb67a178fe20e81691133b257df3bafa3006

  • SHA256

    2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f

  • SHA512

    a26e6898ff4546b3357c07b222d05ecd8f631b2f7e939e19cf422f3e78d201de86ff5a3c208f5f52fbe3158a1a8bd71cf957ae52285b9e572088a3fe4363c3f4

  • SSDEEP

    49152:cDVwASOLGtlqrRIU6i9+vazNqQlJZP1BMU2thA8mNtNCiJlrRUFcJ7HIPcLzk+5k:wm+GaNqqJJ12vlZol8cJ7rc

Score
10/10

Malware Config

Extracted

Path

C:\Program Files (x86)\README.TXT

Family

royal

Ransom Note
Hello! If you are reading this, it means that your system were hit by Royal ransomware. Please contact us via : http://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion/12345678123456781234567812346578 In the meantime, let us explain this case.It may seem complicated, but it is not! Most likely what happened was that you decided to save some money on your security infrastructure. Alas, as a result your critical data was not only encrypted but also copied from your systems on a secure server. From there it can be published online.Then anyone on the internet from darknet criminals, ACLU journalists, Chinese government(different names for the same thing), and even your employees will be able to see your internal documentation: personal data, HR reviews, internal lawsuitsand complains, financial reports, accounting, intellectual property, and more! Fortunately we got you covered! Royal offers you a unique deal.For a modest royalty(got it; got it ? ) for our pentesting services we will not only provide you with an amazing risk mitigation service, covering you from reputational, legal, financial, regulatory, and insurance risks, but will also provide you with a security review for your systems. To put it simply, your files will be decrypted, your data restoredand kept confidential, and your systems will remain secure. Try Royal today and enter the new era of data security! We are looking to hearing from you soon!
URLs

http://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion/12345678123456781234567812346578

Targets

    Score
    10/10
    • Royal

      Royal is a ransomware first seen in 2022.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6