royal
Group profile
According to Trend Micro, Royal ransomware was first observed in September 2022; the threat actors behind it are believed to be seasoned cybercriminals who were previously part of Conti Team One.
MITRE ATT&CK TTPs
Initial Access
T1566.001 Phishing: Spearphishing Attachment
A spearphishing email was sent to employees.
Execution
Persistence
Privilege Escalation
T1078.002 Valid Accounts: Domain Accounts
Royal ransomware operators used (privileged) domain accounts for lateral movement.
T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
Royal ransomware operators executed a known UAC bypass that abuses a default scheduled task to launch PowerShell with elevated privileges.
Defense Evasion
T1027.006 Obfuscated Files or Information: HTML Smuggling
A password-protected file delivered an ISO image containing a hidden file that was used together with an LNK file to execute Qbot.
T1055 Process Injection
Qbot and Cobalt Strike were both injected into legitimate Windows processes.
T1078.002 Valid Accounts: Domain Accounts
Royal ransomware operators used domain accounts for lateral movement.
Discovery
T1087.001 Account Discovery: Local Account
The FindLocalAdmin PowerSploit script was used to find local administrator accounts on workstations/servers.
T1087.002 Account Discovery: Domain Account
Users and groups were enumerated with built-in Windows utilities and with AdFind software.
T1135 Network Share Discovery
Network shares were enumerated with PowerSploit software.
T1482 Domain Trust Discovery
Domain trusts were enumerated with built-in Windows utilities.
Lateral Movement
T1021.002 Remote Services: SMB/Windows Admin Shares
Remote admin shares (C$) were mounted from the patient-zero workstation.
T1078.002 Valid Accounts: Domain Accounts
Several (privileged) domain accounts were used during the attack for lateral movement and deployment of ransomware.
T1550.002 Use Alternate Authentication Material: Pass the Hash
The Royal ransomware operators leveraged credential hashes from privileged accounts to perform lateral movement.
Exfiltration
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
Royal ransomware operators used Mega cloud storage and Dropbox to exfiltrate data from multiple hosts.
Command and Control
Impact
T1486 Data Encrypted for Impact
Royal ransomware encrypted files on systems with the .royal extension.
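The TTP list above is most useful when it is turned into something that can be run over endpoint telemetry. The following is an added example, not code from this profile or from any vendor tool: a small Python detector that maps constructed endpoint events onto the ATT&CK IDs listed here (local-admin and AdFind account discovery, domain trust enumeration, C$ admin-share mounts, connections to the cloud-storage services named above, and files written with the .royal extension) and ranks hosts by how many distinct techniques were seen on each. The pipe-separated log format, the event-type names, every sample line, and the rule patterns (including the choice of nltest /domain_trusts as the "built-in utility" for trust discovery and mega.nz, mega.io and dropbox.com as the storage hosts) are assumptions of the example, not details from the page.

```python
"""Map endpoint telemetry to the Royal TTPs listed in this profile.

Added example, not code from the page or from any vendor tool: the
pipe-separated log format, the field names and every sample line below
are constructed for the demo.
"""
import re
from collections import defaultdict

# Constructed telemetry, one event per line: "<host>|<event type>|<detail>".
# Event types assumed for the demo: process (command line), share (UNC path
# mounted), netconn (destination host), file (path written).
SAMPLE_EVENTS = [
    "ws-017|process|powershell.exe -File C:\\Temp\\FindLocalAdmin.ps1",
    "ws-017|process|AdFind.exe -f objectcategory=person",
    "ws-017|process|nltest.exe /domain_trusts",
    "ws-017|share|\\\\srv-fs-01\\C$",
    "ws-017|share|\\\\srv-db-02\\C$",
    "ws-017|netconn|mega.nz",
    "srv-fs-01|file|D:\\Finance\\Q2-report.xlsx.royal",
    "srv-fs-01|file|D:\\Finance\\Q2-report.xlsx",
    "ws-042|process|outlook.exe",          # benign, matches nothing
    "malformed line with no separators",    # skipped by the parser
]

# One rule per behaviour listed in the profile: (ATT&CK ID, event type,
# pattern, label). The patterns are this example's own assumptions and are
# deliberately narrow; tune them to your own telemetry before relying on them.
RULES = [
    ("T1087.001", "process", re.compile(r"find-?localadmin", re.I),
     "PowerSploit local-admin discovery script"),
    ("T1087.002", "process", re.compile(r"\badfind(\.exe)?\b", re.I),
     "AdFind user/group enumeration"),
    ("T1482", "process", re.compile(r"\bnltest(\.exe)?\s+/domain_trusts", re.I),
     "domain trust enumeration with a built-in utility"),
    ("T1021.002", "share", re.compile(r"^\\\\[^\\]+\\(c|admin)\$$", re.I),
     "admin share (C$/ADMIN$) mounted"),
    ("T1567.002", "netconn", re.compile(r"(^|\.)(mega\.nz|mega\.io|dropbox\.com)$", re.I),
     "connection to a cloud-storage service used for exfiltration"),
    ("T1486", "file", re.compile(r"\.royal$", re.I),
     "file written with the .royal extension"),
]


def parse_event(line):
    """Split one constructed log line into (host, event type, detail); None if malformed."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    host, kind, detail = (p.strip() for p in parts)
    return host, kind, detail


def detect(lines):
    """Return {host: sorted list of distinct ATT&CK IDs observed on that host}."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        host, kind, detail = parsed
        for technique, rule_kind, pattern, _label in RULES:
            if kind == rule_kind and pattern.search(detail):
                hits[host].add(technique)
    return {host: sorted(ids) for host, ids in hits.items()}


def rank_hosts(results):
    """Hosts ordered by how many distinct techniques were seen on each (most first)."""
    return sorted(results, key=lambda h: (-len(results[h]), h))


def explain(results):
    """One human-readable line per (host, technique), using the rule labels."""
    labels = {tid: label for tid, _k, _p, label in RULES}
    return [f"{host}: {tid} {labels[tid]}"
            for host in rank_hosts(results) for tid in results[host]]


if __name__ == "__main__":
    for line in explain(detect(SAMPLE_EVENTS)):
        print(line)
```

Counting distinct techniques per host (rather than raw matches) is what surfaces the workstation that performed discovery, mounted several C$ shares and then talked to a storage service as the likely patient zero, while the file server only shows the final T1486 stage; a single .royal write is already too late, so the value is in alerting on the earlier discovery and lateral-movement rules.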
Recent victims
showing 50 of 211

| Date | Victim | Website | Sector | Country |
|---|---|---|---|---|
| 2023-07-19 | Braintree Public Schools | braintreema.gov | Education | US |
| 2023-06-11 | Tachi-S Engineering USA | tachi-s.com | Manufacturing | |
| 2023-06-09 | PENNCREST School District | penncrest.org | Education | |
| 2023-05-26 | Groupe Sovitrat Interim and Recrutement | sovitrat.fr | Business Services | FR |
| 2023-05-26 | BM Precision | bmprecision.com | Manufacturing | |
| 2023-05-26 | DirectViz Solutions | directviz.com | Technology | |
| 2023-05-26 | The Best Connection | thebestconnection.co.uk | Business Services | GB |
| 2023-05-26 | Mitutoyo | mitutoyo.ch | Manufacturing | CH |
| 2023-05-26 | AFG Holdings | afgholdings.com | Manufacturing | |
| 2023-05-26 | Volt | volt.com | Business Services | US |
| 2023-05-26 | Colrich | colrich.com | Manufacturing | ZA |
| 2023-05-26 | Haworth Tompkins | haworthtompkins.com | Business Services | |
| 2023-05-26 | Grange Packing Solutions | co-pack.co.uk | Manufacturing | GB |
| 2023-05-23 | Coos Bay | co.coos.or.us | Public Sector | US |
| 2023-05-23 | Dotcom Distribution | dotcomdist.com | Transportation/Logistics | |
| 2023-05-22 | Westside | westside-health.org | Not Found | |
| 2023-05-22 | TA Supply | tasupply.com | Business Services | US |
| 2023-05-22 | Trinity Exploration and Production | trinityexploration.com | Energy | |
| 2023-05-22 | Agostini Insurance Brokers | agostini.com | Financial Services | TT |
| 2023-05-22 | Atlas Commodities | atlascommodities.com | Financial Services | |
| 2023-05-22 | Morris Hospital | morrishospital.org | Healthcare | |
| 2023-05-22 | Utah-Yamas Controls | utahyamas.com | Manufacturing | |
| 2023-05-19 | City of Dallas | dallascityhall.com | Public Sector | |
| 2023-05-18 | NASHUA SCHOOL DISTRICT | nashua.edu | Education | US |
| 2023-05-15 | Parker Drilling | parkerdrilling.com, www.parkerwellbore.com | Energy | |
| 2023-04-01 | Meade Tractor | meadetractor.com | Agriculture and Food Production | |
| 2023-05-01 | Midwest Truck | midwesttruck.com | Transportation/Logistics | |
| 2023-05-03 | Southern West Virginia Community and Technical College | southernwv.edu | Education | US |
| 2023-05-03 | ZBW News | zbw.eu | Education | UA |
| 2023-04-29 | Great Falls College of Technology | gfcmsu.edu | Education | US |
| 2023-04-29 | Montana State University | montana.edu | Education | US |
| 2023-04-26 | EdisonLearning | edisonlearning.com | Education | |
| 2023-04-21 | Encompass Group | encompassgroup.com | Manufacturing | US |
| 2023-04-18 | Lake Dallas Independent School District | ldisd.net | Education | |
| 2023-04-18 | MW Components | mwcomponents.com | Manufacturing | |
| 2023-04-20 | Clarke County Hospital | clarkehosp.org | Healthcare | |
| 2023-04-21 | GKS Hydraulik | gks-hydraulik.com | Manufacturing | DE |
| 2023-03-09 | Mainstream Engineering | mainstream-engr.com | Manufacturing | |
| 2023-04-14 | City of Ballwin | ballwin.mo.us | Public Sector | US |
| 2023-04-13 | Swanson Group | swansongroup.biz | Manufacturing | |
| 2023-04-13 | Moon Capital | mooncapital.com | Financial Services | |
| 2023-04-12 | Talon Outdoor | talonoutdoor.com | Business Services | |
| 2023-04-12 | Dataram | dataram.com | Technology | |
| 2023-03-30 | einhaus-gruppe | einhaus-gruppe.de | Business Services | DE |
| 2023-04-10 | Stanley Electric U.S. | stanleyelectricus.com | Manufacturing | |
| 2023-04-10 | Nature Path Foods | naturespath.com | Agriculture and Food Production | CA |
| 2023-04-10 | Alvaria | alvaria.com | Technology | US |
| 2023-04-10 | Big Ass Fans | bigassfans.com | Manufacturing | |
| 2023-04-10 | Tom Duffy Company | tomduffy.com | Construction | US |
| 2023-04-03 | Beghelli USA | beghelliusa.com | Manufacturing | |

