Home / Threat Intelligence bulletins / Threat actors use new techniques to deliver Royal ransomware

Target Industry

Indiscriminate, opportunistic targeting.


Severity level: High – Royal encrypts all data held on compromised system.

First reported in September 2022, Royal is a ransomware that has been affiliated with the threat actor Dev-0569. Dev-0569 is a threat actor that typically uses spear phishing and malvertising to infect victims with their chosen malware. However, in recent weeks, security researchers from Microsoft have detected tweaks in the threat actors delivery techniques.

These tweaked techniques include:
– Using the legitimate contact forms of the target organisation to deliver phishing links.
– Hosting malicious installer files on seemingly legitimate software download sites.
– Using Google adds in malvertising campaigns in an attempt to blend them in with valid advertisements.

The change in delivery strategy is highly likely so that the threat actor can reach more targets, and thus increase their potential revenue income.

Royal is just the latest ransomware used by the threat actor, previous attacks utilised, BlackCat and ZEON.


Successful system exploitation using Royal will result in the encryption and loss of sensitive business and customer data and may lead to the data being leaked online for other cyber criminals to use in future attacks. The deploying threat actor will almost certainly demand ransom for the decryption and confidentiality of stolen data. Ransom is likely to range between £250,000 and £2,000,000, however, historically ransoms have been calculated the assessed financial worth of the victim company.

Vulnerability Detection

A comprehensive Endpoint Detection and Response (EDR) solution such as Microsoft Defender can provide effective protection against ransomware threats such as Royal. EDRs can alert system users of potential breaches and stop the malware process during early signs of an attack attempt, therefore limiting damage.

If an EDR solution is not being used, the first instance of detection is likely to be the ransom note. The note will be labelled as:

Furthermore, all files held on the system will have a new file extension:
– .royal

Affected Products


Containment, Mitigations & Remediations

It is recommended that employees receive training on how to spot signs of phishing emails. As stated above, a main method of initial compromise is phishing so some in-house training will go far to reduce the effectiveness of future campaigns.

As stated above, a main method of reducing the threat of Royal is to detect it in the early stages through the use of an effective and monitored EDR solution. An effective EDR will increase detection of malicious attempts of ransomware compromise and halt them if detected.

Organisations can also perform routine back-ups of sensitive data that is needed to run the business and to keep a copy offline in case backups are impacted by the attack. Therefore, if a breach occurs and the business can no longer function, a back-up is ready to use, and the business can continue to operate with little disruption. However, this does not nullify the fact that customer and employee data may have also been lost, and potentially released at will by the attacker if demands are not met.

Indicators of Compromise

Associated Royal Hashes:
– 2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f
– 9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926
– f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429

Associated Royal IPs:

Associated Royal Domains:
– cornwelltools.com
– fvsra.org
– imacorp.com
– scottindustrialsystems.com
– apmterminals.com
– cristalcontrols.com
– rhein-pfalz-kreis.de
– zwijndrecht.be

Encrypted files are a ‘.royal’ file extension.

Threat Landscape

Royal represents the continuous evolution and introduction of new ransomware variants to the online threat landscape. Malvertising is especially dangerous over the festive period as online shoppers are more susceptible to clicking on the wrong advert as they seek money saving deals. Online adverts labelled as legitimate google ads are highly likely to deceive even those who are aware of this tactic and trained in spotting the signs of malicious online ads. This therefore makes the campaign sophisticated.

Threat Group

Dev-0569 is an experienced threat group who have conducted a significant number of attacks in the past. The group has experience using multiple variants of ransomware including, BlackCat, ZEON and most recently, Royal. The continued use of ransomware suggests the groups motivation is highly likely financial gain.

Mitre Methodologies

T1189 – Drive-by compromise
T1566 – Phishing
T1005 – Data from local system
T1098 – Account manipulation
T1486 – Data encryption for impact
T1490 – Inhibit system recovery

Further Information

PC Risk– Royal Ransomware
Fortinet – Royal Ransomware
Microsoft – Dev-0569

Intelligence Terminology Yardstick