Security Experts:

Connect with us

Hi, what are you looking for?



Organizations Warned of Royal Ransomware Attacks

FBI and CISA have issued an alert to warn organizations of the risks associated with Royal ransomware attacks.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert to warn organizations of the increasing threat posed by the Royal ransomware.

The Royal ransomware has been used in attacks since September 2022, targeting US and international organizations in numerous sectors, including critical infrastructure, communications, education, healthcare and public healthcare (HPH), and manufacturing.

Likely evolved from a variant that relied on the Zeon loader, Royal ransomware uses its own file encryption program, disables security protections on the infected systems, and exfiltrates large amounts of data to engage in double extortion.

The Royal ransomware operators have been observed making ransom demands ranging between $1 million and $11 million, in Bitcoin. However, they do not include ransom amounts and payment instructions in the initial ransom note, but instruct victims to contact them via a Tor website.

For initial access, Royal ransomware operators rely on phishing, remote desktop protocol (RDP), exploitation of vulnerabilities in public-facing applications, and initial access brokers, the FBI and CISA warn in their advisory.

After compromising a network, the threat actors download a variety of tools from the command-and-control (C&C) infrastructure, including Chisel for C&C communication, PsExec for lateral movement, and remote monitoring and management (RMM) software such as AnyDesk, Atera, and LogMeIn for persistence.

The Royal ransomware operators were also seen using Cobalt Strike and other malicious tools, including Ursnif/Gozi, for data harvesting and exfiltration.

The threat actors also use Windows Restart Manager to identify whether files are in use, and rely on the Windows Volume Shadow Copy service to delete shadow copies and prevent victims from restoring their data.

On infected systems, the FBI has found numerous batch files that add a new admin user, update group policies, create registry keys and execute the ransomware, monitor the encryption process, and delete files after the encryption has been completed.

Organizations are advised to implement and maintain a recovery plan that includes keeping multiple, separate backups of their data, to secure all accounts with strong and unique passwords, to implement multi-factor authentication, to implement network segmentation, to use network monitoring tools for identifying abnormal activity, to audit accounts and disable unused ports and services, and to keep all software and operating systems updated.

The FBI and CISA alert arrives roughly three months after the US Department of Health and Human Services (HHS) warned organizations in the healthcare sector of the risks associated with Royal ransomware.

Related: Cyber Insights 2023 | Ransomware

Related: Ransomware Revenue Plunged in 2022 as More Victims Refuse to Pay Up: Report

Related: Ransomware Hit 200 US Gov, Education and Healthcare Organizations in 2022

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.


Dole was forced to shut down systems in North America due to a ransomware attack, which has reportedly led to salad shortages in some...


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.


The City of Oakland has disclosed a ransomware attack that impacted several non-emergency systems.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.