Who or What Is The Royal Ransomware?

Estimated read time 3 min read

The Royal Ransomware is a cyber threat that first emerged in January 2022. The group behind it was initially known as “Zeon” and later renamed themselves “Royal” in September 2022. Unlike many other cybercriminal groups, they are not considered a ransomware-as-a-service (RaaS) operation because their coding and infrastructure are private and not made available to outside actors. The group has been known to target top-tier corporations, demanding ransoms that range from $250,000 to over $2 million.

Modus Operandi: Double Extortion

The Royal Ransomware group uses a double extortion method, which involves both encrypting and exfiltrating data. However, as of the time of writing, they do not have a data leak site where they publish the names of their victims. The group was initially observed targeting systems running the Windows operating system, but reports in February 2023 indicated a variant capable of compromising Linux/virtual machines.

Initial Access: Phishing and Exploitation

The group often gains initial access into a victim’s network through call-back phishing ploys, where they impersonate food delivery or software providers needing subscription renewals.

Once the victim calls the number provided in the phishing email to dispute or cancel the supposed subscription, they are persuaded to install remote access software on their computer, providing the actors with initial access to their organization’s network.

Royal Ransomware Phishing Flow
Royal Ransomware Phishing Flow

The group has also been reported to exploit web vulnerabilities to compromise networks, indicating a potentially higher level of sophistication. Another method of initial access associated with the group is the abuse of Google Ads to deliver malware. Users browsing the internet click on ads they believe to be legitimate, but these ultimately lead to downloads of BatLoader, a multifaceted initial access malware.

Tools and Techniques: Cobalt Strike, PowerSploit, and More

Other tools utilized by Royal include the post-exploitation framework Cobalt Strike for persistent access, along with PowerSploit, common remote access tools, and exfiltration tools such as MegaCMD and SharpExfiltrate.

Royal Ransomware Tools
Royal Ransomware Tools


The primary motivation of the Royal Ransomware group, like many other cybercriminal groups, is financial gain. They target top-tier corporations and demand high ransoms, which range from $250,000 to over $2 million. Their focus on larger corporations suggests a strategy aimed at maximizing potential profits from each attack.

The group’s use of double extortion methods—encrypting and exfiltrating data—also indicates their intent to apply maximum pressure on victims to pay the ransom. By threatening to leak sensitive data, they can potentially cause significant reputational damage and regulatory penalties for the victim organizations, making the ransom demand seem like a lesser cost in comparison.


  • Threat Assessment: Royal Ransomware (Link)
  • Trend Micro on the Royal Ransomware Group (Link)
  • Cisa.gov on Royal Ransomware (Link)
  • Kroll.com on Royal Ransomware (Link)
Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.

You May Also Like

More From Author