Royal Ransomware gang

Threat Actor

Royal is an operation that launched in January 2022 and consists of a group of vetted and experienced ransomware actors from previous operations. Royal does not operate as a Ransomware-as-a-Service but is instead a private group without affiliates.

Initially, they used encryptors from other gangs, such as BlackCat, but they quickly switched to using their own encryptors, the first being Zeon, which generated Conti-like ransom notes.

Starting in mid-September, the ransomware gang rebranded again to "Royal" and uses a new encryptor that generates ransom notes with the same name. Unusually for a ransomware gang, the group also uses social engineering to trick corporate victims into installing remote access software following callback phishing attacks in which the attackers impersonate software providers and food delivery services.

Malware Used by this Threat Actor

No malware identified for this threat actor.