Royal (cyber gang)

Royal is a cybercriminal ransomware organization known for its aggressive targeting, its high ransom demands, and its use of double extortion (where compromised data is not only encrypted, but also exfiltrated).

They have developed Linux-based variants and expanded their targets to include ESXi servers, which can have a significant impact on victimized enterprise data centers and virtualized storage.[2][1]

In 2023, the United States Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly issued an advisory providing information on Royal ransomware's tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations defend against such attacks.

Victims unknowingly install malware that delivers Royal ransomware after clicking on links or opening malicious PDF documents in phishing emails.

There are reports suggesting that Royal actors may also leverage brokers to obtain access by harvesting VPN credentials from stolen logs.[2]

Once inside the network, Royal actors communicate with a command and control (C2) infrastructure and download multiple tools to strengthen their presence.

Royal actors have been observed using Chisel, a tunneling tool transported over HTTP and secured via SSH, to communicate with their C2 infrastructure.

In some instances, they exploit remote monitoring and management (RMM) software like AnyDesk, LogMeIn, and Atera for persistence within the victim's network.[1]

In September 2022, the group gained attention among cybersecurity researchers after a news site published an article about its targeted attack campaigns using callback phishing techniques.[1]

On December 7, 2022, the United States Department of Health and Human Services (HHS) issued a warning to healthcare organizations about the threats posed by the Royal ransomware.
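The post-intrusion tooling described above (a Chisel tunnel for C2 traffic and RMM agents such as AnyDesk, LogMeIn, and Atera used for persistence) is a practical detection opportunity, because RMM software is legitimate on some hosts and suspicious on others. The following Python script is an added example, not part of the article or of any advisory: it parses constructed process-creation log lines in an assumed `host= user= event=process_create image="…" cmdline="…"` format, flags watched tools by case-insensitive substring match on the image path and command line, and suppresses hits on hosts where the organization has sanctioned that RMM agent (the `APPROVED_HOSTS` allowlist is a constructed assumption). Chisel has no allowlist entry, since a tunneling tool has no routine place on a workstation or file server.

```python
import re
from dataclasses import dataclass

# Tool families named in the summary above. Matching is a case-insensitive
# substring test on image path + command line, so the exact binary name
# does not have to be known in advance.
WATCHED_TOOLS = {
    "chisel": "Chisel tunnel",
    "anydesk": "AnyDesk RMM",
    "logmein": "LogMeIn RMM",
    "atera": "Atera RMM",
}

# Constructed allowlist (assumption): tool key -> hosts where that RMM agent
# is a sanctioned deployment. Chisel deliberately has no entry.
APPROVED_HOSTS = {"atera": {"helpdesk-01"}}

# Constructed log format (assumption): one process-creation event per line.
LOG_RE = re.compile(
    r'host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+event=process_create\s+'
    r'image="(?P<image>[^"]*)"\s+cmdline="(?P<cmdline>[^"]*)"'
)


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    tool: str
    image: str


def analyze(lines, approved=APPROVED_HOSTS):
    """Return one Finding per watched tool seen on a host where it is not approved."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a process-creation event in the expected shape
        haystack = f'{m["image"]} {m["cmdline"]}'.lower()
        for key, label in WATCHED_TOOLS.items():
            if key in haystack and m["host"] not in approved.get(key, set()):
                findings.append(Finding(m["host"], m["user"], label, m["image"]))
    return findings


def hosts_by_tool(findings):
    """Group findings so a responder sees which hosts each tool touched."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.tool, set()).add(f.host)
    return grouped


# Constructed sample events: 198.51.100.20 is a documentation (TEST-NET-2) address.
SAMPLE_LOG = [
    r'host=ws-finance-07 user=j.doe event=process_create image="C:\Users\j.doe\AppData\Local\Temp\AnyDesk.exe" cmdline="AnyDesk.exe"',
    r'host=helpdesk-01 user=SYSTEM event=process_create image="C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe" cmdline="AteraAgent.exe"',
    r'host=ws-finance-07 user=j.doe event=process_create image="C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe" cmdline="AteraAgent.exe"',
    r'host=srv-files-02 user=svc_backup event=process_create image="C:\Windows\Temp\chisel.exe" cmdline="chisel.exe client 198.51.100.20:8080"',
    r'host=ws-finance-07 user=j.doe event=process_create image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe"',
    r'host=ws-finance-07 user=j.doe event=logon type=interactive',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.host} {f.user} {f.tool}: {f.image}")
```

Running the script reports AnyDesk and Atera on the finance workstation and Chisel on the file server, while the sanctioned Atera agent on `helpdesk-01` is silent. The allowlist is what keeps this usable: without it, every help-desk host would alert on its own RMM agent, and analysts would learn to ignore the rule exactly when an attacker installs a second RMM tool for persistence.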