Skip to content

S1073 Royal

Royal is ransomware that first appeared in early 2022; a version that also targets ESXi servers was later observed in February 2023. Royal employs partial encryption and multiple threads to evade detection and speed encryption. Royal has been used in attacks against multiple industries worldwide–including critical infrastructure. Security researchers have identified similarities in the encryption routines and TTPs used in Royal and Conti attacks and noted a possible connection between their operators.52341

Item Value
ID S1073
Associated Names
Version 1.0
Created 30 March 2023
Last Modified 17 April 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1486 Data Encrypted for Impact Royal uses a multi-threaded encryption process that can partially encrypt targeted files with the OpenSSL library and the AES256 algorithm.234
enterprise T1083 File and Directory Discovery Royal can identify specific files and directories to exclude from the encryption process.234
enterprise T1490 Inhibit System Recovery Royal can delete shadow copy backups with vssadmin.exe using the command delete shadows /all /quiet.231
enterprise T1106 Native API Royal can use multiple APIs for discovery, communication, and execution.2
enterprise T1046 Network Service Discovery Royal can scan the network interfaces of targeted systems.2
enterprise T1135 Network Share Discovery Royal can enumerate the shared resources of a given IP addresses using the API call NetShareEnum.2
enterprise T1095 Non-Application Layer Protocol Royal establishes a TCP socket for C2 communication using the API WSASocketW.2
enterprise T1566 Phishing Royal has been spread through the use of phishing campaigns including “call back phishing” where victims are lured into calling a number provided through email.231
enterprise T1057 Process Discovery Royal can use GetCurrentProcess to enumerate processes.2
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares Royal can use SMB to connect to move laterally.2
enterprise T1489 Service Stop Royal can use RmShutDown to kill applications and services using the resources that are targeted for encryption.2
enterprise T1082 System Information Discovery Royal can use GetNativeSystemInfo and GetLogicalDrives to enumerate system processors and logical drives.24
enterprise T1016 System Network Configuration Discovery Royal can enumerate IP addresses using GetIpAddrTable.2