CISA Alert AA23-061A: Royal Ransomware Analysis, Simulation and TTPs


On March 2nd, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Royal ransomware, which targets healthcare, communications, manufacturing, and education organizations in the United States [1]. Royal ransomware threat actors use a wide variety of initial access, defense evasion, and encryption techniques to increase their number of victims and maximize the impact of each intrusion.

Picus Threat Library already had attack simulations for Royal ransomware. In this blog, we explain tactics, techniques, and procedures used by the Royal ransomware group and how you can assess your security posture against Royal ransomware attacks.


Royal Ransomware

Royal ransomware (DEV-0569) was first observed in September 2022. The group does not use the Ransomware-as-a-Service business model, and it does not target specific sectors or countries. Notable targets are critical infrastructure sectors in the United States and Brazil. It is estimated that Royal ransomware has impacted more than 70 organizations worldwide.


Figure 1: Distribution of Royal Ransomware Attacks by Countries [2]

Royal ransomware threat actors use the double extortion method, both stealing and encrypting their victims' data. The exfiltrated data serves as proof of compromise, and the threat of releasing sensitive data to the public is used to pressure victims into paying the ransom demanded. After encrypting the victims' data, Royal ransomware appends the "royal_u" file extension to encrypted files and leaves a ransom note. Ransom demands range between $1 million and $11 million in Bitcoin.

Royal ransomware developers, who used to be part of the Conti ransomware group, quickly incorporate new techniques into their attacks. For this reason, analysis shows multiple initial access and defense evasion techniques across different attack campaigns.

TTPs Used by Royal Ransomware

Tactic: Initial Access & Persistence

T1133 External Remote Services

Royal ransomware threat actors use remote monitoring and management (RMM) software to gain initial access to their victims' computers. Threat actors convince their victims to install the RMM software through social engineering. Because the RMM software remains installed, this technique also lets adversaries establish persistence on the victims' systems.

T1190 Exploit Public-Facing Application

Adversaries exploit vulnerable VMware ESXi servers to gain initial access. Many other ransomware variants also abuse similar vulnerabilities, and organizations are advised to patch their vulnerable ESXi servers.

T1566 Phishing

Royal ransomware attackers use phishing emails with malicious attachments and malvertising links. The phishing emails are used to lure victims into installing RMM software.

Tactic: Execution

T1059 Command and Scripting Interpreter

Royal ransomware uses batch scripts to execute commands in infected systems. These scripts help adversaries to 

  • add new users to the infected system (T1078 Valid Accounts)
  • force group policy update (T1484 Domain Policy Modification)
  • run reconnaissance and collect information about the victim (T1119 Automated Collection)
  • download additional malware to establish persistence (T1105 Ingress Tool Transfer)
  • delete malicious artifacts to avoid further analysis (T1070 Indicator Removal)

Tactic: Defense Evasion

T1562 Impair Defenses & T1484 Domain Policy Modification

Royal ransomware threat actors disable antivirus software and tamper with its protections to avoid detection during data encryption and exfiltration.

Tactic: Lateral Movement

T1021 Remote Services

Adversaries use PsExec, a Microsoft Sysinternals tool, to move laterally within the victim's network. In some cases, threat actors compromised the domain controller using valid accounts.

Tactic: Command and Control (C2)

T1105 Ingress Tool Transfer

After gaining access to the victims' systems, Royal ransomware threat actors transfer additional malware and RMM software such as AnyDesk, Atera, and LogMeIn from their C2 servers.

T1572 Protocol Tunneling

Adversaries use an open-source tunneling tool named Chisel to communicate with their C2 servers. The communication is secured via SSH.

Tactic: Exfiltration

T1041 Exfiltration over C2 Channel

Royal ransomware uses Cobalt Strike, MegaCMD, rclone, SharpExfil, and Ursnif/Gozi for data exfiltration to their C2 servers.

Tactic: Impact

T1486 Data Encrypted for Impact

Royal ransomware uses a custom encryption routine that encrypts files only partially, depending on their size, in order to avoid detection. How much of each file is encrypted is controlled by the "ep" parameter passed when the ransomware payload is executed:

  • If the file size is smaller than 5245 MB or "ep" is set to 100, the entire file is encrypted.
  • If the file size is larger than 5245 MB and "ep" is set to a value other than 100, that percentage of the file is encrypted.
  • If the file size is larger than 5245 MB and no "ep" parameter is given, 50% of the file is encrypted.

The ransomware uses the Windows Restart Manager to identify files that are in use or locked by other applications.
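To make the rule concrete, here is an added example (not code from the CISA advisory or from Picus) that models the decision above as a small function an incident responder could use to estimate how much of a large file is left intact. The 5245 MB threshold and the 50% default come from the text; reading "MB" as mebibytes and "ep" as an integer percentage are assumptions, and the routine performs no encryption.

```python
from typing import Optional

# Added example: models the partial-encryption rule described in the text.
# Threshold and default percentage come from the advisory text; interpreting
# "MB" as mebibytes and "ep" as an integer percentage are assumptions.
THRESHOLD_MB = 5245          # files below this size are encrypted in full
DEFAULT_EP = 50              # percentage used when no "ep" is supplied
MB = 1024 * 1024


def encrypted_percent(size_bytes: int, ep: Optional[int] = None) -> int:
    """Percentage (0-100) of a file the routine would encrypt."""
    if size_bytes < 0:
        raise ValueError("size_bytes must be non-negative")
    if ep is not None and not 0 <= ep <= 100:
        raise ValueError("ep must be a percentage between 0 and 100")
    # Small files, or an explicit ep of 100, are encrypted completely.
    if size_bytes < THRESHOLD_MB * MB or ep == 100:
        return 100
    # Large file without an ep parameter: half of the file is encrypted.
    # (The text does not say what happens at exactly 5245 MB; this treats
    # that boundary as a large file.)
    if ep is None:
        return DEFAULT_EP
    # Large file with an explicit ep: that percentage is encrypted.
    return ep


def encrypted_bytes(size_bytes: int, ep: Optional[int] = None) -> int:
    """Bytes the routine would overwrite with ciphertext (integer math only)."""
    return size_bytes * encrypted_percent(size_bytes, ep) // 100


def intact_bytes(size_bytes: int, ep: Optional[int] = None) -> int:
    """Bytes left untouched; useful when triaging partially encrypted data."""
    return size_bytes - encrypted_bytes(size_bytes, ep)


if __name__ == "__main__":
    for size_mb, ep in ((100, None), (8000, None), (8000, 20), (8000, 100)):
        size = size_mb * MB
        print(f"{size_mb:>5} MB, ep={ep}: "
              f"{encrypted_bytes(size, ep) // MB} MB encrypted, "
              f"{intact_bytes(size, ep) // MB} MB intact")
```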

T1490 Inhibit System Recovery

Royal ransomware uses vssadmin, the command-line tool for the Windows Volume Shadow Copy Service, to delete volume shadow copies. This prevents victims from using the built-in recovery mechanism to restore the encrypted files.
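As an added example (not from CISA or Picus), the following detector flags the shadow-copy deletion behaviour described above in process-creation telemetry. The log format is a constructed, simplified key=value rendering of Sysmon Event ID 1 fields, and the sample lines are invented for this demonstration.

```python
import re

# Added example: detect vssadmin shadow-copy deletion in process-creation logs.
# The key=value line format and the sample events below are constructed for
# this demonstration and are not real telemetry.
SAMPLE_LOGS = [
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin.exe delete shadows /all /quiet" User=CORP\\svc_backup',
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin list shadows" User=CORP\\admin',
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="cmd.exe /c vssadmin Delete Shadows /All /Quiet" User=CORP\\jdoe',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe '
    'CommandLine="notepad.exe notes.txt" User=CORP\\jdoe',
]

# key=value pairs; a value is either double-quoted or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# vssadmin (optionally with .exe) followed by "delete" and then "shadows",
# case-insensitive, so wrappers such as "cmd.exe /c ..." are still caught.
SHADOW_DELETE_RE = re.compile(
    r'\bvssadmin(?:\.exe)?\b.*?\bdelete\b.*?\bshadows\b', re.IGNORECASE)

def parse_event(line: str) -> dict:
    """Parse one key=value log line into a dict, stripping value quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}

def is_shadow_deletion(command_line: str) -> bool:
    """True when the command line deletes volume shadow copies via vssadmin."""
    return SHADOW_DELETE_RE.search(command_line) is not None

def detect_shadow_deletion(lines):
    """Return an alert dict for every process-creation event that matches."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "1":
            continue                      # only process-creation events
        command_line = event.get("CommandLine", "")
        if is_shadow_deletion(command_line):
            alerts.append({"User": event.get("User"),
                           "Image": event.get("Image"),
                           "CommandLine": command_line})
    return alerts

if __name__ == "__main__":
    for alert in detect_shadow_deletion(SAMPLE_LOGS):
        print("ALERT T1490 shadow copy deletion:", alert)
```

Listing shadow copies is left alone on purpose: only the delete form is the recovery-inhibiting action the advisory describes, so the rule avoids firing on routine administration.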

How Does Picus Help Simulate Royal Ransomware Attacks?

We strongly suggest simulating Royal ransomware attacks to test the effectiveness of your security controls against ransomware using Picus, The Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware families, such as Conti, Zeon, and ESXiArgs, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Royal ransomware:

Threat ID   Threat Name                        Attack Module
52587       Royal Ransomware Download Threat   Network Infiltration
75964       Royal Ransomware Email Threat      Email Infiltration (Phishing)

Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures that address Royal ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs has validated the following signatures for Royal ransomware:

Security Control   Signature ID   Signature Name
Check Point NGFW   085844F96      Ransomware.Win32.RoyalRansomware.TC.4b83aQXS
Check Point NGFW   09C853DDC      Ransomware.Win32.RoyalRansomware.TC.c016OpKr
Check Point NGFW   0DA7A7D97      Ransomware.Win32.RoyalRansomware.TC.2cf7nNBW
Forcepoint NGFW                   File_Malware-Blocked
Fortigate AV       58991          W32/PossibleThreat
Fortigate AV       10107652       W64/Royal.CF4E!tr.ransom
McAfee             0x4840c900     MALWARE: Malicious File Detected by GTI
Palo Alto NGFW     539622002      trojan/Win32.lazy.akp

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus The Complete Security Validation Platform.

References

[1] "#StopRansomware: Royal Ransomware," Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a. [Accessed: Mar. 04, 2023]

[2] "Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks," Trend Micro, Dec. 21, 2022. [Online]. Available: https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html. [Accessed: Mar. 04, 2023]