{"id":13664,"date":"2023-01-04T19:18:54","date_gmt":"2023-01-04T19:18:54","guid":{"rendered":"https:\/\/igotoffer.com\/blog\/?p=13664"},"modified":"2023-11-16T03:53:37","modified_gmt":"2023-11-16T03:53:37","slug":"ransomware-named-royal-is-wreaking-havoc","status":"publish","type":"post","link":"https:\/\/igotoffer.com\/blog\/ransomware-named-royal-is-wreaking-havoc","title":{"rendered":"Ransomware Named Royal is Wreaking Havoc"},"content":{"rendered":"<h2>Behind the booming ransomware industry: How hackers hold businesses hostage [Video]<\/h2>\n<div class=\"ytb\">\n<p style=\"text-align: center;\"><iframe title=\"Behind the booming ransomware industry: How hackers hold businesses hostage | Business Beyond\" width=\"620\" height=\"349\" src=\"https:\/\/www.youtube.com\/embed\/HpJDa3J3lvU?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe><\/p>\n<\/div>\n<p style=\"text-align: center;\">Video uploaded by <a class=\"yt-simple-endpoint style-scope yt-formatted-string\" href=\"https:\/\/www.youtube.com\/@dwnews\" target=\"_blank\" rel=\"noopener noreferrer\">DW News<\/a> on <strong class=\"watch-time-text\">September 4, 2021<\/strong><\/p>\n<h2>Ransomware Named Royal is Wreaking Havoc Targeting Corporations<\/h2>\n<p>A ransomware operation named Royal is wreaking havoc, primarily targeting corporations with ransom demands ranging from $250,000 to over $2 million. The operators get their first foothold through malvertising: Google ads and poisoned search results lead victims to &#8220;free&#8221; software download sites that often look legitimate but deliver malware instead of the advertised program.<\/p>\n<p>They also seed the same malicious links through contact forms on business websites, emails, fake forum comments, and blog posts. 
The operation is relatively new, first flagged at the start of 2022, and its goal is the familiar one: get into a victim\u2019s environment, encrypt the data, and extort a ransom for the decryptor. Besides malvertising, the group relies on callback phishing: emails that impersonate food delivery or software providers and pretend to be subscription renewals, each with a contact number the victim can call to cancel the subscription. When the victim calls, the group uses social engineering to talk them into installing remote access software, which gives the attackers their initial access to the network. From there they deploy Cobalt Strike, harvest credentials, move laterally through the Windows domain, exfiltrate data, and finally encrypt devices.<\/p>\n<div id=\"attachment_13718\" style=\"width: 830px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-13718\" loading=\"lazy\" class=\"size-full wp-image-13718\" src=\"https:\/\/igotoffer.com\/blog\/wp-content\/uploads\/2022\/12\/ransomware-named-royal-is-wreaking-havoc-ext.png\" alt=\"This &quot;Royal&quot; ransomware encrypts files and appends the &quot;.royal&quot; extension to each of them; an updated version of the same malware appends &quot;.royal_w&quot; instead. 
It also creates a text file (named &quot;README.TXT&quot;) containing a ransom note.\" width=\"820\" height=\"500\" srcset=\"https:\/\/igotoffer.com\/blog\/wp-content\/uploads\/2022\/12\/ransomware-named-royal-is-wreaking-havoc-ext.png 820w, https:\/\/igotoffer.com\/blog\/wp-content\/uploads\/2022\/12\/ransomware-named-royal-is-wreaking-havoc-ext-300x183.png 300w, https:\/\/igotoffer.com\/blog\/wp-content\/uploads\/2022\/12\/ransomware-named-royal-is-wreaking-havoc-ext-620x378.png 620w, https:\/\/igotoffer.com\/blog\/wp-content\/uploads\/2022\/12\/ransomware-named-royal-is-wreaking-havoc-ext-246x150.png 246w, https:\/\/igotoffer.com\/blog\/wp-content\/uploads\/2022\/12\/ransomware-named-royal-is-wreaking-havoc-ext-600x366.png 600w\" sizes=\"(max-width: 820px) 100vw, 820px\" \/><p id=\"caption-attachment-13718\" class=\"wp-caption-text\">This &#8220;Royal&#8221; ransomware encrypts files and appends the &#8220;.royal&#8221; extension to each of them; an updated version of the same malware appends &#8220;.royal_w&#8221; instead. It also creates a text file (named &#8220;README.TXT&#8221;) containing a ransom note.<\/p><\/div>\n<p>When the encryptor runs it appends .royal to every file it encrypts, so &#8220;1.jpg&#8221; becomes &#8220;1.jpg.royal&#8221;, &#8220;2.png&#8221; becomes &#8220;2.png.royal&#8221; and &#8220;3.exe&#8221; becomes &#8220;3.exe.royal&#8221;; a later build of the same malware appends .royal_w instead. Alongside the encrypted files it drops a ransom note named README.TXT. The group has not always used its own encryptor: when it first appeared it borrowed other operations\u2019 encryptors, including BlackCat\u2019s, then moved to its own encryptor tracked as Zeon, whose ransom notes closely resembled Conti\u2019s, before adopting the Royal name in its notes in September 2022. 
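<\/p>\n<p>An incident responder arriving on a hit machine sees exactly these artefacts first, so here is a triage script added as an example for this page; it is not code from the original article or from the Royal operation itself. It walks a directory tree, lists every file carrying the .royal or .royal_w extension next to its original name, tallies which kinds of data were encrypted, and extracts the .onion negotiation URL from each README.TXT it finds. The sample tree, the note text and the onion address it builds are constructed placeholders invented for the example; point triage() at a real mount point to use it on an incident.<\/p>\n
```python
import os
import re
import tempfile
from collections import Counter

# Extensions the Royal encryptor appends (from the article) and the ransom
# note file name it drops next to the encrypted files.
ROYAL_EXTENSIONS = ('.royal', '.royal_w')
NOTE_NAME = 'README.TXT'
# Tor onion hostnames are 16 (v2) or 56 (v3) base32 characters; [!-~]* keeps
# the rest of the URL up to the next whitespace character.
ONION_RE = re.compile(r'https?://[a-z2-7]{16,56}[.]onion[!-~]*', re.IGNORECASE)


def triage(root):
    '''Walk *root* and summarise Royal artefacts for an incident responder.

    Returns the encrypted files with their original names, the ransom notes,
    every .onion negotiation URL found inside the notes, and a histogram of
    the original extensions, which shows what kinds of data were hit.'''
    encrypted, notes, onion_urls = [], [], set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ROYAL_EXTENSIONS):
                original = name.rsplit('.', 1)[0]      # drop only the appended extension
                encrypted.append((path, original))
            elif name.upper() == NOTE_NAME:
                notes.append(path)
                with open(path, encoding='utf-8', errors='replace') as fh:
                    onion_urls.update(ONION_RE.findall(fh.read()))
    histogram = Counter(os.path.splitext(orig)[1].lower() or '(none)' for _p, orig in encrypted)
    return {
        'encrypted_count': len(encrypted),
        'encrypted': sorted(encrypted),
        'notes': sorted(notes),
        'onion_urls': sorted(onion_urls),
        'original_extensions': dict(histogram),
    }


def build_sample_tree(root):
    '''Create a constructed tree that mimics a file share after a Royal run.

    File names, note text and the onion address are placeholders invented for
    this example; the address is not a real Royal negotiation site.'''
    files = {
        'Finance/1.jpg.royal': b'ciphertext',
        'Finance/2.png.royal': b'ciphertext',
        'Finance/budget.xlsx.royal_w': b'ciphertext',   # the newer build
        'Tools/3.exe.royal': b'ciphertext',
        'Tools/untouched.txt': b'plain text the encryptor skipped',
    }
    note_lines = [
        'Your files are encrypted and copies of them are in our hands.',
        'Open this link in the Tor Browser to start the negotiation:',
        'http://' + 'a' * 56 + '.onion/example',
    ]
    for rel, data in files.items():
        full = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'wb') as fh:
            fh.write(data)
    for folder in ('Finance', 'Tools'):
        with open(os.path.join(root, folder, NOTE_NAME), 'w', encoding='utf-8') as fh:
            fh.write(os.linesep.join(note_lines))


def demo():
    '''Build the sample tree in a temporary directory and triage it.'''
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == '__main__':
    result = demo()
    print(result['encrypted_count'], 'encrypted files,', len(result['notes']), 'ransom notes')
    print('original extensions hit:', result['original_extensions'])
    print('negotiation URLs:', result['onion_urls'])
```
\n<p>Run as a script it reports four encrypted files, two ransom notes and one negotiation URL. The extension histogram is useful early in an incident to tell whether user documents, databases or binaries were touched, and the extracted URL belongs in the incident record rather than in a browser.<\/p>\n<p>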
The ransom note tells victims that they cannot access their files because the files are encrypted, and threatens that all of the stolen files may be published online where other cybercriminals, government institutions and everyone else can see them. Holding the victim\u2019s own data out of reach through encryption while also threatening to leak a stolen copy unless the ransom is paid is the &#8220;double extortion&#8221; model. The note frames the ordeal as a &#8220;pentesting service&#8221; and, in what appears to be a tongue-in-cheek touch, offers the victim a &#8220;security review.&#8221; It also contains a link to the victim&#8217;s private Tor negotiation page.<\/p>\n<div id=\"attachment_13719\" style=\"width: 830px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-13719\" loading=\"lazy\" class=\"size-full wp-image-13719\" src=\"https:\/\/igotoffer.com\/blog\/wp-content\/uploads\/2022\/12\/ransomware-named-royal-is-wreaking-havoc-tor.png\" alt=\"A Tor negotiation site is just a chat screen where the victim can communicate with the Royal ransomware attackers. 
The attackers are known to demand ransoms ranging from $250,000 to more than $2 million.\" width=\"820\" height=\"500\" srcset=\"https:\/\/igotoffer.com\/blog\/wp-content\/uploads\/2022\/12\/ransomware-named-royal-is-wreaking-havoc-tor.png 820w, https:\/\/igotoffer.com\/blog\/wp-content\/uploads\/2022\/12\/ransomware-named-royal-is-wreaking-havoc-tor-300x183.png 300w, https:\/\/igotoffer.com\/blog\/wp-content\/uploads\/2022\/12\/ransomware-named-royal-is-wreaking-havoc-tor-620x378.png 620w, https:\/\/igotoffer.com\/blog\/wp-content\/uploads\/2022\/12\/ransomware-named-royal-is-wreaking-havoc-tor-246x150.png 246w, https:\/\/igotoffer.com\/blog\/wp-content\/uploads\/2022\/12\/ransomware-named-royal-is-wreaking-havoc-tor-600x366.png 600w\" sizes=\"(max-width: 820px) 100vw, 820px\" \/><p id=\"caption-attachment-13719\" class=\"wp-caption-text\">A Tor negotiation site is just a chat screen where the victim can communicate with the Royal ransomware attackers. The attackers are known to demand ransoms ranging from $250,000 to more than $2 million.<\/p><\/div>\n<p>On the negotiation site the attackers may decrypt a few files to prove that their decryptor works and share file lists of the stolen data. Analysis of the encryptor shows that it is a 64-bit Windows executable written in C++ that has to be started from the command line, which indicates it is meant to be run by a human operator who has already gained access to the network by other means rather than to spread on its own. The delivery chain starts with BATLOADER, which the download sites serve disguised as a legitimate software installer. Once launched, its MSI package uses Custom Actions to run malicious PowerShell or batch scripts that help disable security products and fetch further encrypted payloads, which are then decrypted and launched with PowerShell commands. 
In addition, the actors use NSudo to launch programs with elevated privileges and add registry values designed to disable the antivirus software on the victim\u2019s computer. Microsoft tracks the threat actor behind this activity as DEV-0569 and reports that its ransomware activity is on the rise, with many corporations already hit. Microsoft recommends keeping network protection up to date and enabling Microsoft Defender SmartScreen to block access to malicious links, and notes that Microsoft Defender for Office 365 can flag phishing emails and URLs that match known patterns.<\/p>\n<p>Since DEV-0569\u2019s phishing scheme abuses legitimate services, organizations can also use mail flow rules to capture suspicious keywords and should review broad exceptions such as allow lists based on IP ranges or whole domains. Enabling Safe Links for email, Microsoft Teams and Office apps helps as well. Avoiding domain-wide, admin-level service accounts and restricting local administrative privileges limits the damage by preventing the installation of unwanted applications. 
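<\/p>\n<p>The loader and privilege-abuse tradecraft described above (an MSI Custom Action spawning PowerShell, NSudo launching programs with elevated privileges, registry values that switch the antivirus off) is straightforward to hunt for in endpoint telemetry. The detection logic below is an added example written for this page, not code from the original article or from any Microsoft product. It runs three checks over constructed process-creation and registry-set events in the shape Sysmon produces and then correlates the hits per host, so that a machine on which several of these fire within half an hour surfaces as one probable hands-on-keyboard intrusion rather than as scattered low-confidence alerts. The event records, host names, file and package names and the two Defender policy values are assumptions made for the example; the article itself does not name the registry values.<\/p>\n
```python
from collections import defaultdict
from datetime import datetime, timedelta

SEP = chr(92)   # a literal backslash, spelled out so no string below needs an escape sequence
SCRIPT_HOSTS = {'powershell.exe', 'pwsh.exe', 'cmd.exe'}
# Policy values that switch Microsoft Defender off when set to 1. They are
# well-known tamper targets chosen for this example; the article only says the
# actors add registry values that disable antivirus, without naming any.
DEFENDER_KILL_VALUES = {'disableantispyware', 'disablerealtimemonitoring'}


def win(path):
    '''Turn a forward-slash path into a Windows path with real backslashes.'''
    return path.replace('/', SEP)


def basename(path):
    '''Lower-cased last component of a Windows image path.'''
    return path.replace(SEP, '/').rsplit('/', 1)[-1].lower()


def make_alert(ev, rule, detail):
    return {'ts': ev['ts'], 'host': ev['host'], 'rule': rule, 'detail': detail}


def detect(events):
    '''Run three tradecraft checks over process-creation and registry-set
    events (the fields match what Sysmon event IDs 1 and 13 carry) and
    return one alert per matching event.'''
    alerts = []
    for ev in events:
        if ev['kind'] == 'process':
            image, parent, cmd = basename(ev['image']), basename(ev['parent_image']), ev['cmdline']
            # BATLOADER: an MSI Custom Action starting PowerShell or a batch script
            if parent == 'msiexec.exe' and image in SCRIPT_HOSTS:
                alerts.append(make_alert(ev, 'msi_custom_action_script', parent + ' spawned ' + cmd))
            # NSudo used to launch something with elevated privileges
            if 'nsudo' in image:
                alerts.append(make_alert(ev, 'nsudo_elevation', cmd))
        elif ev['kind'] == 'registry':
            key, value = ev['key'].lower(), ev['value_name'].lower()
            # a registry value that turns Defender off
            if 'windows defender' in key and value in DEFENDER_KILL_VALUES:
                alerts.append(make_alert(ev, 'defender_tamper', ev['key'] + ' :: ' + ev['value_name']))
    return alerts


def correlate(alerts, window=timedelta(minutes=30)):
    '''Group alerts per host. A host on which two or more different rules fire
    within *window* of each other is reported as one probable hands-on-keyboard
    chain, which is far more actionable than scattered medium-severity hits.'''
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a['host']].append(a)
    incidents = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: a['ts'])
        chain = set()
        for i, a in enumerate(items):
            in_window = {b['rule'] for b in items[:i + 1] if a['ts'] - b['ts'] <= window}
            if len(in_window) >= 2:
                chain |= in_window
        if chain:
            incidents[host] = sorted(chain)
    return incidents


def sample_events():
    '''Constructed events for two hosts; none of this is real telemetry and
    the host, file and package names are invented for the example.'''
    t0 = datetime(2022, 12, 1, 9, 0)
    events = []

    def proc(host, minute, image, parent, cmdline):
        events.append({'kind': 'process', 'host': host, 'ts': t0 + timedelta(minutes=minute),
                       'image': win(image), 'parent_image': win(parent), 'cmdline': cmdline})

    def reg(host, minute, key, value_name):
        events.append({'kind': 'registry', 'host': host, 'ts': t0 + timedelta(minutes=minute),
                       'key': win(key), 'value_name': value_name})

    sys32 = 'C:/Windows/System32/'
    ps = sys32 + 'WindowsPowerShell/v1.0/powershell.exe'
    # WS-007: ordinary activity, an admin console and an MSI repair; nothing should fire
    proc('WS-007', 1, ps, 'C:/Windows/explorer.exe', 'powershell.exe')
    proc('WS-007', 2, sys32 + 'msiexec.exe', sys32 + 'msiexec.exe', 'msiexec.exe /V')
    reg('WS-007', 3, 'HKCU/Software/Microsoft/Office/16.0/Common', 'UILanguage')
    # WS-042: the chain from the article, starting with a fake installer from a download site
    proc('WS-042', 10, sys32 + 'msiexec.exe', 'C:/Windows/explorer.exe', 'msiexec.exe /i FreeTool-Setup.msi')
    proc('WS-042', 11, ps, sys32 + 'msiexec.exe', 'powershell.exe -NoProfile -WindowStyle Hidden -File stage2.ps1')
    proc('WS-042', 12, 'C:/ProgramData/NSudo.exe', ps, 'NSudo.exe -U:S cmd.exe /c disable_av.bat')
    reg('WS-042', 13, 'HKLM/SOFTWARE/Policies/Microsoft/Windows Defender', 'DisableAntiSpyware')
    reg('WS-042', 13, 'HKLM/SOFTWARE/Policies/Microsoft/Windows Defender/Real-Time Protection', 'DisableRealtimeMonitoring')
    return events


def run():
    '''Detect and correlate over the constructed events.'''
    alerts = detect(sample_events())
    return alerts, correlate(alerts)


if __name__ == '__main__':
    alerts, incidents = run()
    for a in alerts:
        print(a['ts'].time(), a['host'], a['rule'], a['detail'])
    print('probable DEV-0569 chain on:', incidents)
```
\n<p>The two-stage design is the point: each check on its own is noisy on an estate where administrators run installers and scripts all day, but the same host producing an MSI-spawned script, an NSudo launch and a Defender policy write within half an hour is the sequence the article describes, and the correlate() output is what to escalate. WS-007 generates no alert at all, while WS-042 yields four alerts that collapse into one incident.<\/p>\n<p>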
Microsoft also recommends turning on cloud-delivered protection and automatic sample submission in Microsoft Defender Antivirus so that its cloud-based machine learning can identify and block new and unknown threats quickly.<\/p>\n<h2>Links<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-royal-ransomware-emerges-in-multi-million-dollar-attacks\/\" target=\"_blank\" rel=\"noopener noreferrer\">New Royal Ransomware emerges in multi-million dollar attacks<\/a> &#8211; BleepingComputer<\/li>\n<li><a href=\"https:\/\/igotoffer.com\" target=\"_blank\" rel=\"noreferrer noopener\">Sell your pre-owned device online<\/a> &#8211; iGotOffer<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Behind the booming ransomware industry: How hackers hold businesses hostage [Video] Video uploaded by DW News on September 4, 2021 Ransomware Named Royal is Wreaking Havoc Targeting Corporations A ransomware operation named Royal is wreaking havoc, primarily targeting corporations with ransom demands ranging from $250,000 to over $2 million. 
The malware is being used by [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":13716,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[460],"tags":[]}