Menu
Browse

Cyber Threat Actor: Royal ransomware

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Crime Syndicate
26 incidents
Profile

The Royal ransomware group, also known as Royal ransomware gang, Royal ransomware, Royal Team, or Royal Ransomware, operates as a financially motivated cybercriminal entity targeting healthcare, education, government, and financial sectors primarily in the United States. This group has conducted disruptive attacks on hospitals, school districts, municipal governments, and banks, encrypting systems and exfiltrating sensitive data to pressure victims into paying ransoms. Their operations have caused significant service interruptions, such as forcing hospitals to revert to paper records, disabling emergency dispatch systems, and halting court operations. The group publicly threatens to leak stolen data on dark web forums if ransom demands are not met, explicitly leveraging stolen personal information, financial documents, and medical records for extortion.

Royal employs ransomware that appends the ".Royal" extension to encrypted files and utilizes callback phishing campaigns for initial access, often impersonating service providers to trick employees into installing remote access tools. The group has exploited vulnerabilities in internet-facing systems, including the ProxyNotShell Microsoft Exchange flaws, and uses network printer ransom note distribution. They transitioned from using third-party encryptors like Zeon to their own proprietary ransomware. Royal affiliates have demonstrated capabilities in lateral movement within networks, data exfiltration prior to encryption, and operational disruption across multiple critical infrastructure sectors. The group's attacks on entities like the City of Dallas, Liberty Hospital, and Tucson Unified School District reflect a consistent pattern of targeting organizations with high operational reliance on digital systems to maximize extortion leverage. Law enforcement advisories attribute Royal's activities to criminal enterprises rather than state-sponsored groups, with some analysts suggesting potential links to remnants of the Conti cybercrime syndicate based on TTP similarities.

Incidents
Attributed incidents available to members
25 incidents
Sources
Sources available to members
40 sources