Threat Actor Profile
Cybercriminal
Description
According to Trendmicro, Royal ransomware was first observed in September 2022, and the threat actors behind it are believed to be seasoned cybercriminals who used to be part of Conti Team One.
Confidence Score
High
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (19)
Indicators of Compromise
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'According to Trendmicro, Royal ransomware was first observed '
'in September 2022, and the threat actors behind it are '
'believed to be seasoned cybercriminals who used to be part of '
'Conti Team One.',
'firstseen': '2022-11-04T17:45:54.406158+00:00',
'group': 'royal',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': '2023-07-19T01:02:03.456789+00:00',
'locations': [{'available': False,
'fqdn': 'royal4ezp7xrbakkus3oofjw6gszrohpodmdnfbe5e4w3og5sm7vb3qd.onion',
'slug': 'http://royal4ezp7xrbakkus3oofjw6gszrohpodmdnfbe5e4w3og5sm7vb3qd.onion/api/posts/list',
'title': '',
'type': 'DLS'},
{'available': False,
'fqdn': 'royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion',
'slug': 'http://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion',
'title': 'Royal',
'type': 'Chat'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': True,
'locations': [{'available': False,
'fqdn': 'royal4ezp7xrbakkus3oofjw6gszrohpodmdnfbe5e4w3og5sm7vb3qd.onion',
'slug': 'http://royal4ezp7xrbakkus3oofjw6gszrohpodmdnfbe5e4w3og5sm7vb3qd.onion/api/posts/list',
'title': '',
'type': 'DLS'},
{'available': False,
'fqdn': 'royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion',
'slug': 'http://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion',
'title': 'Royal',
'type': 'Chat'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'ransomware_live_group': 'royal',
'tools': {'CredentialTheft': ['Mimikatz',
'NirSoft Dialupass',
'NirSoft IEPassView (iepv)',
'NirSoft MailPassView',
'NirSoft Netpass',
'NirSoft RouterPassView'],
'DefenseEvasion': ['Eraser',
'GMER',
'NSudo',
'PowerTool'],
'DiscoveryEnum': ['AdFind',
'Advanced IP Scanner',
'SharpShares',
'SoftPerfect NetScan'],
'Exfiltration': ['RClone'],
'LOLBAS': ['PsExec'],
'Networking': ['Chisel',
'Cloudflared',
'OpenSSH'],
'Offsec': ['Brute Ratel C4', 'Cobalt Strike'],
'RMM-Tools': ['AnyDesk',
'Atera',
'LogMeIn',
'MobaXterm',
'Syncro']},
'url': 'https://www.ransomware.live/group/royal',
'victims': 211,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {'CredentialTheft': ['Mimikatz',
'NirSoft Dialupass',
'NirSoft IEPassView (iepv)',
'NirSoft MailPassView',
'NirSoft Netpass',
'NirSoft RouterPassView'],
'DefenseEvasion': ['Eraser', 'GMER', 'NSudo', 'PowerTool'],
'DiscoveryEnum': ['AdFind',
'Advanced IP Scanner',
'SharpShares',
'SoftPerfect NetScan'],
'Exfiltration': ['RClone'],
'LOLBAS': ['PsExec'],
'Networking': ['Chisel', 'Cloudflared', 'OpenSSH'],
'Offsec': ['Brute Ratel C4', 'Cobalt Strike'],
'RMM-Tools': ['AnyDesk', 'Atera', 'LogMeIn', 'MobaXterm', 'Syncro']},
'ttps': [{'tactic_id': 'TA0001',
'tactic_name': 'Initial Access',
'techniques': [{'technique_details': 'A spearphishing email was '
'sent to employees.',
'technique_id': 'T1566.001',
'technique_name': 'Phishing: Spearphishing '
'Attachment'}]},
{'tactic_id': 'TA0002',
'tactic_name': 'Execution',
'techniques': [{'technique_details': 'Qbot was launched through the '
'Windows Command Shell with '
'cmd.exe.',
'technique_id': 'T1059.003',
'technique_name': 'Command and Scripting '
'Interpreter: Windows Command '
'Shell'},
{'technique_details': 'Cobalt Strike was executed '
'through encoded PowerShell '
'commands.',
'technique_id': 'T1059.001',
'technique_name': 'Command and Scripting '
'Interpreter: PowerShell'}]},
{'tactic_id': 'TA0003',
'tactic_name': 'Persistence',
'techniques': [{'technique_details': 'Qbot DLL was added to '
'HKEY_CURRENT_USER'
'\\Software\\Microsoft'
'\\Windows\\CurrentVersion'
'\\Run.',
'technique_id': 'T1547.001',
'technique_name': 'Boot or Logon Autostart '
'Execution: Registry Run Keys / '
'Startup Folder'},
{'technique_details': 'Cobalt Strike was installed '
'as a Windows service on '
'multiple systems.',
'technique_id': 'T1543.003',
'technique_name': 'Create or Modify System Process: '
'Windows Service'}]},
{'tactic_id': 'TA0004',
'tactic_name': 'Privilege Escalation',
'techniques': [{'technique_details': 'Royal ransomware operators '
'used (privileged) domain '
'accounts for lateral '
'movement.',
'technique_id': 'T1078.002',
'technique_name': 'Domain Accounts'},
{'technique_details': 'Royal ransomware operations '
'executed a known UAC bypass '
'that abuses a default '
'scheduled task to launch '
'PowerShell with escalated '
'privileges.',
'technique_id': 'T1548.002',
'technique_name': 'Abuse Elevation Control '
'Mechanism: Bypass User Account '
'Control'}]},
{'tactic_id': 'TA0005',
'tactic_name': 'Defense Evasion',
'techniques': [{'technique_details': 'Password protected file '
'containing an ISO file with a '
'hidden file used in '
'combination with an LNK file '
'to execute Qbot.',
'technique_id': 'T1027.006',
'technique_name': 'Obfuscated Files or Information: '
'HTML Smuggling'},
{'technique_details': 'Royal ransomware operators '
'used domain accounts for '
'lateral movement.',
'technique_id': 'T1078.002',
'technique_name': 'Domain Accounts'},
{'technique_details': 'Qbot and Cobalt Strike were '
'both injected into legitimate '
'Windows processes.',
'technique_id': 'T1055',
'technique_name': 'Process Injection'}]},
{'tactic_id': 'TA0007',
'tactic_name': 'Discovery',
'techniques': [{'technique_details': 'The FindLocalAdmin '
'PowerSploit script was used '
'to find local administrator '
'accounts on '
'workstations/servers.',
'technique_id': 'T1087.001',
'technique_name': 'Account Discovery: Local '
'Account'},
{'technique_details': 'Users and groups were '
'enumerated with built-in '
'Windows utilities and with '
'AdFind software.',
'technique_id': 'T1087.002',
'technique_name': 'Account Discovery: Domain '
'Account'},
{'technique_details': 'Domain trust was enumerated '
'with built-in Windows '
'utilities.',
'technique_id': 'T1482',
'technique_name': 'Domain Trust Discovery'},
{'technique_details': 'Network shares were '
'enumerated with PowerSploit '
'software.',
'technique_id': 'T1135',
'technique_name': 'Network Share Discovery'}]},
{'tactic_id': 'TA0008',
'tactic_name': 'Lateral Movement',
'techniques': [{'technique_details': 'Remote admin shares C$ were '
'mounted from the Patient 0 '
'workstation.',
'technique_id': 'T1021.002',
'technique_name': 'Remote Services: SMB/Windows '
'Admin Shares'},
{'technique_details': 'The Royal ransomware '
'operators leveraged '
'credential hashes from '
'privileged accounts to '
'perform lateral movement.',
'technique_id': 'T1550.002',
'technique_name': 'Use Alternate Authentication '
'Material: Pass the Hash'},
{'technique_details': 'Several (privileged) domain '
'accounts were used during the '
'attack for lateral movement '
'and deployment of ransomware.',
'technique_id': 'T1078.002',
'technique_name': 'Valid Accounts: Domain '
'Accounts'}]},
{'tactic_id': 'TA0011',
'tactic_name': 'Command and Control',
'techniques': [{'technique_details': 'Cobalt Strike uses '
'peer-to-peer communication '
'over Windows named pipes '
'encapsulated in the SMB '
'protocol.',
'technique_id': 'T1071',
'technique_name': 'Application Layer Protocol'},
{'technique_details': 'Qbot and Cobalt Strike used '
'HTTPS traffic for their C2 '
'communication.',
'technique_id': 'T1071.001',
'technique_name': 'Application Layer Protocol: Web '
'Protocols'}]},
{'tactic_id': 'TA0010',
'tactic_name': 'Exfiltration',
'techniques': [{'technique_details': 'Royal ransomware operators '
'used Mega Cloud Storage and '
'Dropbox to exfiltrate data '
'from multiple hosts.',
'technique_id': 'T1567.002',
'technique_name': 'Exfiltration Over Web Service: '
'Exfiltration to Cloud Storage'}]},
{'tactic_id': 'TA0040',
'tactic_name': 'Impact',
'techniques': [{'technique_details': 'Royal ransomware encrypted '
'files on systems with the '
'.royal extension.',
'technique_id': 'T1486',
'technique_name': 'Data Encrypted for Impact'}]}],
'url': 'https://www.ransomware.live/group/royal',
'victims': 211,
'vulnerabilities': []}