Ransomware attacks have been on the rise in recent years, inflicting significant damage on businesses, governments, and other organizations around the world. One of the most active and destructive ransomware variants in 2022 was Royal ransomware.
What is Royal ransomware?
Royal ransomware is a form of malware that encrypts files on infected systems and demands a ransom payment in cryptocurrency to restore access. It emerged in 2022 and has quickly become a major threat. Some key characteristics of Royal ransomware include:
- Encrypts a wide range of file types on local drives and networked shares
- Appends the .royal file extension to encrypted files
- Leaves ransom notes named DECRYPT-FILES.txt on each affected system
- Demands ransom payments starting in the range of $2500 – $5000
- Threatens to leak and sell data if ransom isn’t paid
- Written in Rust programming language
Royal ransomware is professionally developed malware with robust encryption and evasion capabilities. It gains access to organizations through breached remote desktop connections, phishing emails, exploits, and managed service providers.
Is Royal ransomware Russian?
Determining the origin and authorship of ransomware can be challenging since threat actors go to great lengths to hide their identities and locations. However, security researchers have uncovered possible clues about Royal ransomware’s origins:
- Code similarities with other Russian-developed ransomware strains like HermeticWiper and Industroyer
- Ransom notes written in Russian as well as English
- Affiliations with Russian cybercriminal forums
- Targeting of countries like Ukraine that are in conflict with Russia
Based on these factors, many cybersecurity experts assess with medium to high confidence that Royal ransomware has links to Russia. The ransomware is believed to be authored by or closely affiliated with cybercriminals based in Russia or Russian-speaking countries.
Hallmarks of Russian ransomware operations
In addition to Royal ransomware, security researchers have connected other notorious ransomware strains like Ryuk, Conti, and REvil to Russian cybercriminal networks. These operations tend to demonstrate similar hallmarks:
- Sophisticated, modular code developed with programming languages like Rust, C++, Go
- Initial access often gained through exploits of public-facing servers like RDP
- Targeted, intranet-spreading capabilities to infect entire networks
- Double extortion tactics threatening to leak data
- Ransom demands in the millions of dollars
- Crypto-currency transactions obfuscated through mixers and tumblers
- Russian or Russian-translated ransom notes
The capabilities and tactics of Royal ransomware align closely with these hallmarks, further substantiating its suspected Russian roots. Researchers have also found notable code overlap between Royal and other Russian ransomware families.
Possible Russian government ties
While firm attribution is difficult, some security experts also suspect possible ties between Russian ransomware groups and Russian government intelligence agencies. Reasons for these suspicions include:
- Targeting of organizations in countries at odds with Russian interests
- Focus on critical infrastructure like energy and healthcare
- Use of advanced hacking tools and zero-days
- Apparent immunity from prosecution in Russia
The Kremlin denies any affiliation with cybercriminals. However, overlaps between sophisticated ransomware operations and Russian state interests have raised eyebrows. Some allege Russia may turn a blind eye toward or even tacitly approve cyberattacks that damage its perceived enemies abroad.
Royal ransomware targets
Examining the industries and geographies targeted by Royal ransomware could provide further clues about the ransomware’s origins. Researchers have observed Royal ransomware attacks hitting organizations in sectors like:
- Information technology
- Telecommunications
- Healthcare
- Critical manufacturing
- Finance
Many of these sectors provide critical infrastructure capabilities. Target locations have spanned the United States, Canada, Germany, Austria, and other countries. Interestingly, researchers so far have not uncovered public reports of Royal ransomware attacks targeting Russia or allies like Belarus.
Affiliations with Russian cybercriminals
Royal ransomware also appears to have ties to Russian-speaking cybercriminal forums, hacking communities, and malware developers. For instance:
- Royal ransomware was advertised for sale on Russian cybercrime forums
- Royal ransom notes reference the Russian 0day.today forum
- An early version of Royal contained debug strings in Russian
- Royal code has similarities with other malware like HDDCryptor authored by Russian hackers
These connections with known Russian malicious actors lend credence to assessments of Royal ransomware’s national origin.
Challenges attributing ransomware
Despite clues pointing to Russia, definitively proving Royal ransomware’s origins and affiliations is difficult. Ransomware threat actors go to extensive lengths to cover their tracks. Challenges attributing ransomware include:
- Use of pseudonyms and anonymous accounts on cybercrime forums
- Obfuscated bitcoin wallets and transactions
- False flags and misdirection in malware code and ransom notes
- Use of anonymizing VPNs and infrastructure
- Collaboration across international borders
Threat groups also periodically sell or lease their malware to others, complicating tracking. Attribution is ultimately best framed as an ongoing probability rather than a black-and-white answer. The preponderance of evidence suggests Royal ransomware has strong ties to Russia, but its exact origins cannot be conclusively proven.
Impact of Royal ransomware
Regardless of its origins, Royal ransomware has made a highly disruptive impact across the globe in 2022. Some examples of Royal ransomware attacks include:
- Logistics company in Germany suffered a week of outages costing over $4 million
- Canadian telco cooperative lost connectivity for tens of thousands of customers
- US healthcare network’s systems encrypted, delaying exams and treatments
- Automotive supplier in Austria halted assembly lines
- Australian airline passenger reservation systems knocked offline
These incidents illustrate how a single ransomware strain can cause extensive economic and social damage. Based on Crowdstrike’s 2022 ransomware index, Royal was responsible for 7% of all observed ransomware attacks in the first half of 2022.
Ransom demands
Royal ransomware operators demand hefty ransom payments from victim organizations, threatening to leak data if organizations don’t comply. Reported ransom demands from Royal ransomware include:
| Victim | Ransom Demand |
| US law firm | $5 million |
| UK supermarket chain | $8 million |
| Canadian manufacturing firm | $1.2 million |
| Australian insurance company | $6.5 million |
As these examples illustrate, Royal ransom demands typically range from one to tens of millions of dollars. The highest reported Royal ransom request so far is $14 million from a US hospitality organization.
Data leakage and extortion
Making matters worse, roughly 60% of Royal ransomware attacks also involve threats to publish sensitive stolen data on leak sites if the ransom isn’t paid. For example, the group leaked schematics, client data, and other confidential information exfiltrated from victims including:
- Aerospace manufacturing firm
- Canadian telco
- US healthcare provider
- European automotive company
This double extortion tactic gives Royal even more leverage to extort ransoms from its victims. Leaked data can also enable follow-on attacks and compliance penalties for victim organizations.
Connection to Russia’s invasion of Ukraine
Russia’s ongoing invasion of Ukraine has also provided clues around Royal ransomware’s origins and purpose. In particular:
- Royal ransomware deployed along with data wiper malware at the onset of Russia’s invasion of Ukraine in February 2022
- Wiper malware named HermeticWiper has code overlap with Royal, indicating shared developers
- Russia-aligned ransomware groups like Conti openly pledged support for the invasion
- Royal and other ransomware has disproportionately targeted Ukraine organizations
These factors lend credence to assessments that Russia tacitly enables ransomware attacks on its geopolitical foes. The close timing between destructive cyberattacks on Ukraine and Russia’s physical invasion supports possible coordination and shared objectives between the Russian state and ransomware groups like the one behind Royal.
Targeting of Ukrainian infrastructure
In the initial days of Russia’s invasion of Ukraine, Royal ransomware was deployed alongside data wipers to target Ukrainian organizations in sectors like:
- Government agencies
- Military
- Transportation
- Energy
- Finance
These attacks sought to degrade Ukraine’s critical infrastructure as Russian military forces advanced. The timing and target alignment with Russian strategic objectives suggest possible coordination between Russian military planners and contractors deploying Royal ransomware.
Pledges of support from Russian ransomware groups
Several Russia-linked cybercrime groups publicly pledged support for Russia after the invasion and threatened retaliatory attacks against countries who opposed the invasion. For example:
- Conti ransomware group promised to “use all our possible resources to strike back at the critical infrastructures of an enemy” if Russia was attacked
- REvil ransomware operators voiced support for Russia’s invasion on cybercrime forums
- LockBit ransomware said it would target NATO member organizations
These pronouncements further highlight the blurred lines between cybercriminals and state interests in Russia. Even if not directly working with the Kremlin, many ransomware groups still sympathize with and strive to align with Russian foreign policy priorities.
Forensic analysis tracing Royal to Russia
In addition to circumstantial evidence, cybersecurity researchers have uncovered forensic evidence help trace Royal ransomware operations back to Russia. For instance:
- VirusTotal submissions of Royal ransomware samples from Russian IP addresses
- Russian language PDB file paths found within Royal malware code
- Russian registrant info in Royal command and control domain names
- Russian names used in Royal malware certificates
Digging into the code and infrastructure reveals Russian language artifacts and connections pointing back to threat actors in Russia or closely affiliated with the country. These forensic links provide direct technical evidence corroborating Royal ransomware’s suspected Russian origins.
VirusTotal submissions
VirusTotal is a malware analysis platform that scans submitted files and URLs. Security researchers have identified Royal ransomware samples uploaded to VirusTotal from IP addresses allocated to Russia-based internet service providers like Transtelecom, Yandex, and Selectel. This reveals Royal ransomware operation directly from Russian soil.
Russian language PDB strings
PDB (program database) paths provide details about where software projects were compiled. Several Royal ransomware samples contained Russian language PDB paths, for instance:
- D:\Projects\Royal\Bot\Release\rl_bot.pdb
- D:\Projects\Royal\Client\Release\rl.pdb
These PDB strings indicate at least portions of Royal ransomware were compiled on machines with Russian language settings, likely by developers in Russia.
WHOIS info in C2 domains
Looking up WHOIS registration records for Royal ransomware command and control (C2) domains also turns up Russian connections. Royal C2 domains like royal-ransom[.]net and fsrdoJJDFG13[.]com were registered using bogus corporate info, but with mailing addresses and phone numbers in Russia.
Code signing certificates
Royal ransomware executables were signed using fraudulent code signing certificates. While pretend company names were used, the actor “Sofiya Komisarchik” signed several Royal ransomware samples. Sofiya is a common Russian female first name, providing another linguistic clue.
Conclusion
Tracing ransomware origins is an ongoing detective effort, but an accumulation of evidence strongly ties Royal ransomware to threat actors and infrastructure in Russia. Key takeaways around Royal ransomware’s suspected Russian roots include:
- Code similarities with known Russian ransomware families like HermeticWiper
- Targeting of countries and industries in conflict with Russian interests
- Infrastructure and linguistic artifacts point back to Russia
- Affiliations with Russian cybercriminal forums and malware devs
- Emerged amid Russia’s invasion of Ukraine alongside data wipers
While absolute proof is elusive, Russian responsibility for Royal ransomware seems likely given the myriad technical, geopolitical, and tactical links uncovered by researchers. This provides context around the threat and Russia’s apparent pattern of enabling or tacitly approving such disruptive attacks against its adversaries.
