What country is Royal ransomware from?

Ransomware attacks have been on the rise in recent years, inflicting significant damage on businesses, governments, and individuals around the world. One of the most notorious ransomware variants is Royal ransomware, which first appeared in 2020 and has continued to evolve into new versions since then.

Background on Royal Ransomware

Royal ransomware is a form of malware that encrypts files on infected systems and demands a ransom payment in cryptocurrency to restore access. It typically spreads through phishing emails containing infected attachments or links to malicious websites.

Once installed, Royal ransomware encrypts files using robust encryption algorithms, leaving victims unable to access their data. A ransom note is left on the infected system with instructions for paying the ransom, usually demanding payment in Bitcoin. The ransom amounts typically range from $1000 to $10,000 or more.

Royal ransomware is considered a “human-operated” ransomware, meaning there are cybercriminals behind the attacks manually carrying out the infections, rather than just relying on automated malware. This makes Royal a more active and persistent threat.

Versions and Variants

There have been several different versions and variants of Royal ransomware observed since it first emerged, including:

  • Royal 1.0
  • Royal 2.0
  • Royal 2.5
  • Royal 3.0

Each version has included enhancements to make the ransomware more effective and evasive. For example, Royal 2.0 incorporated the ability to encrypt network shares to spread across systems more rapidly in a network environment.

Tactics and Targets

Royal ransomware operators typically gain initial access to target networks through phishing emails and exploits. Once inside, they use tools like Cobalt Strike and other penetration testing software to move laterally and deploy the ransomware payload across many systems.

Royal ransomware predominantly targets large organizations and businesses with the ability to pay larger ransoms, including:

  • Critical infrastructure organizations
  • Hospitals and healthcare providers
  • Schools and universities
  • State and local government agencies

These types of targets allow the criminals behind Royal to maximize their profits from the extortion scheme.

Origin and Attribution

Pinpointing the precise origin of any ransomware variant is challenging, as attackers often use technical means to disguise their identities and locations. However, cybersecurity researchers have uncovered clues about the likely country behind Royal ransomware.

Initial Activity in Asia

When Royal ransomware first emerged in 2020, researchers observed much of its activity concentrated in East and Southeast Asian countries, especially Taiwan, Hong Kong, Singapore, and South Korea.

This regional focus suggests Royal may have originated in an Asian country and initially targeted local organizations before expanding globally. The ransomware notes were also initially only in English and Chinese, indicating ties to China.

Shift to Russian-Speaking Actors

Over time, researchers started detecting clues that Royal ransomware had shifted from Asian actors to Russian-speaking ones:

  • Ransom notes added Russian language
  • Admin panels and other internal tools were in Russian
  • Malicious domains shifted to using .ru domains
  • Activity expanded heavily in Russia and former Soviet states

These signals indicate Russian cybercriminals likely acquired access to Royal malware and have continued developing and operating it. Such handing off of malware between different actors is common in the cybercrime ecosystem.

Ties to Russian Hackers Evgeniy Polyanin

Further analysis revealed potential connections between Royal ransomware and the notorious Russian hacker Evgeniy Polyanin, who is believed to be behind major ransomware strains like REvil.

Specifically, researchers identified code reuse and similarities between Royal and Polyanin’s malware, indicating he may be providing services or support for the Royal operations. Polyanin remains at large in Russia.

Evgeniy Polyanin Details
– 28 year old Russian hacker
– Specializes in ransomware development
– Affiliated with REvil, Sodinokibi, Gandcrab ransomware
– Added to FBI most wanted list

This further strengthens the likelihood that Russian actors are now behind Royal ransomware, even if the original source was in Asia.

Ongoing Threat

Royal ransomware remains an active and evolving threat, continuing to cause damage as ransomware attacks accelerate globally.

Some key points about the ongoing threat posed by Royal ransomware include:

  • Active development – Multiple new versions indicate continued investment in Royal’s capability.
  • Expanding targets – While initially focused on Asia, Royal now hits targets globally.
  • Higher ransom demands – Demands have increased from early versions, now up to $10 million in some cases.
  • Affiliate structure – Royal is now operated as an affiliate model, allowing more attackers to leverage it.

Recent High-Profile Attacks

Some notable recent attacks attributed to Royal ransomware include:

  • October 2022 – New York Presbyterian Hospital system crippled by Royal attack
  • September 2022 – Houston Jewish community center hit with $2 million ransom
  • July 2022 – Singapore electronics giant hit with $10 million ransom
  • June 2022 – Three major Costa Rican government agencies taken offline

These and other incidents show how destructive and far-reaching Royal ransomware campaigns have become.

Defending Against Royal Ransomware

Defending against advanced human-operated ransomware like Royal requires a combination of security measures and best practices:

  • Next-gen antivirus with ransomware detection
  • Email security and malware sandboxing
  • Vulnerability scanning and patching
  • Segmentation to limit lateral movement
  • Strict access controls through ACLs and MFA
  • Frequent backups stored offline and immutable
  • User education for phishing prevention
  • Incident response plan with reporting protocols

With an increasing number of ransomware attacks impacting countries worldwide, putting appropriate defenses in place is critical for avoiding becoming the next victim.


Royal ransomware remains a sophisticated and active threat, with evidence pointing to Russian cybercriminals as the likely operators. While the malware may have originated elsewhere, it is now aligned with Russian hacking groups and infrastructure. Royal continues to evolve with new variants that are broader in scope and have worse impacts on victims. By understanding the origin and tactics of Royal ransomware, organizations can better defend their systems against compromise.