article featured image


Earlier this year, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an advisory regarding the Royal Ransomware gang.

The Royal Ransomware group first appeared in the United States in September 2022—the U.S. Health and Human Services Cybersecurity Coordination Center issued a security alert to all healthcare organizations. Healthcare is one of Royal’s primary ransomware attack vectors, with healthcare victims already listed on the dark web

How does the attack usually happen? Basically, when Royal threat actors access victims’ networks, they first disable their antivirus software and then proceed to exfiltrate large amounts of data before deploying the ransomware and encrypting their systems.

Known as Zeon, the custom ransomware program has targeted U.S. and international organizations since September 2022.

Furthermore, Trend Micro disclosed in December 2022 that it is operated by seasoned threat actors who used to be part of Conti. These ransomware groups often use callback phishing attacks to deliver their ransomware to victims, a technique widely used by criminal groups that splintered from Conti last year.

Initial access can also be obtained via remote desktop protocol (RDP), exploitation of public-facing applications, or initial access brokers (IABs).

Several critical sectors, including communications, education, healthcare, and manufacturing, are targeted by Royal, with ransom demands ranging from $1 million to $11 million.

The Royal ransomware gang uses a unique intermittent encryption approach, allowing the threat actor to choose a specific percentage of a file to encrypt.

This approach enables the threat actor to lower the encryption percentage for bigger files, which helps evade detection. 


Multiple Qakbot command-and-control servers have been used in Royal ransomware intrusions, although it has yet to be determined if the malware relies exclusively on Qakbot infrastructure.

Cobalt Strike and PsExec are also used for lateral movement and shadow copy deletion to prevent system recovery. In addition, data aggregation and exfiltration are also carried out with Cobalt Strike.

Overall, Royal ransomware has been linked to 19 attacks in January 2023 alone, placing it behind LockBit, ALPHV, and Vice Society.

How Can Heimdal® Help?

As with most ransomware attacks, Heimdal provides its customers with an exceptional integrated cybersecurity suite, including Ransomware Encryption Protection, which is universally compatible with any antivirus solution and 100% signature-free, ensuring superior detection and remediation of all types of ransomware.

Feel free get a demo and take it for a spin.

You can also read our articles on preventing and mitigating ransomware attacks to learn more about ransomware defense.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics. 

Author Profile

Gabriella Antal

SMM & Corporate Communications Officer

linkedin icon

Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company's social media channels. Her contributions amplify the brand's voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.

Leave a Reply

Your email address will not be published. Required fields are marked *