Deep Dive into Royal Ransomware

The rise of ransomware and malware variants has been a growing concern for individuals and organizations alike. With new strains of malicious software emerging every day, the threat landscape has become increasingly complex and dangerous. Let’s delve into the world of ransomware and explore how we can protect ourselves against this ever-evolving threat.


Royal ransomware was first observed in mid-2022. It encrypts all volumes, including network shared drives. Instead of the randomly generated extensions used by many other families, Royal appends a fixed “.royal” or “.royal_w” extension to encrypted files. The group behind it operates independently rather than as a ransomware-as-a-service affiliate. It drops a ransom note named README.TXT that contains a unique Tor link for further communication with the attacker. The ransomware is distributed through torrent sites, malicious attachments, and other channels. Files are encrypted with AES, and the AES key and IV are in turn encrypted with RSA. How much of each file is encrypted is decided by the “-ep” parameter.

Timeline of Ransomware 

Timeline of Royal Ransomware

Technical Analysis: 

On initial execution, Royal ransomware parses three command-line arguments: -path, -id, and -ep. -path is the location to encrypt, -id is a 32-character victim identifier, and -ep is the percentage of each file to encrypt.

Calling cmd with arguments

Deletion of Shadow Copies: 

Volume shadow copies are deleted to prevent system restoration. 

vssadmin.exe Delete Shadows /All /Quiet 

Deletion of shadow copy
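Because the shadow copy deletion is a plain child-process launch, it is one of the easiest steps of the chain to detect from process-creation telemetry. The following is an added example, not code from the Quick Heal write-up: it scans constructed process-creation events for the vssadmin command shown above, and goes slightly beyond the page by also flagging the equivalent `wmic shadowcopy delete`. The event layout is assumed (a PID and a command line per event), and the match is deliberately tolerant of casing, extra spaces and a quoted full path to the image.

```python
"""Flag shadow-copy deletion in process-creation telemetry.

Added example (not code from the Quick Heal write-up): the events below are
constructed, and the wmic rule goes beyond the page, which only shows vssadmin.
"""
import re

# Constructed sample process-creation events (e.g. Sysmon Event ID 1 fields).
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 4188, "cmdline": r'"C:\Windows\System32\VSSADMIN.EXE"  delete   shadows /all /quiet'},
    {"pid": 4200, "cmdline": "vssadmin.exe List Shadows"},
    {"pid": 5001, "cmdline": "wmic shadowcopy delete"},
    {"pid": 5100, "cmdline": r'"C:\Program Files\Backup\agent.exe" --verify shadows delete'},
]

_TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths intact,
    lower-cased so casing and spacing tricks do not evade the match."""
    return [t.strip('"').lower() for t in _TOKEN.findall(cmdline)]


def is_shadow_copy_deletion(cmdline):
    """True if the command line deletes volume shadow copies via vssadmin or wmic."""
    tokens = tokenize(cmdline)
    if not tokens:
        return False
    exe = tokens[0].rsplit("\\", 1)[-1]   # basename of the image, e.g. vssadmin.exe
    args = set(tokens[1:])
    if exe in ("vssadmin", "vssadmin.exe"):
        return {"delete", "shadows"} <= args
    if exe in ("wmic", "wmic.exe"):
        return {"shadowcopy", "delete"} <= args
    return False


def find_shadow_copy_deletions(events):
    """Return the PIDs of events whose command line deletes shadow copies."""
    return [e["pid"] for e in events if is_shadow_copy_deletion(e["cmdline"])]


if __name__ == "__main__":
    print(find_shadow_copy_deletions(SAMPLE_EVENTS))   # [4120, 4188, 5001]
```

The rule keys on the image basename and the verb/noun pair rather than on a literal string, so `vssadmin.exe List Shadows` and an unrelated backup agent whose arguments happen to contain the word “shadows” are not flagged.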

Before the encryption process starts, it builds lists of excluded extensions and directories, which the encryption threads consult later. In the newer variant, “.royal_w” and “.royal_u” are added to the excluded extensions so that already-encrypted files are not encrypted again.

List of directories and extensions to be excluded from the encryption process.

List of extensions excluded

List of directories excluded (the image includes the “tor browser” directory)

File Encryption: 

The ransomware calls the GetNativeSystemInfo API to retrieve the number of processors on the machine, doubles that number, and creates that many threads.
These threads carry out the file encryption.

Thread creation

With the help of the Restart Manager, it checks whether any target files are in use by other processes.

Royal ransomware uses the RmGetList API to find out which processes hold the resources, then compares each one with explorer.exe. Every process other than explorer.exe is terminated through the RmShutdown API so that the locked files can be encrypted.

Process kill through  RmShutDown API 

Royal ransomware uses an RSA public key, embedded in the executable, to encrypt the AES key and IV.


RSA Public Key

It enumerates the drives with the GetLogicalDrives API call and drops README.TXT on each drive, as illustrated in the following images.

Enumeration of Logical Drives

Readme file is created at A:\\

To compare directories and extensions against the exclusion lists, it uses the StrStrIW API, a case-insensitive substring search. In the figure below, each excluded directory is compared with the current directory and each excluded extension with the current file name.


Comparing directory and extension to the Excluded list
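The exclusion check described above (and the list built before encryption) is a substring match, not an exact comparison, which matters both for understanding what Royal skips and for triage afterwards. The block below is an added example, not the Quick Heal write-up's code: it mirrors StrStrIW semantics in Python and runs constructed paths through it. The page's full exclusion lists exist only as images; “.royal”, “.royal_w”, “.royal_u” and “tor browser” come from the text, while the other list entries are assumptions made for illustration.

```python
"""Reproduce Royal's exclusion check: a case-insensitive substring match
(StrStrIW) of each excluded directory against the current directory and
of each excluded extension against the file name.

Added example, not the Quick Heal write-up's code. ".royal", ".royal_w",
".royal_u" and "tor browser" come from the page; the remaining entries
in the two lists are assumptions for illustration.
"""

EXCLUDED_EXTENSIONS = [".exe", ".dll", ".royal", ".royal_w", ".royal_u"]   # partly assumed
EXCLUDED_DIRECTORIES = ["windows", "tor browser", "$recycle.bin"]           # partly assumed


def strstri(haystack, needle):
    """Mirror StrStrIW: True if needle occurs anywhere in haystack, ignoring case."""
    return needle.lower() in haystack.lower()


def split_path(path):
    """Split a Windows path into (directory, file name)."""
    directory, _, filename = path.replace("/", "\\").rpartition("\\")
    return directory, filename


def exclusion_reason(path):
    """Return why the file would be skipped, or None if it would be encrypted."""
    directory, filename = split_path(path)
    for d in EXCLUDED_DIRECTORIES:
        if strstri(directory, d):
            return f"directory matches {d!r}"
    for e in EXCLUDED_EXTENSIONS:
        if strstri(filename, e):
            return f"file name matches {e!r}"
    return None


def would_encrypt(path):
    return exclusion_reason(path) is None


def skipped(paths):
    """Paths the substring check spares."""
    return [p for p in paths if not would_encrypt(p)]


# Constructed paths showing both the intended skips and the over-matching
# that substring comparison produces.
SAMPLE_PATHS = [
    r"C:\Windows\System32\kernel32.dll",             # skipped: system directory
    r"C:\Users\bob\Documents\report.docx",           # encrypted
    r"C:\Users\bob\Documents\report.docx.royal",     # skipped: already encrypted
    r"C:\Users\bob\mywindowsnotes\todo.txt",         # skipped: "windows" substring over-match
    r"C:\Users\bob\Desktop\Tor Browser\start.txt",   # skipped: tor browser
    r"C:\Data\library.dllmap",                       # skipped: ".dll" substring over-match
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "->", exclusion_reason(p) or "encrypted")
```

The two over-match cases are the practical caveat: user data under a directory whose name merely contains “windows”, or a file whose name contains “.dll” anywhere, survives untouched. A triage script that decides what was encrypted should therefore test the exact final extension after splitting the name, not reuse the malware's own substring rule.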

After the encryption through the AES algorithm, it uses the MoveFileExW API to append the extension “.royal”.

Adding the “.royal” extension

How much of a file is encrypted depends on two parameters: the file size and the value of ep. If ep is not provided, the decision is made on file size alone, as follows:

  • If the file size is smaller than or equal to 5MB, the entire file is encrypted. 
  • If the file size is larger than 5MB, only part of the file (50%) is encrypted. 

After encrypting a file, it writes the original file size followed by the encryption percentage, visible in hex, at the end of the file. This can be seen in the following encrypted files, as an example: 

Encrypted file 1

Encrypted file 2
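The size rule, the -ep override and the trailer written after encryption can be modelled together, which is also what a triage tool needs in order to tell how much of a large file was actually touched. The following is an added example, not code from the Quick Heal write-up. The 5 MB threshold, the 50% partial mode and the “size followed by percentage” order come from the page; the exact trailer layout (two 8-byte little-endian unsigned integers) is an assumption made so the example is concrete and parseable, and the sample encrypted file is constructed.

```python
"""Model Royal's encryption plan and the trailer appended after encryption.

Added example, not code from the Quick Heal write-up. The 5 MB threshold,
the 50% partial mode and "size followed by percentage" are from the page;
the trailer layout (two 8-byte little-endian unsigned integers) is an
assumption made so the example is concrete and parseable.
"""
import struct

FULL_ENCRYPT_THRESHOLD = 5 * 1024 * 1024   # files up to 5 MB are fully encrypted (page)
PARTIAL_PERCENT = 50                        # larger files: half of the content (page)
TRAILER = struct.Struct("<QQ")              # assumed layout: original size, then percentage


def encryption_percent(file_size, ep=None):
    """Percentage of the file that gets encrypted: -ep wins if given,
    otherwise the size rule applies."""
    if ep is not None:
        if not 0 <= ep <= 100:
            raise ValueError("ep must be a percentage")
        return ep
    return 100 if file_size <= FULL_ENCRYPT_THRESHOLD else PARTIAL_PERCENT


def bytes_to_encrypt(file_size, ep=None):
    """Number of bytes AES will actually touch for a file of this size."""
    return file_size * encryption_percent(file_size, ep) // 100


def build_trailer(file_size, percent):
    return TRAILER.pack(file_size, percent)


def parse_trailer(blob):
    """Read the trailer of an encrypted file and sanity-check it against the
    on-disk length, so a truncated or unrelated file is not misreported."""
    if len(blob) < TRAILER.size:
        raise ValueError("file too short to carry a trailer")
    size, percent = TRAILER.unpack(blob[-TRAILER.size:])
    if percent > 100 or size != len(blob) - TRAILER.size:
        raise ValueError("trailer does not match file length")
    return {"original_size": size, "percent": percent,
            "encrypted_bytes": size * percent // 100}


# Constructed sample: a 1024-byte body standing in for the AES output, plus trailer.
SAMPLE_BODY = bytes(range(256)) * 4
SAMPLE_ENCRYPTED_FILE = SAMPLE_BODY + build_trailer(len(SAMPLE_BODY), 100)

if __name__ == "__main__":
    print(bytes_to_encrypt(8 * 1024 * 1024))        # 4194304: half of an 8 MB file
    print(parse_trailer(SAMPLE_ENCRYPTED_FILE))
```

The length check in parse_trailer is the part worth keeping in a real triage tool: because the trailer sits at the very end of the file, any file whose last 16 bytes happen to decode to a plausible pair would otherwise be mistaken for Royal output.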

After encryption, the files carry the “.royal” extension.

Encrypted files by the “.royal” extension

Encrypted files by the “.royal_w” extension


Ransom Note

Royal ransomware drops the README.TXT file in every directory it encrypts. The note carries the Tor link used for further communication with the attackers.

How do we prevent such kinds of attacks?  

  • Do not download and open any attachments from unknown sources.  
  • Avoid clicking on unverified links. Most ransomware infections start with an untrusted link or attachment.  
  • Keep your software and antivirus updated.  
  • Back up your data so that it can be recovered in case of a ransomware attack. 

Quick Heal Protection: 

  • Ransom.Royal.S29629175

  • Ransom.Royal.S28994725


Royal ransomware encrypts files with the “.royal” extension, while other variants use “.royal_w” and “.royal_u”. Its ep mode lets the operator set the percentage of each file to encrypt; when ep is not supplied, the percentage is chosen from the file size.

As Royal ransomware uses a similar encryption technique to Conti, we suspect that the Conti group might be involved in this.


MITRE ATT&CK Techniques:

  • Command and Scripting Interpreter (T1059)
  • Inhibit System Recovery (T1490)
  • File and Directory Discovery (T1083)
  • System Information Discovery (T1082)
  • Data Encrypted for Impact (T1486)
  • Service Stop (T1489)

Soumen Burma 

Vaibhav Billade

The post “Deep Dive into Royal Ransomware” appeared first on Quick Heal Antivirus Blog