Royal ransomware investigation: How to brace for the sharp increase


  • Logpoint research reveals what organizations should monitor to safeguard against the rapid increase in Royal ransomware attacks
  • The Royal ransomware group has leaked data of more than 60 victims since November 2022

COPENHAGEN, Denmark & BOSTON, January 11, 2022 – Royal ransomware entered the stage in 2022 and quickly became a nuisance for cyber analysts. Logpoint's research team has investigated the ransomware to uncover how analysts can detect and respond to the developing threat.

"Royal stands out as a ransomware provider because it doesn't have affiliates. The ransomware uses various tactics and techniques to reach its goal, like redirecting users using Google ads, sending phishing emails, and personal interactions based on callback phishing," says Doron Davidson, VP Logpoint Global Services. "Despite the many ways to gain initial access, the ransomware deploys in later stages, providing organizations with an opportunity to detect it before it wreaks havoc."

Logpoint's investigation revealed that Royal stops services and kills processes to set up the preconditions for the ransomware to detonate. The adversaries use scheduled task functionality to run malicious code once or repeatedly, which launches the ransomware. The malware enumerates shared resources on the network so it can encrypt the shared folders, and it deletes the volume shadow copies of the drives to prevent recovery from them.

To protect your organization against Royal ransomware, Logpoint recommends:

  • Monitoring the infrastructure for stopped services and killed processes
  • Monitoring for the creation of scheduled tasks and related events using the schtasks binary
  • Monitoring for access to multiple share folders in a short span from the same user and host
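The three monitoring recommendations above, as an added example that is not Logpoint's own code: a small triage script that applies them to constructed Windows event records (event IDs 7036 service state change, 5140 network share accessed, 4688 process created; the hosts, users, shares and timestamps are made up). The burst detector is general: it flags any actor that produces several distinct values for one event ID within a short window, which covers both the mass service stops and the share enumeration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). IDs follow the Windows Security/System
# logs: 4688 process created, 5140 network share accessed, 7036 service state changed.
SAMPLE_EVENTS = [
    {"time": "2023-01-10T09:00:00", "id": 4688, "host": "WS01", "user": "jdoe",
     "value": r"schtasks.exe /create /sc once /tn sync /tr C:\Users\Public\update.exe"},
    {"time": "2023-01-10T09:00:10", "id": 7036, "host": "WS01", "user": "SYSTEM", "value": "VSS stopped"},
    {"time": "2023-01-10T09:00:11", "id": 7036, "host": "WS01", "user": "SYSTEM", "value": "SQLWriter stopped"},
    {"time": "2023-01-10T09:00:12", "id": 7036, "host": "WS01", "user": "SYSTEM", "value": "MSSQLSERVER stopped"},
    {"time": "2023-01-10T09:01:00", "id": 5140, "host": "WS01", "user": "jdoe", "value": r"\\FS01\finance"},
    {"time": "2023-01-10T09:01:03", "id": 5140, "host": "WS01", "user": "jdoe", "value": r"\\FS01\hr"},
    {"time": "2023-01-10T09:01:07", "id": 5140, "host": "WS01", "user": "jdoe", "value": r"\\FS01\eng"},
    {"time": "2023-01-10T09:01:09", "id": 5140, "host": "WS01", "user": "jdoe", "value": r"\\FS02\backup"},
    {"time": "2023-01-10T11:00:00", "id": 5140, "host": "WS02", "user": "asmith", "value": r"\\FS01\hr"},
    {"time": "2023-01-10T15:00:00", "id": 5140, "host": "WS02", "user": "asmith", "value": r"\\FS01\eng"},
]

def burst_by_actor(events, event_id, window=timedelta(minutes=5), threshold=3):
    """Actors (user, host) that produced `threshold` or more distinct values for
    `event_id` inside any span of length `window`. Returns {actor: sorted values}."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev["id"] == event_id:
            per_actor[(ev["user"], ev["host"])].append((datetime.fromisoformat(ev["time"]), ev["value"]))
    hits = {}
    for actor, rows in per_actor.items():
        rows.sort()  # chronological, so each row can anchor a forward-looking window
        for i, (start, _) in enumerate(rows):
            seen = {v for t, v in rows[i:] if t - start <= window}
            if len(seen) >= threshold:
                hits[actor] = sorted(seen)
                break
    return hits

def schtasks_creations(events):
    """Process-creation events in which schtasks.exe is invoked with /create."""
    return [(ev["user"], ev["host"], ev["value"]) for ev in events
            if ev["id"] == 4688 and "schtasks" in ev["value"].lower()
            and "/create" in ev["value"].lower()]

def triage(events):
    """Run the three checks from the recommendations and return the findings."""
    return {
        "stopped_services": burst_by_actor(events, 7036),  # many services stopped on one host
        "share_bursts": burst_by_actor(events, 5140),      # one user/host touching many shares
        "scheduled_tasks": schtasks_creations(events),     # task creation via the schtasks binary
    }
```

On the sample data, `triage(SAMPLE_EVENTS)` flags WS01 for three service stops within seconds, jdoe on WS01 for four distinct shares within ten seconds, and one schtasks task creation; asmith's two accesses hours apart are not reported.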

"It's important that organizations have the right cybersecurity resources in place," says Doron Davidson. "Leveraging the technology advancements in cybersecurity can accelerate threat detection, investigation, and response. For example, automatic incident detection and response can improve cyber intelligence and reduce cyber risk. Investing in advance in Penetration Testing and similar cybersecurity services will reduce the need to pay for Royal’s Pentesting services."

Read Logpoint's blog post about Royal ransomware here and get an in-depth vulnerability analysis, means to detect and respond to the threat, and insights about incident investigation and response.

Maimouna Corr Fonsbøl

Press contact, Head of PR, PR & Communications, +45 25 66 82 98


About Logpoint

Headquartered in Copenhagen, Denmark, with offices across Europe, the USA, and Asia, Logpoint is a multinational, multicultural, inclusive cybersecurity company. Logpoint bolsters organizations in the fight against evolving threats by giving them a single source of truth — an intuitively designed platform with the powerful capabilities needed to ensure their safety. Powered by machine learning and backed by an industry-leading support team, Logpoint’s cybersecurity operations platform accelerates detection and response, allowing organizations to respond to tomorrow’s threats.

Logpoint’s core belief lies in creating software that empowers security teams to make confident decisions, feel justified in their choices, and more efficiently protect their organizations. That principle has earned them the trust of more than 1,000 organizations worldwide, as well as a place in Gartner’s Magic Quadrant.

The company’s culture prioritizes passion, innovation, team spirit, and client satisfaction. Together, these values fuel Logpoint’s success across cybersecurity technologies: from SIEM, UEBA, and SOAR to SAP security, converged into an integrated security operations platform, created to protect the digital heart of organizations.

Bryggervangen 55
2100 Copenhagen