HC3 Analyst Note TLP Clear December 7, 2022 Royal Ransomware

Executive Summary

Royal is a human-operated ransomware that was first observed in 2022 and has increased in appearance. It has demanded ransoms up to millions of dollars. Since its appearance, HC3 is aware of attacks against the Healthcare and Public Healthcare (HPH) sector. Due to the historical nature of ransomware victimizing the healthcare community, Royal should be considered a threat to the HPH sector.


Royal ransomware was first observed in September 2022. Once infected, the requested demand for payment has been seen to range anywhere from $250,000 U.S. Dollars (USD) to over $2 million USD. Royal is an operation that appears to consist of experienced actors from other groups, as there have been observed elements from previous ransomware operations. While most of the known ransomware operators have performed Ransomware-as-a-Service, Royal appears to be a private group without any affiliates while maintaining financial motivation as their goal. The group does claim to steal data for double-extortion attacks, where they will also exfiltrate sensitive data.

Once a network has been compromised, they will perform activities commonly seen from other operations, including deploying Cobalt Strike for persistence, harvesting credentials, and moving laterally through a system until they ultimately encrypt the files. Originally, the ransomware operation used BlackCat’s encryptor, but eventually started using Zeon, which generated a ransomware note that was identified as being similar to Conti’s. The ransom notes appear in a README.TXT, which also contains a link to the victim’s private negotiation page. This note was later changed to Royal in September 2022.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA


(O) +1 202 626 2272