Royal - S1073 (802a874d-7463-4f2a-99e3-6a1f5a919a21)

Royal is ransomware that first appeared in early 2022; a version that also targets ESXi servers was later observed in February 2023. Royal employs partial encryption and multiple threads to evade detection and speed encryption. Royal has been used in attacks against multiple industries worldwide--including critical infrastructure. Security researchers have identified similarities in the encryption routines and TTPs used in Royal and Conti attacks and noted a possible connection between their operators.(Citation: Microsoft Royal ransomware November 2022)(Citation: Cybereason Royal December 2022)(Citation: Kroll Royal Deep Dive February 2023)(Citation: Trend Micro Royal Linux ESXi February 2023)(Citation: CISA Royal AA23-061A March 2023)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Royal - S1073 (802a874d-7463-4f2a-99e3-6a1f5a919a21)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	1
Royal - S1073 (802a874d-7463-4f2a-99e3-6a1f5a919a21)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	1
Royal - S1073 (802a874d-7463-4f2a-99e3-6a1f5a919a21)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	1
Royal - S1073 (802a874d-7463-4f2a-99e3-6a1f5a919a21)	Malware	Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a)	Attack Pattern	1
Royal - S1073 (802a874d-7463-4f2a-99e3-6a1f5a919a21)	Malware	Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3)	Attack Pattern	1
Hypervisor CLI - T1059.012 (d2d642da-61ff-4211-b4df-7923c9ca220c)	Attack Pattern	Royal - S1073 (802a874d-7463-4f2a-99e3-6a1f5a919a21)	Malware	1
Royal - S1073 (802a874d-7463-4f2a-99e3-6a1f5a919a21)	Malware	Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	1
Royal - S1073 (802a874d-7463-4f2a-99e3-6a1f5a919a21)	Malware	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	1
Royal - S1073 (802a874d-7463-4f2a-99e3-6a1f5a919a21)	Malware	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	1
Royal - S1073 (802a874d-7463-4f2a-99e3-6a1f5a919a21)	Malware	Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b)	Attack Pattern	1
Royal - S1073 (802a874d-7463-4f2a-99e3-6a1f5a919a21)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	1
Royal - S1073 (802a874d-7463-4f2a-99e3-6a1f5a919a21)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	1
Royal - S1073 (802a874d-7463-4f2a-99e3-6a1f5a919a21)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	1
Royal - S1073 (802a874d-7463-4f2a-99e3-6a1f5a919a21)	Malware	Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0)	Attack Pattern	1
Royal - S1073 (802a874d-7463-4f2a-99e3-6a1f5a919a21)	Malware	Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	1
Hypervisor CLI - T1059.012 (d2d642da-61ff-4211-b4df-7923c9ca220c)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	2