
Royal Ransomware Variant In The Wild

Published: April 23, 2023 in our Security Fraud News & Alerts Newsletter.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a Cybersecurity Advisory (CSA) about an active ransomware threat posed by cybercriminals using the latest release of a new Royal ransomware variant. The agencies first detected it in September 2022.

The new ransomware variant has so far affected a number of critical infrastructure sectors, including education providers, the healthcare sector (both public and private), the communications sector, and companies in the manufacturing industry. The attackers' strategy is to first disable network security at the targeted organization, then quietly exfiltrate large amounts of data from the network. In the next step, the victims are faced with demands ranging from $1 million to $11 million in Bitcoin to have their networks decrypted.

In what is becoming a signature approach, the cybercriminals do not initially provide a ransom amount or details about how the payment is to be made. In a departure from the typical ransom note that appears on screen, the victim is instead instructed to interact directly with the criminals via an ‘.onion’ URL, which can only be reached through the Tor browser.

Those who work in the affected industries should be even more vigilant when replying to emails or clicking links received in email or text messages. Research indicates that in 66.7% of cases, cybercriminals using this latest variant of the Royal malware employ phishing techniques to gain access to networks.

Mitigation tips for IT from CISA:

  • Prioritize remediating known exploited vulnerabilities.

  • Train users to recognize and report phishing attempts.

  • Enable and enforce multifactor authentication.

Tips to detect phishing:

  • Unexpected attachments or links

  • Typos, misspelled words, and incorrect grammar

  • Blurry text and graphics

  • Unknown senders

  • A sense of urgency to the message

Should users accidentally find themselves face-to-face with this attack, they should contact management and/or someone in their IT department to find out how to proceed. Do not directly interact with the attackers.
