Also known as: Royal ransomware, RoyalCrypt
Variants: A variant of Win64/Filecoder.Royal.A, W64/Royal.CF4E!tr.ransom, Gen:Variant.Ransom.Royal.13 (B), Win/malicious_confidence_100% (W)
Royal is a ransomware-as-a-service (RaaS) operation that first appeared in September 2022. Since then, it has frequently targeted critical infrastructure, such as healthcare, education, and manufacturing. Once on a system, Royal disables antivirus software, locks up the user’s files, and demands a payment in cryptocurrency to give back access to those files.
The most common symptom of a Royal attack is a ransom note or instructions appearing on the desktop or inside the infected folders. Other indicators of Royal ransomware include:
Unusual file extensions (such as .royal).
Sluggish system performance.
Unauthorized network activities or increased network traffic.
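The file-extension indicator above can be checked across a folder tree. The Python sketch below is an added example, not part of the original page: it counts files ending in .royal per directory and flags folders where they dominate. The thresholds, function names and sample file names are assumptions made for illustration.

```python
import os
import tempfile

SUFFIX = ".royal"  # the extension the page lists as an indicator


def scan_tree(root, suffix=SUFFIX):
    """Return {directory: (files_with_suffix, total_files)} for each non-empty directory."""
    stats = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if filenames:
            hits = sum(1 for name in filenames if name.lower().endswith(suffix))
            stats[dirpath] = (hits, len(filenames))
    return stats


def flag_directories(stats, min_hits=3, min_ratio=0.5):
    """Directories where the suffix dominates. Thresholds are assumed; tune them locally."""
    flagged = []
    for path, (hits, total) in stats.items():
        # Require both a count and a ratio so one stray file does not raise an alert.
        if hits >= min_hits and hits / total >= min_ratio:
            flagged.append((path, hits, total))
    return sorted(flagged, key=lambda row: row[1], reverse=True)


def build_sample_tree(root):
    """Constructed sample data: one folder that looks encrypted and one normal folder."""
    layout = {
        "finance": ["q1.xlsx.royal", "q2.xlsx.royal", "payroll.docx.royal", "notes.txt"],
        "photos": ["a.jpg", "b.jpg", "c.jpg", "old.royal"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(root, folder, name), "w") as handle:
                handle.write("sample")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, hits, total in flag_directories(scan_tree(build_sample_tree(tmp))):
            print(f"{path}: {hits}/{total} files end in {SUFFIX}")
```

A flagged folder is a prompt to isolate the machine and investigate; a single file with the extension in an otherwise normal folder stays below the thresholds.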
Sources of the infection
This ransomware mostly makes its way to systems through phishing emails with malicious attachments or links. Other possible sources of infection are:
Software downloads or fake software updates with Royal in the setup.
Malicious ads or drive-by downloads (unintentional downloads triggered by clicking on a link, pop-up, etc.) from compromised websites.
Protection
Keep your operating system and all software updated.
Install a reputable antivirus or antimalware solution, ensuring it is always up to date.
Use NordVPN’s Threat Protection to avoid malicious ads and scan downloads for malware.
Be skeptical of email attachments, especially from unknown senders.
Regularly back up important data to an external drive or a secure cloud storage.
Enable multi-factor authentication for online services.
Use network segmentation to minimize the spread of malware within the network.