Royal Ransomware

Royal is a rapidly growing ransomware operation that is targeting large companies where its ransom demands range from $250,000 to more than $2 million.

According to active research on the Royal group, its participants are composed of experienced operatives from other ransomware groups.

For that reason, with the know-how the group has accumulated from former groups, Royal Ransomware does not operate on the Ransomware as a Service (RaaS) system. Royal is a private group that does not make up external affiliates.

When the group started its activities, the CEO of AdvIntel revealed that the Royal ransomware operatives used encryptors from other ransomware such as BlackCat.

A while later they switched to a proprietary encryptor called Zeon until they came up with the current Royal ransomware.

The group apparently uses the callback phishing method. This consists of posing as companies offering subscription services. Where they send an email pretending to be subscription renewals.

In that same email, there is a phone number to cancel the supposed subscription. The actors will be on the other end of the line and use social engineering to persuade victims to install remote access software.

Without realising it, the victim unknowingly hands over access to their corporate network to their attacker. It is noticeable with Royal ransomware that cybercriminals are being increasingly creative in their attacks.

Once in the environment, attackers collect credentials, spread laterally to reach as much data as possible, steal and encrypt all files.

After being encrypted, the file name is changed and gains the .royal extension to the original file name. One of the most sought after targets of the Royal group are virtual machine files (.vmdk).

The ransom note is then generated. A simple text file called README.txt, telling the victim about the attack and informing them of the means to recover their data which consists of paying the ransom demand.

However, that is not the only way to recover data. Instead of relying on criminals and funding future attacks, companies such as Digital Recovery are now positioning themselves as the best solution.

Recover files encrypted by Royal ransomware

Digital Recovery, with over 20 years in the data recovery market, has helped hundreds of ransomware victimized companies.

We have developed solutions that allow us to recover files encrypted by ransomware on almost any storage device, such as databases, servers, virtual machines, RAID systems and others.

Our solutions and projects are based on the General Data Protection Regulation (GDPR) and we provide our customers with a confidentiality agreement (NDA).

Most of the time we are able to act remotely. So wherever the incident occurs, Digital Recovery can help you.

Talk to us and get your data back quickly.

We are
always online

Please fill out the form, or select your preferred contact method. We will contact you to start recovering your files.

Latest insights from our experts

Ransomware AtomSilo

AtomSilo Ransomware

The AtomSilo ransomware emerged in September 2021, the group acts a little differently than other ransomware groups, the ransom amount is fixed, $1 million is

Khonsari Ransomware

Khonsari Ransomware

The Khonsari ransomware was the first group to exploit known Apache Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046), the group has focused its attacks on Windows servers that


Through unique technologies Digital Recovery can bring back encrypted data on any storage device, offering remote solutions anywhere in the world.