The PolySwarm Blog


Royal Ransomware

Dec 1, 2022 1:22:05 PM / by PolySwarm Tech Team


Executive Summary

Microsoft recently reported on Royal ransomware, a ransomware family used by the threat actor DEV-0569.

Key Takeaways

  • Royal ransomware is a 64-bit executable written in C++ that targets Windows systems.
  • Royal is used by multiple threat actors, including DEV-0569.
  • DEV-0569 is a financially motivated threat actor that uses malvertising, phishing, and malicious downloaders to spread malware.

What is Royal?

Royal ransomware is a ransomware family used by the threat actor group DEV-0569. Royal was first seen in the wild in early 2022 and is in use by multiple threat actor groups. It is a 64-bit executable written in C++ that targets Windows systems. Royal uses the OpenSSL library to encrypt files using the AES standard and appends the .royal extension to encrypted files. DEV-0569 delivers Royal in human-operated ransomware attacks. The threat actors gain access to compromised networks by using BATLOADER to deliver a Cobalt Strike Beacon.
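Because Royal appends .royal to every file it encrypts, a burst of such renames from one process is a usable detection signal. The following is an added example, not PolySwarm or Microsoft code: the pipe-delimited event layout, the sample events, and the threshold and window values are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

ROYAL_EXT = ".royal"  # extension the bulletin says Royal appends

# Constructed rename events, not real telemetry. Assumed field layout:
# ISO timestamp|host|process image|old path|new path
SAMPLE_EVENTS = r"""
2022-12-01T10:00:01|FS01|C:\Temp\svc.exe|D:\share\q3.xlsx|D:\share\q3.xlsx.royal
2022-12-01T10:00:02|FS01|C:\Temp\svc.exe|D:\share\plan.docx|D:\share\plan.docx.ROYAL
2022-12-01T10:00:03|FS01|C:\Temp\svc.exe|D:\share\a.pdf|D:\share\a.pdf.royal
2022-12-01T10:00:04|FS01|C:\Temp\svc.exe|D:\share\b.pdf|D:\share\b.pdf.royal
2022-12-01T10:00:05|WS07|C:\Windows\explorer.exe|C:\docs\old.txt|C:\docs\new.txt
2022-12-01T10:05:00|WS07|C:\Windows\explorer.exe|C:\docs\crown.txt|C:\docs\crown.royal
2022-12-01T11:30:00|FS02|C:\Temp\x.exe|E:\d\1.db|E:\d\1.db.royal
2022-12-01T11:45:00|FS02|C:\Temp\x.exe|E:\d\2.db|E:\d\2.db.royal
2022-12-01T12:10:00|FS02|C:\Temp\x.exe|E:\d\3.db|E:\d\3.db.royal
"""

def is_royal_append(old_path, new_path):
    """True when the new name is the old name with .royal appended."""
    return new_path.lower() == old_path.lower() + ROYAL_EXT

def parse_events(text):
    for line in text.strip().splitlines():
        ts, host, image, old, new = line.split("|")
        yield datetime.fromisoformat(ts), host, image, old, new

def detect_royal_bursts(text, threshold=3, window=timedelta(seconds=60)):
    """Alert once per (host, process) that appends .royal to at least
    `threshold` files inside a sliding `window`."""
    recent = defaultdict(deque)   # (host, image) -> timestamps in window
    alerted = {}                  # (host, image) -> time threshold was hit
    for ts, host, image, old, new in sorted(parse_events(text)):
        if not is_royal_append(old, new):
            continue              # ordinary rename, or a file merely named *.royal
        key = (host, image)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop events older than the window
        if len(q) >= threshold and key not in alerted:
            alerted[key] = ts
    return alerted

if __name__ == "__main__":
    for (host, image), ts in detect_royal_bursts(SAMPLE_EVENTS).items():
        print(f"{ts.isoformat()} {host} {image}: burst of {ROYAL_EXT} renames")
```

In the constructed data only FS01 alerts. The FS02 renames are spaced wider than the window, so pair a burst rule like this with a longer-horizon count per host.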

Who is DEV-0569?

At present, the identity and location of DEV-0569 threat actors have not been determined by industry researchers. We know they are a financially motivated threat actor group that likely serves as an initial access broker for other threat actors. DEV-0569 attacks typically begin with malicious ads, forum posts, blog comments, or phishing emails that deliver malicious links. The links lead to malicious files signed by the threat actor using legitimate certificates. DEV-0569 uses malvertising, phishing links, and malicious downloaders masquerading as installers or updates to spread malware. The group has also been observed using VHD files that impersonate legitimate software to facilitate the delivery of first-stage payloads.

Microsoft noted the group has begun using contact forms on target organizations' websites to deliver phishing links, hosting fake installer files on sites that appear to be legitimate download sites, and expanding its malvertising technique by using Google Ads to blend in with regular ad traffic. These tactics give DEV-0569 the capability to reach more targets with the intended payloads. DEV-0569 is known to employ defense evasion techniques and uses NSudo to disable antivirus. The group typically uses the services of other malicious actors that deliver malware payloads as a service.


PolySwarm has multiple samples of Royal.



You can use the following CLI command to search for all Royal samples in our portal:

$ polyswarm link list -f Royal


Topics: Threat Bulletin, Ransomware, Royal, DEV-0569
