
Reconstructing the last activities of Royal Ransomware

The Royal Ransomware group has been active since January, initially deploying other ransomware payloads. They began their criminal career as affiliates of other Ransomware-as-a-Service providers. Over the last two months they have adopted the double extortion model, backed by a dedicated website on the dark web.

The main payload of Royal Ransomware is Crypter.exe. The executable is multi-threaded, polymorphic and includes anti-debugging protection. Our telemetry also shows that this initial file is delivered by the attackers directly to the victim over RDP, or after exploiting a remote code execution vulnerability in another application such as Oracle WebLogic or Apache Tomcat.

The malware is spread by a cybercriminal group known as “EvilSpam”, which has been active for several years and uses spam (mass mailing) to distribute other malware such as Scarab, Zeus, Andromeda and other Trojans.

The attackers' motive is financial: the activity exists to extort money from victims.

Initial distribution of the ransomware is through email phishing campaigns. The emails carry a malicious attachment whose lure matches the campaign theme, with subject lines such as “payment receipt” and “request for invoice”. In these campaigns the attachment is a file named Invoice_A.pdf, which contains links to download executable (.exe) files carrying the malware.

Source: Reconstructing the last activities of Royal Ransomware - AlienVault - Open Threat Exchange
