S1073: Royal
Royal is ransomware that first appeared in early 2022; a version that also targets ESXi servers was later observed in February 2023. Royal employs partial encryption and multiple threads to evade detection and speed encryption. Royal has been used in attacks against multiple industries worldwide, including critical infrastructure. Security researchers have identified similarities in the encryption routines and TTPs used in Royal and Conti attacks and noted a possible connection between their operators. [1][2][3][4][5]
Analyst context for executives and security teams
Royal is a ransomware family documented by ATT&CK for Windows and ESXi environments. Its business significance is not just endpoint encryption: the ESXi targeting means a successful incident can affect many virtualized workloads at once, while partial encryption and multi-threading can reduce the time defenders have to respond. For leaders, this object should trigger validation of ransomware readiness across endpoints, virtualization infrastructure, backups, identity paths, and incident decision-making.
Executive priority
Treat Royal as a resilience and recovery planning concern, especially where ESXi hosts support critical business services. Executives should ask whether the organization can detect discovery, SMB-based lateral movement, service stopping, recovery inhibition, and encryption behavior before widespread outage. Priority evidence should include tested restoration, protected recovery options, monitored hypervisor administration, and clear escalation criteria for suspected ransomware activity.
Technical view
ATT&CK does not provide an official detection section for Royal, so SOC and IR teams should build coverage from the related behaviors: phishing for initial access, discovery of systems/processes/files/shares/storage, SMB/Windows Admin Shares for lateral movement, Hypervisor CLI use on ESXi, non-application-layer communications, service stopping, recovery inhibition, and data encryption for impact. Detection should emphasize behavior chains across Windows and ESXi rather than one-off indicators, because administrative commands and share access can be legitimate in isolation.
Likely telemetry
- Windows endpoint process creation, file activity, service control, and security event logs
- SMB session, Windows Admin Share access, authentication, and lateral movement evidence
- Email security and identity-provider logs relevant to phishing-related access
- Network flow, port/service discovery, and unusual protocol telemetry where available
- ESXi host logs, hypervisor CLI activity, VM management events, and storage enumeration evidence
Detection direction
- Validate visibility into discovery behaviors: system/network configuration, process, file/directory, network share, service, and local storage enumeration.
- Tune detections for suspicious SMB/Admin Share usage in context of account, source host, destination scope, and timing; expect false positives from administrators, software deployment, and backup tooling.
- Monitor ESXi administrative activity, especially hypervisor CLI use and VM/storage operations, and baseline authorized management workflows.
- Correlate service stop, recovery inhibition, and rapid file-change/encryption behavior as an impact-stage sequence rather than relying only on malware signatures.
- Review phishing detection and identity telemetry as an upstream signal, but avoid assuming every Royal case begins with phishing unless local evidence supports it.
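As an added illustration of the impact-stage correlation described above (this is not code from the page or from ATT&CK), the following Python sketch flags the `vssadmin` `delete shadows /all` command listed in the technique table and raises severity when a burst of extension-changing file renames follows on the same host within a short window. The event record shapes, hostnames, paths, and the `.enc` suffix are constructed assumptions for the sample, not documented Royal indicators.

```python
# Correlate shadow-copy deletion (recovery inhibition) with rapid file renames.
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, shaped like SIEM-normalized process-creation and
# file-rename events. Hosts, paths and the ".enc" suffix are placeholders.
EVENTS = [
    {"ts": "2023-03-01T02:14:05", "host": "FS01", "type": "process",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe  Delete Shadows /All /Quiet"},   # odd case/spacing
    {"ts": "2023-03-01T02:15:00", "host": "FS01", "type": "process",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},                  # benign admin query
    {"ts": "2023-03-01T03:40:12", "host": "WS07", "type": "process",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},        # no rename burst after
] + [
    {"ts": f"2023-03-01T02:14:{10 + i:02d}", "host": "FS01", "type": "file_rename",
     "src": rf"D:\Finance\report{i}.xlsx", "dst": rf"D:\Finance\report{i}.xlsx.enc"}
    for i in range(6)
]

def is_shadow_delete(event):
    """True for vssadmin 'delete shadows ... /all' regardless of case or spacing."""
    if event["type"] != "process" or not event["image"].lower().endswith("\\vssadmin.exe"):
        return False
    norm = " ".join(event["cmdline"].lower().split())
    return "delete shadows" in norm and "/all" in norm

def detect_impact_sequence(events, window_s=60, rename_threshold=5):
    """One alert per shadow-copy deletion. Severity is 'high' when at least
    rename_threshold extension-changing renames follow within window_s seconds
    on the same host; a lone deletion is still 'medium' and worth triage."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), e))
    alerts = []
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r[0])
        for t0, e in recs:
            if not is_shadow_delete(e):
                continue
            end = t0 + timedelta(seconds=window_s)
            renames = sum(1 for t, f in recs
                          if f["type"] == "file_rename" and t0 <= t <= end
                          and os.path.splitext(f["src"])[1] != os.path.splitext(f["dst"])[1])
            alerts.append({"host": host, "ts": e["ts"], "renames": renames,
                           "severity": "high" if renames >= rename_threshold else "medium"})
    return alerts
```

Tune `window_s` and `rename_threshold` against your own file-server baselines; software deployment and backup jobs can also produce rename bursts, so the shadow-copy deletion is the anchor, not the rename count alone.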
Mitigation priorities
- Prioritize tested, isolated, and recoverable backups for Windows and ESXi-supported workloads, including evidence that recovery mechanisms cannot be easily disabled by routine administrative accounts.
- Restrict and monitor privileged access to ESXi, Windows administration paths, and SMB/Admin Shares; enforce least privilege and separate routine user access from infrastructure administration.
- Harden and monitor hypervisor management interfaces and administrative CLI usage, with logging retained outside the host where feasible.
- Segment critical servers, virtualization management networks, and backup infrastructure to limit discovery and lateral movement paths.
- Maintain phishing-resistant user and identity controls where applicable, including monitoring for suspicious access following email-delivered threats.
Analyst notes and limits
Royal is described by ATT&CK as ransomware first seen in early 2022, with an ESXi-targeting version later observed in February 2023. ATT&CK notes use across multiple industries worldwide, including critical infrastructure, and cites researcher observations of similarities with Conti routines and TTPs; that should be treated as contextual similarity, not definitive attribution. The strongest defensive value comes from validating telemetry and controls around the related ATT&CK techniques rather than focusing only on the malware name.
The supplied ATT&CK object has no official detection text, no aliases, and no explicit tactics listed on the malware object itself. The guidance above is derived from the official description, platforms, external references, and listed technique relationships. Local asset criticality, ESXi architecture, identity model, logging depth, and backup design are required to determine actual exposure or detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1486 | Data Encrypted for Impact | Royal uses a multi-threaded encryption process that can partially encrypt targeted files with the OpenSSL library and the AES256 algorithm. [2][3][4] |
| Enterprise | T1489 | Service Stop | Royal can use `RmShutDown` to kill applications and services using the resources that are targeted for encryption. [2] |
| Enterprise | T1082 | System Information Discovery | Royal can use `GetNativeSystemInfo` to enumerate system processors. [2][4] |
| Enterprise | T1059.012 | Hypervisor CLI (sub-technique) | Royal ransomware uses `esxcli` to gather a list of running VMs and terminate them. [4] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares (sub-technique) | Royal can connect over SMB to move laterally. [2] |
| Enterprise | T1046 | Network Service Discovery | Royal can scan the network interfaces of targeted systems. [2] |
| Enterprise | T1490 | Inhibit System Recovery | Royal can delete shadow copy backups with vssadmin.exe using the command `delete shadows /all /quiet`. [2][3][5] |
| Enterprise | T1135 | Network Share Discovery | Royal can enumerate the shared resources of a given IP address using the API call `NetShareEnum`. [2] |
| Enterprise | T1016 | System Network Configuration Discovery | Royal can enumerate IP addresses using `GetIpAddrTable`. [2] |
| Enterprise | T1106 | Native API | Royal can use multiple APIs for discovery, communication, and execution. [2] |
| Enterprise | T1095 | Non-Application Layer Protocol | Royal establishes a TCP socket for C2 communication using the API `WSASocketW`. [2] |
| Enterprise | T1680 | Local Storage Discovery | Royal can use `GetLogicalDrives` to enumerate logical drives. [2][4] |
| Enterprise | T1566 | Phishing | Royal has been spread through the use of phishing campaigns, including "call back phishing" where victims are lured into calling a number provided through email. [2][3][5] |
| Enterprise | T1057 | Process Discovery | Royal can use `GetCurrentProcess` to enumerate processes. [2] |
| Enterprise | T1083 | File and Directory Discovery | Royal can identify specific files and directories to exclude from the encryption process. [2][3][4] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 99158991b845… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft Royal ransomware November 2022: MSTIC. (2022, November 17). DEV-0569 finds new ways to deliver Royal ransomware, various payloads. Retrieved March 30, 2023.
[2] Cybereason Royal December 2022: Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023.
[3] Kroll Royal Deep Dive February 2023: Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023.
[4] Trend Micro Royal Linux ESXi February 2023: Morales, N. et al. (2023, February 20). Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers. Retrieved March 30, 2023.
[5] CISA Royal AA23-061A March 2023: CISA. (2023, March 2). #StopRansomware: Royal Ransomware. Retrieved March 31, 2023.
[6] mitre-attack S1073
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.