{"id":76038,"date":"2023-01-22T09:00:43","date_gmt":"2023-01-22T17:00:43","guid":{"rendered":"https:\/\/forescoutstage.wpengine.com\/?p=76038"},"modified":"2023-01-24T06:09:24","modified_gmt":"2023-01-24T14:09:24","slug":"royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups","status":"publish","type":"post","link":"https:\/\/www.forescout.com\/blog\/royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups\/","title":{"rendered":"Royal Ransomware \u2013 Analysis of One of the Most Active Ransomware Groups in Late 2022 and Early 2023"},"content":{"rendered":"<p>In our new <a href=\"\/resources\/royal-ransomeware-report\/\">threat briefing report<\/a>, Forescout\u2019s Vedere Labs analyzes the Royal ransomware threat actor group and encryptor payload, presents threat hunt opportunities for network defenders and shares details of the group\u2019s tactics, techniques, and procedures (TTPs).<\/p>\n<h2>Who is Royal ransomware?<\/h2>\n<p>The Royal ransomware threat actor group, initially tracked as DEV-0569, first emerged in early 2022 and has been especially active since the end of the same year. Royal ransomware was first observed by security researchers in September 2022 and since then multiple attacks were detected, targeting organizations across the globe, but mostly in the U.S., Brazil and Europe. 
It was among the <a href=\"https:\/\/darkfeed.io\/\" target=\"new\" rel=\"noopener\">most active ransomware groups<\/a> in December 2022 and has already announced its first victim of 2023: DSBJ, a Chinese company that manufactures components for Internet of Things (IoT) and telecommunications equipment.<\/p>\n<p>Security researchers have <a href=\"https:\/\/twitter.com\/VK_Intel\/status\/1557003350541242369\" target=\"new\" rel=\"noopener\">noticed<\/a> that the group was probably created by one of the former Conti teams (\u201cConti Team One\u201d) and used the Zeon encryptor in some attacks.<\/p>\n<h2>Royal ransomware tactics, techniques and procedures<\/h2>\n<p>The group employs the double extortion tactic by gaining access to a victim\u2019s environment, encrypting their data, exfiltrating sensitive data and demanding a ransom to decrypt files. The files are encrypted using the Advanced Encryption Standard (AES) and given the extension <strong>.royal<\/strong>. In recent attacks, the encrypted files also had the extension <strong>.royal_*<\/strong>.<\/p>\n<p>The initial attack vectors are specifically designed and tailored for individual targets. They include:<\/p>\n<ul>\n<li><strong>Initial infection techniques<\/strong> such as <a href=\"https:\/\/therecord.media\/microsoft-royal-ransomware-group-using-google-ads-in-campaign\/\" target=\"new\" rel=\"noopener\">malicious advertisements<\/a>, phishing links that point to a malware payload, fake software installers and fake forum pages to lure potential victims.<\/li>\n<li><strong>Callback phishing, <\/strong>which entails impersonating various service providers and software providers in emails that look like subscription renewals. The phishing emails contain phone numbers that the victim should contact to cancel their subscription. 
Upon calling the number, the threat actors convince the victim to install remote access software, which serves as initial access to the target network.<\/li>\n<\/ul>\n<p>In a recent campaign, Royal ransomware actors used a compiled remote desktop malware to drop the tools that were later used to infiltrate the victim\u2019s system. In some instances, they used <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.qakbot\" target=\"new\" rel=\"noopener\">QakBot<\/a> and <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.cobalt_strike\" target=\"new\" rel=\"noopener\">Cobalt Strike<\/a> for lateral movement and NetScan to look for any network-connected systems. Once they infiltrated the system, the threat actors used tools like Nsudo, PowerTool and Process Hacker to disable any security-related services running in the system. They used PsExec to execute the malware and spread it to other machines in the network. The group also relies heavily on defense evasion techniques such as using encrypted binaries and disabling antivirus solutions.<\/p>\n<p>The table below summarizes the TTPs commonly used by Royal ransomware.<\/p>\n<div class=\"c-responsive-table td-min-width-0 padding-slim th-no-wrap\">\n<table>\n<tbody>\n<tr>\n<th><b>Tactic<\/b><\/th>\n<th><b>Technique<\/b><\/th>\n<\/tr>\n<tr>\n<td colspan=\"1\" rowspan=\"2\"><a href=\"https:\/\/attack.mitre.org\/tactics\/TA0001\/\" target=\"new\" rel=\"noopener\">Initial Access<\/a><\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1566\/\" target=\"new\" rel=\"noopener\">T1566: Phishing<\/a><\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1078\/\" target=\"new\" rel=\"noopener\">T1078: Valid Accounts<\/a><\/td>\n<\/tr>\n<tr>\n<td colspan=\"1\" rowspan=\"6\"><a href=\"https:\/\/attack.mitre.org\/tactics\/TA0007\/\" target=\"new\" rel=\"noopener\">Discovery<\/a><\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1083\/\" target=\"new\" 
rel=\"noopener\">T1083: File and Directory Discovery<\/a><\/td>\n<\/tr>\n<tr aria-rowindex=\"5\">\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1016\/\" target=\"new\" rel=\"noopener\">T1016: System Network Configuration Discovery<\/a><\/td>\n<\/tr>\n<tr aria-rowindex=\"6\">\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1046\/\" target=\"new\" rel=\"noopener\">T1046: Network Service Discovery<\/a><\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1057\/\" target=\"new\" rel=\"noopener\">T1057: Process Discovery<\/a><\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1082\/\" target=\"new\" rel=\"noopener\">T1082: System Information Discovery<\/a><\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1135\/\" target=\"new\" rel=\"noopener\">T1135: Network Share Discovery<\/a><\/td>\n<\/tr>\n<tr>\n<td colspan=\"1\" rowspan=\"3\"><a href=\"https:\/\/attack.mitre.org\/tactics\/TA0002\/\" target=\"new\" rel=\"noopener\">Execution<\/a><\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1059\/\" target=\"new\" rel=\"noopener\">T1059: Command and Scripting Interpreter<\/a><\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1569\/\" target=\"new\" rel=\"noopener\">T1569: System Services<\/a><\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1204\/\" target=\"new\" rel=\"noopener\">T1204: User Execution<\/a><\/td>\n<\/tr>\n<tr>\n<td colspan=\"1\" rowspan=\"2\"><a href=\"https:\/\/attack.mitre.org\/tactics\/TA0005\/\" target=\"new\" rel=\"noopener\">Defense Evasion<\/a><\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1562\/\" target=\"new\" rel=\"noopener\">T1562: Impair Defenses<\/a><\/td>\n<\/tr>\n<tr>\n<td data-celllook=\"0\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1036\/\" target=\"new\" rel=\"noopener\">T1036: Masquerading<\/a><\/td>\n<\/tr>\n<tr>\n<td colspan=\"1\" rowspan=\"3\"><a 
href=\"https:\/\/attack.mitre.org\/tactics\/TA0040\" target=\"new\" rel=\"noopener\">Impact<\/a><\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1486\/\" target=\"new\" rel=\"noopener\">T1486: Data Encrypted for Impact<\/a><\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1489\/\" target=\"new\" rel=\"noopener\">T1489: Service Stop<\/a><\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1490\/\" target=\"new\" rel=\"noopener\"><span data-contrast=\"none\">T1490: Inhibit System Recovery<\/span><\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h2>Royal ransomware mitigation and threat hunting opportunities<\/h2>\n<p>Common ransomware mitigation recommendations apply to Royal ransomware. They include identifying and patching vulnerable devices in the network, segmenting the network to avoid spreading the infection and monitoring network traffic to detect signs of intrusion, lateral movement and payload execution. These recommendations are detailed on CISA\u2019s Stop Ransomware project page, especially their <a href=\"https:\/\/www.cisa.gov\/stopransomware\/ransomware-guide\" target=\"new\" rel=\"noopener\">ransomware guide<\/a>.<\/p>\n<p>Additionally, since the group relies heavily on phishing for initial access, individuals should pay special attention to potentially malicious e-mails, advertisements and websites. CISA\u2019s recently released <a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/current-activity\/2022\/12\/08\/cisa-releases-phishing-infographic\" target=\"new\" rel=\"noopener\">Phishing Infographic<\/a> is a useful resource for defenders, aligned to their cross-sector cybersecurity performance goals (CPGs).<\/p>\n<p>Finally, hunting for the presence of the threat actor and payload on the network can help stop an ongoing incident before it reaches its full impact. 
The following threat hunting opportunities are based on the detailed analysis provided in our <a href=\"\/resources\/royal-ransomeware-report\/\">full technical report<\/a>:<\/p>\n<ul>\n<li><strong>PsExec Service Installation: <\/strong><span style=\"font-family: Consolas, Monaco, monospace;\">event_id = 7045 OR 7036 &amp;&amp; service_name contains \u201cpsexesvc\u201d<\/span><\/li>\n<li><strong>PsExec Remote Command Execution: <\/strong><span style=\"font-family: Consolas, Monaco, monospace;\">parent_process_name = psexesvc.exe &amp;&amp; process_name = cmd.exe<\/span><\/li>\n<li><strong>Shadow Copy Deletion: <\/strong><span style=\"font-family: Consolas, Monaco, monospace;\">process_name = vssadmin.exe &amp;&amp; Commandline contains \u201cdelete*shadows\u201d<\/span><\/li>\n<li><strong>Local Admin Account Created Using Net.exe: <\/strong><span style=\"font-family: Consolas, Monaco, monospace;\">process_name = net.exe OR net1.exe &amp;&amp; Commandline contains \u201c* administr* \/add*\u201d<\/span><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In our new threat briefing report, Forescout\u2019s Vedere Labs analyzes the Royal ransomware threat actor group and encryptor payload, presents threat hunt opportunities for network defenders and shares details of the group\u2019s tactics, techniques, and procedures (TTPs). Who is Royal ransomware? 
The Royal ransomware threat actor group, initially tracked as DEV-0569, first emerged in early [&hellip;]<\/p>\n","protected":false},"author":124,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"ep_exclude_from_search":false,"footnotes":"","_links_to":"","_links_to_target":""},"categories":[562],"tags":[],"coauthors":[542],"class_list":["post-76038","post","type-post","status-publish","format-standard","hentry","category-news-and-views"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.8 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Royal ransomware \u2013 among the most active threat actors entering 2023 - Forescout<\/title>\n<meta name=\"description\" content=\"The Royal ransomware group has been very active entering 2023. Learn their TTPs including double extortion, plus effective threat hunting and mitigation steps.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.forescout.com\/blog\/royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Royal ransomware \u2013 among the most active threat actors entering 2023 - Forescout\" \/>\n<meta property=\"og:description\" content=\"The Royal ransomware group has been very active entering 2023. 
Learn their TTPs including double extortion, plus effective threat hunting and mitigation steps.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.forescout.com\/blog\/royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups\/\" \/>\n<meta property=\"og:site_name\" content=\"Forescout\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ForescoutTechnologies\" \/>\n<meta property=\"article:published_time\" content=\"2023-01-22T17:00:43+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-01-24T14:09:24+00:00\" \/>\n<meta name=\"author\" content=\"Forescout Research - Vedere Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Forescout\" \/>\n<meta name=\"twitter:site\" content=\"@Forescout\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.forescout.com\/blog\/royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups\/\"},\"author\":{\"name\":\"Forescout Research - Vedere Labs\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/person\/038ef2eda17d37f87d9978fa703ee984\"},\"headline\":\"Royal Ransomware \u2013 Analysis of One of the Most Active Ransomware Groups in Late 2022 and Early 2023\",\"datePublished\":\"2023-01-22T17:00:43+00:00\",\"dateModified\":\"2023-01-24T14:09:24+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups\/\"},\"wordCount\":752,\"publisher\":{\"@id\":\"https:\/\/www.forescout.com\/#organization\"},\"articleSection\":[\"News &amp; 
Views\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.forescout.com\/blog\/royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups\/\",\"url\":\"https:\/\/www.forescout.com\/blog\/royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups\/\",\"name\":\"Royal ransomware \u2013 among the most active threat actors entering 2023 - Forescout\",\"isPartOf\":{\"@id\":\"https:\/\/www.forescout.com\/#website\"},\"datePublished\":\"2023-01-22T17:00:43+00:00\",\"dateModified\":\"2023-01-24T14:09:24+00:00\",\"description\":\"The Royal ransomware group has been very active entering 2023. Learn their TTPs including double extortion, plus effective threat hunting and mitigation steps.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.forescout.com\/blog\/royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.forescout.com\/blog\/royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.forescout.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Royal Ransomware \u2013 Analysis of One of the Most Active Ransomware Groups in Late 2022 and Early 
2023\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.forescout.com\/#website\",\"url\":\"https:\/\/www.forescout.com\/\",\"name\":\"Forescout\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.forescout.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.forescout.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.forescout.com\/#organization\",\"name\":\"Forescout Technologies, Inc.\",\"url\":\"https:\/\/www.forescout.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg\",\"contentUrl\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg\",\"width\":1,\"height\":1,\"caption\":\"Forescout Technologies, Inc.\"},\"image\":{\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/ForescoutTechnologies\",\"https:\/\/x.com\/Forescout\",\"https:\/\/www.instagram.com\/forescouttechnologies\/\",\"https:\/\/www.linkedin.com\/company\/forescout-technologies\",\"https:\/\/www.youtube.com\/user\/forescout1\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/person\/038ef2eda17d37f87d9978fa703ee984\",\"name\":\"Forescout Research - Vedere 
Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/person\/image\/b4c8db5600adef8fa1a89cc86e15c781\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6f43608a91eb86cde1564e21650235d0ed570d1ae0fbd371a265636ed603e70d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6f43608a91eb86cde1564e21650235d0ed570d1ae0fbd371a265636ed603e70d?s=96&d=mm&r=g\",\"caption\":\"Forescout Research - Vedere Labs\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Royal ransomware \u2013 among the most active threat actors entering 2023 - Forescout","description":"The Royal ransomware group has been very active entering 2023. Learn their TTPs including double extortion, plus effective threat hunting and mitigation steps.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.forescout.com\/blog\/royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups\/","og_locale":"en_US","og_type":"article","og_title":"Royal ransomware \u2013 among the most active threat actors entering 2023 - Forescout","og_description":"The Royal ransomware group has been very active entering 2023. Learn their TTPs including double extortion, plus effective threat hunting and mitigation steps.","og_url":"https:\/\/www.forescout.com\/blog\/royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups\/","og_site_name":"Forescout","article_publisher":"https:\/\/www.facebook.com\/ForescoutTechnologies","article_published_time":"2023-01-22T17:00:43+00:00","article_modified_time":"2023-01-24T14:09:24+00:00","author":"Forescout Research - Vedere Labs","twitter_card":"summary_large_image","twitter_creator":"@Forescout","twitter_site":"@Forescout","twitter_misc":{"Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.forescout.com\/blog\/royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups\/#article","isPartOf":{"@id":"https:\/\/www.forescout.com\/blog\/royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups\/"},"author":{"name":"Forescout Research - Vedere Labs","@id":"https:\/\/www.forescout.com\/#\/schema\/person\/038ef2eda17d37f87d9978fa703ee984"},"headline":"Royal Ransomware \u2013 Analysis of One of the Most Active Ransomware Groups in Late 2022 and Early 2023","datePublished":"2023-01-22T17:00:43+00:00","dateModified":"2023-01-24T14:09:24+00:00","mainEntityOfPage":{"@id":"https:\/\/www.forescout.com\/blog\/royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups\/"},"wordCount":752,"publisher":{"@id":"https:\/\/www.forescout.com\/#organization"},"articleSection":["News &amp; Views"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.forescout.com\/blog\/royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups\/","url":"https:\/\/www.forescout.com\/blog\/royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups\/","name":"Royal ransomware \u2013 among the most active threat actors entering 2023 - Forescout","isPartOf":{"@id":"https:\/\/www.forescout.com\/#website"},"datePublished":"2023-01-22T17:00:43+00:00","dateModified":"2023-01-24T14:09:24+00:00","description":"The Royal ransomware group has been very active entering 2023. 
Learn their TTPs including double extortion, plus effective threat hunting and mitigation steps.","breadcrumb":{"@id":"https:\/\/www.forescout.com\/blog\/royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.forescout.com\/blog\/royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.forescout.com\/blog\/royal-ransomware-analysis-of-one-of-the-most-active-ransomware-groups\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.forescout.com\/"},{"@type":"ListItem","position":2,"name":"Royal Ransomware \u2013 Analysis of One of the Most Active Ransomware Groups in Late 2022 and Early 2023"}]},{"@type":"WebSite","@id":"https:\/\/www.forescout.com\/#website","url":"https:\/\/www.forescout.com\/","name":"Forescout","description":"","publisher":{"@id":"https:\/\/www.forescout.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.forescout.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.forescout.com\/#organization","name":"Forescout Technologies, Inc.","url":"https:\/\/www.forescout.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg","contentUrl":"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg","width":1,"height":1,"caption":"Forescout Technologies, 
Inc."},"image":{"@id":"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/ForescoutTechnologies","https:\/\/x.com\/Forescout","https:\/\/www.instagram.com\/forescouttechnologies\/","https:\/\/www.linkedin.com\/company\/forescout-technologies","https:\/\/www.youtube.com\/user\/forescout1"]},{"@type":"Person","@id":"https:\/\/www.forescout.com\/#\/schema\/person\/038ef2eda17d37f87d9978fa703ee984","name":"Forescout Research - Vedere Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.forescout.com\/#\/schema\/person\/image\/b4c8db5600adef8fa1a89cc86e15c781","url":"https:\/\/secure.gravatar.com\/avatar\/6f43608a91eb86cde1564e21650235d0ed570d1ae0fbd371a265636ed603e70d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6f43608a91eb86cde1564e21650235d0ed570d1ae0fbd371a265636ed603e70d?s=96&d=mm&r=g","caption":"Forescout Research - Vedere Labs"}}]}},"featured_media_url":false,"is_file":false,"excerpt_manually_set":false,"_links":{"self":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/posts\/76038","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/users\/124"}],"replies":[{"embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/comments?post=76038"}],"version-history":[{"count":0,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/posts\/76038\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/media?parent=76038"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/categories?post=76038"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/tags?post=76038"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/
www.forescout.com\/wp-json\/wp\/v2\/coauthors?post=76038"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}