A ransomware assault targeting a phone repair and insurance firm resulted in damages totaling millions.

The sudden emergence of Royal Ransomware in early 2023 marked a significant escalation in cyber threats targeting service providers across Europe. Attackers exploited unpatched VPN and remote-desktop gateways, initiating brute-force and credential-stuffing campaigns to breach perimeter defences. Once inside, the malware deployed a custom encryption engine that utilised AES-256 for file encryption and RSA-4096 to protect the symmetric keys, rendering communication, billing, and contract databases entirely inaccessible. Daily operations ground to a halt within hours, underscoring the devastating efficiency of modern ransomware. Within days of the incident, Wa.de analysts identified unusual lateral movement facilitated by stolen domain-admin credentials, allowing the threat actors to pivot across critical servers without detection. Shortly thereafter, Royal dropped a ransom note on every networked printer, warning that all systems were encrypted and that the decryption tool would only be delivered upon receipt of several dozen Bitcoin. Despite swift engagement with law enforcement and cybersecurity responders, the affected company faced protracted downtime and crippling operational losses.

Restoration efforts hinged on a negotiated Bitcoin payment in mid-2023. Even after the decryption keys were finally procured, rebuilding data pipelines and reconciling premium settlements required manual intervention for months. The company estimated total damages in the mid-seven-figure euro range, a figure compounded by the seizure of crypto assets by prosecutors during their ongoing investigation. Today, insolvency proceedings loom as the inability to recover those funds has derailed any meaningful restructuring. Royal initiates its attack by scanning for open RDP and VPN endpoints, deploying a lightweight Go-based loader that establishes a TLS-encrypted command-and-control channel. The loader subsequently injects a position-independent shellcode—encoded via XOR-and-rotations—into memory, bypassing disk-based antivirus solutions. This in-memory payload decrypts a secondary module that harvests Active Directory credentials using Windows API calls such as LsaRetrievePrivateData and NetUserGetInfo. After gaining elevated privileges, it disables Windows Recovery Service and renames Volume Shadow Copy Service executables to prevent rollback. Finally, it enumerates all logical drives and encrypts files matching specific extensions in parallel threads. By chaining these tactics, Royal achieves both speed and stealth, evading heuristic-based scanners.