Exposing the New Ways Royal Ransomware Gets Delivered | WhoisXML API

Exposing the New Potential Ways Royal Ransomware Gets Delivered

A threat actor Microsoft dubbed “DEV-0569” found new ways to deploy Royal ransomware.[1] One is right up our alley, as the tactic involved using typosquatting domains.

WhoisXML API researchers built on Microsoft’s report and conducted a three-part investigation, revealing:

  • 50+ domains connected to a Royal ransomware IoC through their WHOIS records
  • 3,000+ typosquatting domains targeting software typically impersonated by DEV-0569
  • Dozens of malicious artifacts, some of which had unredacted registrant email addresses also used to register 380+ other suspicious domains

Get access to our findings and uncover more on your own. Download the report now.

  • [1] https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/