The U.S. CISA and FBI warn of Royal ransomware operation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of the capabilities of the recently emerged Royal ransomware.

The human-operated Royal ransomware first appeared on the threat landscape in September 2022, it has demanded ransoms up to millions of dollars.

Unlike other ransomware operations, Royal doesn’t offer Ransomware-as-a-Service, it appears to be a private group without a network of affiliates.

Once compromised a victim’s network, threat actors deploy the post-exploitation tool Cobalt Strike to maintain persistence and perform lateral movements.

The Royal ransomware is written in C++, it infected Windows systems and deletes all Volume Shadow Copies to prevent data recovery. The ransomware encrypts the network shares, that are found on the local network and the local drives, with the AES algorithm

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) to provide organizations, tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with this ransomware family.

According to government experts, the Royal ransomware attacks targeted numerous critical infrastructure sectors including, manufacturing, communications, healthcare and public healthcare (HPH), and education.

“FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used “Zeon” as a loader.” reads the alert. “After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems.”

Royal operators have demanded ransom ranging from approximately $1 million to $11 million USD worth of Bitcoin.

The Royal ransomware can either fully or partially encrypt a file depending on its size and the ‘-ep’
parameter. The malware changes the extension of the encrypted files to ‘.royal’.

Royal ransomware actors gain initial access to victim networks in multiple ways, in the majority of the attacks threat actors used phishing messages. The actors also gained access through Remote Desktop Protocol (RDP), by exploiting public-facing applications, and through initial access brokers.

The threat actors rely on legitimate Windows software to strengthen their foothold in the victim’s network, they often use open-source projects to carry out intrusion activities. The operators have recently been observed using the Chisel tunneling tool for C2 communication. FBI has observed multiple Qakbot C2s used in Royal ransomware attacks, but it is still unclear if Royal ransomware exclusively uses Qakbot C2s.

The threat actors often use RDP for lateral movements along with the Microsoft Sysinternals tool PsExec. FBI also observed Royal actors using remote monitoring and management (RMM) software, such as AnyDesk, LogMeIn, and Atera, to maintain persistence in the victim’s network.

“In some instances, the actors moved laterally to the domain controller. In one confirmed case, the actors used a legitimate admin account to remotely log on to the domain controller [T1078]. Once on the domain controller, the threat actor deactivated antivirus protocols [T1562.001] by modifying Group Policy Objects [T1484.001].” continues the alert.

In December 2022, the US Department of Health and Human Services (HHS) warned healthcare organizations of Royal ransomware attacks.

In February 2023, Royal operators added support for encrypting Linux devices and target VMware ESXi virtual machines.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)