The human-operated Royal ransomware first appeared on the threat landscape in September 2022, it has demanded ransoms up to millions of dollars.
Unlike other ransomware operations, Royal doesn’t offer Ransomware-as-a-Service, it appears to be a private group without a network of affiliates.
Once compromised a victim’s network, threat actors deploy the post-exploitation tool Cobalt Strike to maintain persistence and perform lateral movements.
The Royal ransomware is written in C++, it infected Windows systems and deletes all Volume Shadow Copies to prevent data recovery. The ransomware encrypts the network shares, that are found on the local network and the local drives, with the AES algorithm
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) to provide organizations, tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with this ransomware family.
According to government experts, the Royal ransomware attacks targeted numerous critical infrastructure sectors including, manufacturing, communications, healthcare and public healthcare (HPH), and education.
“FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used “Zeon” as a loader.” reads the alert. “After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems.”
Royal operators have demanded ransom ranging from approximately $1 million to $11 million USD worth of Bitcoin.
The Royal ransomware can either fully or partially encrypt a file depending on its size and the ‘-ep’
parameter. The malware changes the extension of the encrypted files to ‘.royal’.
Royal ransomware actors gain initial access to victim networks in multiple ways, in the majority of the attacks threat actors used phishing messages. The actors also gained access through Remote Desktop Protocol (RDP), by exploiting public-facing applications, and through initial access brokers.
The threat actors rely on legitimate Windows software to strengthen their foothold in the victim’s network, they often use open-source projects to carry out intrusion activities. The operators have recently been observed using the Chisel tunneling tool for C2 communication. FBI has observed multiple Qakbot C2s used in Royal ransomware attacks, but it is still unclear if Royal ransomware exclusively uses Qakbot C2s.
The threat actors often use RDP for lateral movements along with the Microsoft Sysinternals tool PsExec. FBI also observed Royal actors using remote monitoring and management (RMM) software, such as AnyDesk, LogMeIn, and Atera, to maintain persistence in the victim’s network.
“In some instances, the actors moved laterally to the domain controller. In one confirmed case, the actors used a legitimate admin account to remotely log on to the domain controller [T1078]. Once on the domain controller, the threat actor deactivated antivirus protocols [T1562.001] by modifying Group Policy Objects [T1484.001].” continues the alert.
In December 2022, the US Department of Health and Human Services (HHS) warned healthcare organizations of Royal ransomware attacks.
In February 2023, Royal operators added support for encrypting Linux devices and target VMware ESXi virtual machines.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransomware)
Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks exploiting recently disclosed CVE-2024-4040 vulnerability. Over…
A ransomware attack on a Swedish logistics company Skanlog severely impacted the country's liquor supply. …
CISA adds Cisco ASA and FTD and CrushFTP VFS vulnerabilities to its Known Exploited Vulnerabilities…
U.S. CISA added the Windows Print Spooler flaw CVE-2022-38028 to its Known Exploited Vulnerabilities catalog.…
The U.S. Department of Justice (DoJ) announced the arrest of two co-founders of a cryptocurrency mixer…
Google addressed a critical Chrome vulnerability, tracked as CVE-2024-4058, that resides in the ANGLE graphics…
This website uses cookies.