Malware

The U.S. CISA and FBI warn of Royal ransomware operation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of the capabilities of the recently emerged Royal ransomware.

The human-operated Royal ransomware first appeared on the threat landscape in September 2022, it has demanded ransoms up to millions of dollars.

Unlike other ransomware operations, Royal doesn’t offer Ransomware-as-a-Service, it appears to be a private group without a network of affiliates.

Once compromised a victim’s network, threat actors deploy the post-exploitation tool Cobalt Strike to maintain persistence and perform lateral movements.

The Royal ransomware is written in C++, it infected Windows systems and deletes all Volume Shadow Copies to prevent data recovery. The ransomware encrypts the network shares, that are found on the local network and the local drives, with the AES algorithm

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) to provide organizations, tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with this ransomware family.

According to government experts, the Royal ransomware attacks targeted numerous critical infrastructure sectors including, manufacturing, communications, healthcare and public healthcare (HPH), and education.

“FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used “Zeon” as a loader.” reads the alert. “After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems.”

Royal operators have demanded ransom ranging from approximately $1 million to $11 million USD worth of Bitcoin.

The Royal ransomware can either fully or partially encrypt a file depending on its size and the ‘-ep’
parameter. The malware changes the extension of the encrypted files to ‘.royal’.

Royal ransomware actors gain initial access to victim networks in multiple ways, in the majority of the attacks threat actors used phishing messages. The actors also gained access through Remote Desktop Protocol (RDP), by exploiting public-facing applications, and through initial access brokers.

The threat actors rely on legitimate Windows software to strengthen their foothold in the victim’s network, they often use open-source projects to carry out intrusion activities. The operators have recently been observed using the Chisel tunneling tool for C2 communication. FBI has observed multiple Qakbot C2s used in Royal ransomware attacks, but it is still unclear if Royal ransomware exclusively uses Qakbot C2s.

The threat actors often use RDP for lateral movements along with the Microsoft Sysinternals tool PsExec. FBI also observed Royal actors using remote monitoring and management (RMM) software, such as AnyDesk, LogMeIn, and Atera, to maintain persistence in the victim’s network.

“In some instances, the actors moved laterally to the domain controller. In one confirmed case, the actors used a legitimate admin account to remotely log on to the domain controller [T1078]. Once on the domain controller, the threat actor deactivated antivirus protocols [T1562.001] by modifying Group Policy Objects [T1484.001].” continues the alert.

In December 2022, the US Department of Health and Human Services (HHS) warned healthcare organizations of Royal ransomware attacks.

In February 2023, Royal operators added support for encrypting Linux devices and target VMware ESXi virtual machines.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Earth Krahang APT breached tens of government organizations worldwide

Trend Micro uncovered a sophisticated campaign conducted by Earth Krahang APT group that breached 70…

23 mins ago

PoC exploit for critical RCE flaw in Fortra FileCatalyst transfer tool released

Fortra addressed a critical remote code execution vulnerability impacting its FileCatalyst file transfer product. Fortra has released…

12 hours ago

Fujitsu suffered a malware attack and probably a data breach

Technology giant Fujitsu announced it had suffered a cyberattack that may have resulted in the…

14 hours ago

Remove WordPress miniOrange plugins, a critical flaw can allow site takeover

A critical vulnerability in WordPress miniOrange's Malware Scanner and Web Application Firewall plugins can allow…

20 hours ago

The Aviation and Aerospace Sectors Face Skyrocketing Cyber Threats

Resecurity reported about the increasing wave of cyber incidents targeting the aerospace and aviation sectors.…

22 hours ago

Email accounts of the International Monetary Fund compromised

Threat actors compromised at least 11 International Monetary Fund (IMF) email accounts earlier this year,…

1 day ago

This website uses cookies.