Ransomware
Ransomware
actors
have
been
observed
to
expand
their
targets
by
increasingly
developing
Linux-based
versions.
Royal
ransomware
is
following
in
the
same
path,
a
new
variant
targeting
Linux
systems
emerged
and
we
will
provide
a
technical
analysis
on
this
variant
in
this
blog.
Ransomware actors
have
been
observed
to
expand
their
targets
by
increasingly
developing
Linux-based
versions.
We
predicted
in
September
2022
that
ransomware
groups
will
would
increasingly
target
Linux
servers
and
embedded
systems
in
the
coming
years
after
detecting
a
double-digit
year-on-year
(YoY)
increase
in
attacks
on
these
systems
in
the
first
half
of
2022.
In
May
2021
we
reported
ransomware
variants
of
DarkSide
and
in
May
2022
we
found
Cheerscrypt,
specifically
targeting
the
ESXi
servers,
which
are
widely
used
for
server
virtualization
by
enterprises.
Royal
ransomware
is
following
in
the
same
path,
a
new
variant
targeting
Linux
systems
emerged
and
we
will
provide
a
technical
analysis
on
this
variant
in
this
blog.
Royal’s
Linux
counterpart
also
targets
ESXi
servers,
a
target
expansion
which
can
create
a
big
impact
on
victimized
enterprise
data
centers
and
virtualized
storage.
Royal
ransomware
was
first
observed
in
September
2022,
and
the
threat
actors
behind
it
are
believed
to
be
seasoned
cybercriminals
who
used
to
be
part
of
Conti
Team
One.
Despite
being
detected
only
in
September
2022,
Royal
ransomware
was
among
the
three
most
prolific
ransomware
groups
in
the
fourth
quarter
last
year.
According
to
data
from
ransomware
groups’
leak
sites,
10.7%
were
attributed
to
Royal,
with
only
LockBit
and
BlackCat
ahead
of
it,
accounting
for
22.3%
and
11.7%
respectively.
Its
threat
actors
being
an
offshoot
from
Conti
may
be
the
reason
for
its
quick
claim
to
fame
as
soon
as
it
made
headlines
in
the
ransomware
landscape.
Upon
examining
the
ransomware’s
attacks,
we
learned
that
it
combines
old
and
new
techniques,
which
supports
the
theory
that
actors
behind
it
have
an
extensive
knowledge
of
the
ransomware
scene.
In
its
early
campaigns,
Royal
deployed
BlackCat’s
encryptor,
but
later
shifted
to
its
own
called
Zeon,
which
dropped
ransom
notes
similar
to
Conti’s.
Royal
later
rebranded
and
began
using
Royal
in
its
ransom
notes
generated
by
its
own
encryptor.
1.
Ransom
note
of
Royal
ransomware
Royal
ransomware
targeted
small
to
medium-sized
businesses
in
the
fourth
quarter
of
2022:
51.9%
of
its
victims
were
small
business,
while
26.8%
were
medium-sized.
Only
11.3%
of
its
victims
for
this
period
were
large
enterprises.
Among
its
victims,
the
IT,
finance,
materials,
healthcare,
and
food
and
staples
industries
were
its
top
targets.
Threat
actors
behind
Royal
focused
on
targets
in
North
America
during
the
last
quarter
of
2022,
which
accounted
for
three-quarters
of
its
victims
in
that
time
period.
Royal
also
targeted
enterprises
in
Europe,
Latin
America,
Asia
Pacific,
Africa,
and
the
Middle
East.
In
our
analysis,
we
found
that
Royal
ransomware
accepts
the
following
command-line
arguments:
|
Argument |
Description |
|
-id {32-byte characters} |
Will be used as the victim’s ID, which will be appended on the TOR link found in the dropped ransom note. The process exits if not provided, or if the provided characters are not 32 bytes long |
| -ep |
Used for full or partial encryption of file routine |
| -stopvm |
Used to terminate VM processes via EXSCLi |
| -vmonly | |
| -fork |
For creation of fork process |
| -logs |
Display logs of encrypted files |
Table
1.
Royal
ransomware
arguments
and
description
2.
Accepted
arguments
by
Royal
ransomware
The
“-id”
parameter,
like
Royal
ransomware’s
Win32
variant,
requires
32-byte
characters
in
order
to
proceed,
and
will
be
used
as
the
Victim’s
ID.
3.
Royal
ransomware
checks
-id
parameter
length
if
equal
to
32
bytes
The
“-path”
argument
from
earlier
Royal
ransomware
Win32
variants
was
removed
in
the
Linux
variant,
but
the
file
path
argument
is
still
required
in
order
to
execute
the
ransomware.
It
designates
the
first
argument
to
be
used
as
the
file
path
to
be
encrypted.
4.
Royal
ransomware
sets
the
file
path
as
first
argument
to
be
accepted
and
used
for
search_files
function
Inside
the
“stop_vm”
function,
Royal
ransomware
implements
the
following
command
to
terminate
VM
processes
using
ESXCLI.
esxcli
vm
process
kill
–type=hard
–world-id={
}
5.
Terminating
VM
processes
via
ESXCLI
Royal
ransomware
then
creates
a
specified
number
of
threads
depending
on
the
number
of
processors
of
the
infected
machine.
It
determines
the
number
of
processors
by
using
the
sysconf(84)
function,
multiplying
it
by
8
to
determine
the
number
of
threads
to
be
created.
By
doing
so,
it
significantly
increases
the
speed
of
the
“thread_func”
function
where
it
contains
the
encryption
routine
of
the
ransomware.
6.
The
Royal
ransomware
function
used
to
determine
number
of
threads
to
be
created
For
the
“search_files”
function,
Royal
ransomware
uses
the
“opendir”
function
to
open
a
specified
directory.
It
then
drops
the
ransom
note
“readme”
to
the
directory
and
then
calls
the
“readdir”
function
in
a
loop
to
read
all
entries
inside
the
directory.
It
then
checks
the
type
of
the
entry
if
it’s
a
directory
(d_type
==
4)
or
a
file
(d_type
==
8).
If
it’s
a
directory,
it
recursively
calls
the
“search_files”
function
on
the
entry.
7.
The
Royal
ransomware
search_files
function
If
the
entry
is
a
regular
file,
it
checks
the
filename
and
avoids
encrypting
the
following
files
with
the
following
names/extensions:
-
.royal_u -
.royal_w -
.sf -
.v00 -
.b00 -
royal_log_ -
readme
One
of
the
excluded
extensions,
“.royal_w”,
is
the
latest
appended
extension
of
the
Royal
ransomware.
We
assume
that
the
“royal_w”
and
“royal_u”
are
used
by
threat
actors
to
differentiate
encrypted
files
by
their
Windows
variant
(royal_w)
and
Linux
variants
(royal_u),
where
u
possibly
stands
for
Unix.
As
in
Royal
ransomware’s
Win32
variant,
it
also
uses
OpenSSL’s
Advanced
Encryption
Standard
(AES)
for
its
encryption.
8.
The
Royal
ransomware
RSA
Public
Key
is
hardcoded
in
the
binary
9.
Royal
ransomware
function
containing
the
encryption
routine
Royal
ransomware
threat
actors
also
implement
intermittent
encryption.
Using
the
-ep
parameter,
it
accepts
integers
from
0
to
100;
if
the
integer
exceeds
100
or
is
below
or
equal
to
0,
it
sets
the
value
to
50
and
will
be
used
as
a
parameter
for
intermittent
encryption.
10.
Royal
ransomware
function
which
checks
the
parameter
used
for
-ep
argument
Royal
ransomware
then
generates
the
AES
key
and
IV
using
the
following
function,
then
encrypts
it
using
RSA
encryption.
The
encrypted
AES
and
IV
key
will
also
be
appended
to
each
of
the
encrypted
files.
11.
Generation
of
AES
Key
and
IV
of
Royal
ransomware
If
the
RSA
encryption
is
successful,
it
then
rounds
up
the
file
to
multiples
of
16,
which
is
required
in
AES
encryption.
12.
Royal
ransomware
rounds
up
the
file
size
to
multiples
of
16
For
the
rounded-up
files,
Royal
ransomware
then
checks
if
the
size
is
less
than
or
equal
to
5,245,000
bytes
or
if
the
value
set
on
-ep
is
100.
If
one
of
the
conditions
is
met,
it
will
encrypt
the
whole
file.
For
files
greater
than
5,245,000
bytes,
the
encryption
will
take
place
per
certain
calculated
blocks
where
it
will
encrypt
the
first
N
bytes,
then
skip
the
next
N
bytes,
and
repeats
the
process.
13.
Royal
ransomware
checks
the
file
size
if
it
meets
specific
conditions
before
encrypting
14.
The
calculation
of
N
bytes
used
for
intermittent
encryption
used
by
Royal
ransomware
The
calculation
of
N
bytes
is
as
follows:
|
N = (X/10) * (Original File Size / 100) then rounded down to multiples of 16 |
*where
X
is
the
value
set
to
-ep
If
the
calculated
N
is
greater
than
1,024,000,
it
will
encrypt
1,024,000
block
instead.
15.
Royal
ransomware
checks
the
file
size
if
it
is
less
than
1,024,000
bytes
The
intermittent
encryption
technique
on
the
Linux
variant
shares
great
similarity
to
the
encryption
done
by
Royal
ransomware’s
Win32
variant,
which
aims
to
make
the
encryption
faster.
16.
Royal
ransomware’s
encryption
routine
Lastly,
Royal
ransomware
appends
the
“royal_u”
file
extension
for
the
encrypted
files
and
drops
its
ransom
note
into
the
directory.
17.
Some
of
Royal
ransomware’s
encrypted
files,
with
the
accompanying
ransom
note
This
new
variant
of
the
Royal
ransomware
expands
their
attacks
to
target
ESXi
servers,
causing
great
damage
to
their
victims.
As
the
threat
actors
behind
Royal
are
believed
to
be
seasoned
cybercriminals
from
Conti,
they
are
equipped
with
an
arsenal
of
knowledge
of
the
ransomware
scene
which
can
prove
to
be
a
great
risk
to
enterprises
as
we
expect
to
see
more
activity
from
the
ransomware
group
in
the
future.
Royal
ransomware
can
be
expected
to
develop
new
variants
for
wider
impact.
To
protect
systems
from
ransomware
attacks,
we
recommend
that
both
individual
users
and
organizations
implement
best
practices
such
as
applying
data
protection,
backup,
and
recovery
measures
to
secure
data
from
possible
encryption
or
erasure.
Conducting
regular
vulnerability
assessments
and
patching
systems
in
a
timely
manner
can
also
minimize
the
damage
dealt
by
ransomware
that
abuses
exploits.
We
advise
users
and
organizations
to
update
their
systems
with
the
latest
patches
and
apply
multi-layered
defense
mechanisms.
End
users
and
enterprises
alike
can
mitigate
the
risk
of
infection
from
new
threats
like
Royal
ransomware
by
following
these
security
best
practices:
-
Enable
multifactor
authentication
(MFA)
to
prevent
attackers
from
performing
lateral
movement
inside
a
network. -
Adhere
to the
3-2-1
rule when
backing
up
important
files.
This
involves
creating
three
backup
copies
on
two
different
file
formats,
with
one
of
the
copies
stored
in
a
separate
location. -
Patch
and
update
systems regularly.
It’s
important
to
keep
operating
systems
and
applications
up
to
date
and
maintain
patch
management
protocols
that
can
deter
malicious
actors
from
exploiting
any
software
vulnerabilities.
Indicators
of
Compromise
|
SHA256 |
Detection |
| b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c | Ransom.Linux.ROYAL.THBOBBC |
| 06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725 | Ransom.Linux.ROYAL.THBOBBC |
Tags
Authors
sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk
About Author
