The U.S. CISA and FBI warn of Royal ransomware operation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of the capabilities of the recently emerged Royal ransomware.


The human-operated Royal ransomware first appeared on the threat landscape in September 2022 and has since demanded ransoms of up to millions of dollars.

Unlike other ransomware operations, Royal doesn’t offer Ransomware-as-a-Service; it appears to be a private group without a network of affiliates.

Once they have compromised a victim’s network, the threat actors deploy the post-exploitation tool Cobalt Strike to maintain persistence and perform lateral movement.

The Royal ransomware is written in C++. It infects Windows systems and deletes all Volume Shadow Copies to prevent data recovery. The ransomware encrypts the network shares found on the local network, as well as the local drives, with the AES algorithm.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) to provide organizations with the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with this ransomware family.

According to government experts, the Royal ransomware attacks have targeted numerous critical infrastructure sectors, including manufacturing, communications, healthcare and public health (HPH), and education.


“FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used “Zeon” as a loader,” reads the alert. “After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems.”

Royal operators have demanded ransoms ranging from approximately $1 million to $11 million USD worth of Bitcoin.

The Royal ransomware can either fully or partially encrypt a file depending on its size and the ‘-ep’ parameter. The malware changes the extension of the encrypted files to ‘.royal’.

Royal ransomware actors gain initial access to victim networks in multiple ways; in the majority of the attacks, the threat actors used phishing messages. The actors also gained access through Remote Desktop Protocol (RDP), by exploiting public-facing applications, and through initial access brokers.

The threat actors rely on legitimate Windows software to strengthen their foothold in the victim’s network, and they often use open-source projects to carry out intrusion activities. The operators have recently been observed using the Chisel tunneling tool for C2 communication. The FBI has observed multiple Qakbot C2s used in Royal ransomware attacks, but it is still unclear whether Royal ransomware exclusively uses Qakbot C2s.

The threat actors often use RDP for lateral movement, along with the Microsoft Sysinternals tool PsExec. The FBI also observed Royal actors using remote monitoring and management (RMM) software, such as AnyDesk, LogMeIn, and Atera, to maintain persistence in the victim’s network.


“In some instances, the actors moved laterally to the domain controller. In one confirmed case, the actors used a legitimate admin account to remotely log on to the domain controller [T1078]. Once on the domain controller, the threat actor deactivated antivirus protocols [T1562.001] by modifying Group Policy Objects [T1484.001],” continues the alert.
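
A defender-side illustration of the behaviours described above (shadow-copy deletion, PsExec for lateral movement, RMM tools, the Chisel tunnel, and the ‘.royal’ extension), added here as an example and not part of the advisory or this article: a small Python scanner that flags those behaviours in process-creation and file-rename telemetry. The log format, hostnames, and the vssadmin/wmic command forms used for shadow-copy deletion are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample telemetry (not from the advisory). One event per line:
# "<time> <host> <type> key=value ...", values containing spaces are double-quoted.
SAMPLE_LOG = r'''
2023-03-02T10:01:05 WS01 PROCESS user=jdoe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
2023-03-02T10:01:09 WS01 PROCESS user=jdoe image=C:\Tools\PsExec.exe cmdline="psexec \\DC01 -s cmd.exe"
2023-03-02T10:02:30 WS01 PROCESS user=jdoe image=C:\Temp\chisel.exe cmdline="chisel client 203.0.113.5:8080 R:socks"
2023-03-02T10:02:45 DC01 PROCESS user=admin image="C:\Program Files\AnyDesk\AnyDesk.exe" cmdline="AnyDesk.exe --service"
2023-03-02T10:03:00 WS01 FILE_RENAME path=C:\Share\q4.xlsx newpath=C:\Share\q4.xlsx.royal
2023-03-02T10:03:01 WS01 FILE_RENAME path=C:\Share\notes.docx newpath=C:\Share\notes.docx.royal
2023-03-02T10:05:00 WS02 PROCESS user=svc_backup image=C:\Backup\backup.exe cmdline="backup.exe --full"
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=value

# Process-level behaviours named in the advisory summary; the command-line forms for
# shadow-copy deletion (vssadmin / wmic) are common implementations, assumed here.
PROCESS_RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)),
    ("psexec_lateral_movement", re.compile(r"psexec(64)?\.exe", re.I)),
    ("rmm_tool", re.compile(r"anydesk|logmein|atera", re.I)),
    ("chisel_tunnel", re.compile(r"\bchisel\b", re.I)),
]

def parse_event(line):
    """Split one telemetry line into its fixed columns plus its key=value fields."""
    time, host, etype, rest = line.split(" ", 3)
    fields = {k: (quoted or plain) for k, quoted, plain in KV.findall(rest)}
    return {"time": time, "host": host, "type": etype, **fields}

def detect(log_text):
    """Return (time, host, rule) for every event matching one of the Royal-style behaviours."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if ev["type"] == "PROCESS":
            subject = f'{ev.get("image", "")} {ev.get("cmdline", "")}'
            for rule, pattern in PROCESS_RULES:
                if pattern.search(subject):
                    findings.append((ev["time"], ev["host"], rule))
        elif ev["type"] == "FILE_RENAME" and ev.get("newpath", "").lower().endswith(".royal"):
            findings.append((ev["time"], ev["host"], "royal_extension_rename"))
    return findings

def hosts_with_encryption_activity(findings, min_renames=2):
    """Hosts with repeated .royal renames: encryption is likely already running there."""
    counts = Counter(host for _, host, rule in findings if rule == "royal_extension_rename")
    return sorted(host for host, n in counts.items() if n >= min_renames)

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    print(*hits, "encryption activity on:", hosts_with_encryption_activity(hits), sep="\n")
```

The earlier findings (shadow-copy deletion, PsExec, the tunnel, and the RMM tool on the domain controller) are the pre-encryption stage the advisory describes, so they are the ones worth alerting on before the rename threshold is reached.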

In December 2022, the US Department of Health and Human Services (HHS) warned healthcare organizations of Royal ransomware attacks.

In February 2023, Royal operators added support for encrypting Linux devices and for targeting VMware ESXi virtual machines.


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)



