The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have recently released a cybersecurity advisory as part of their StopRansomware campaign. The advisory sheds light on the tactics, techniques, and procedures (TTPs) used by the Royal ransomware group and includes indicators of compromise associated with infection.
Emergence and High-Profile Attacks
The Royal ransomware operation made its first appearance in January 2022, and throughout that year, it carried out several high-profile attacks against organizations, including Silverstone Circuit and Queensland University of Technology. By the end of 2022, the Royal ransomware group had surged to the top of the monthly charts, surpassing LockBit in November 2022. This increase in attacks was likely due to a sharp rise in targeting organizations ahead of the holiday season.
Analysis of the Ransomware Group
Initially, the Royal ransomware group used the ALPHV/BlackCat ransomware as its preferred encryption tool. However, as the year progressed, the group developed its own encryption tool called Zeon, which bore similarities to Conti’s encryption tool, suggesting that members of the now-defunct Conti operation are involved in Royal. Since September 2022, the ransomware group has been using a variant of Zeon called Royal, which uses the “.royal” file extension on encrypted files and names itself “Royal” in the ransom notes.
Tactics, Techniques, and Procedures
The Royal ransomware group uses several techniques to gain initial access to target networks, including phishing attacks through emails containing malicious PDFs or malvertising that leads the victim to download malware. Other tactics used by the group include compromising Remote Desktop Protocol (RDP), exploiting public-facing applications, and using initial access brokers. A Tenable report on the Ransomware Ecosystem provides a deeper explanation of how ransomware operators gain access to their target networks.
Once the attackers gain access, they establish Command and Control (C2) communication with their C2 infrastructure, which may include C2s associated with Qakbot. After establishing communication with the C2s, the Royal actors download several tools, including remote monitoring and management software such as AnyDesk, LogMeIn, and Atera. These tools are used for lateral movement and persistence. Royal has also been observed compromising domain controllers and using Group Policy Objects to deactivate antivirus solutions.
To exfiltrate data, Royal uses Cobalt Strike and malware such as Ursnif/Gozi. Before encrypting the target’s files, Royal actors check if the files are being used or are blocked by applications using Windows Restart Manager. They also delete Volume Shadow Copies to prevent victims from restoring to a snapshot after the ransomware executes. Batch files perform several operations, such as creating new administrator accounts, modifying registry keys, executing and monitoring file encryption, and deleting original files and logs.
Indicators of Compromise
The ransomware leaves several files on affected systems, including encrypted files with the “.royal” extension, a README.TXT file in directories where there are encrypted files, and several batch files (.bat). The CSA also provides a list of IP addresses and domains used by the ransomware and hashes of tools, malware, and batch files used.
Identifying Affected Systems
To mitigate the risk of ransomware attacks, organizations can review Indicators of Exposure related to weak password policies, end-of-life operating systems, insufficient hardening against ransomware attacks, and auditing of privileged accounts. Tenable One Exposure Management Platform goes beyond traditional vulnerability management, including data about configuration issues, vulnerabilities, and attack paths across a spectrum of assets and technologies. This includes identity solutions such as Active Directory, cloud configurations and deployments, and web
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.