The US Cybersecurity and Infrastructure Security Agency (CISA) has published a new advisory about Royal ransomware, which emerged in the threat landscape last year.
“After gaining access to victims’ networks, Royal’s actors disable antivirus software and extract large amounts of data before finally deploying ransomware and encrypting systems,” CISA said.
The custom ransomware program, which has targeted US and international organizations since September 2022, is believed to have evolved from earlier iterations that were dubbed Zeon.
Furthermore, it is said to be operated by experienced threat actors who used to be part of Conti Team One, cybersecurity firm Trend Micro revealed in December 2022.
The ransomware group uses callback phishing to deliver its ransomware to victims, a technique widely adopted by criminal groups that splintered from the Conti enterprise last year after it shut down.
Other modes of initial access include Remote Desktop Protocol (RDP), exploitation of public-facing applications, and initial access brokers (IABs).
Ransom demands made by Royal range from $1 million to $11 million, with attacks targeting a variety of critical sectors, including communications, education, healthcare, and manufacturing.
“Royal ransomware uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt,” CISA noted. “This approach allows the actor to lower the encryption percentage for larger files, which helps to evade detection.”
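To show why partial encryption matters to defenders, here is an added example (not from CISA's advisory or the original article) that compares a whole-file entropy check with a per-chunk check. It assumes the evaded detector is an entropy heuristic, which the advisory does not state; the 4096-byte chunk size, the 7.5 bits/byte cutoff, and the sample data are constructed, with random bytes standing in for ciphertext.

```python
import math
import random

CHUNK = 4096   # assumed scan granularity in bytes
HIGH = 7.5     # assumed bits/byte cutoff for "looks like ciphertext"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def chunk_profile(data: bytes):
    """Return (number of high-entropy chunks, total chunks)."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    return sum(shannon_entropy(c) >= HIGH for c in chunks), len(chunks)

def verdict(data: bytes) -> str:
    """Classify a file; the whole-file test alone would pass the partial case."""
    high, total = chunk_profile(data)
    if high == 0:
        return "clean"
    if shannon_entropy(data) >= HIGH:
        return "high-entropy (encrypted or compressed)"
    return f"partial: {high}/{total} chunks high-entropy, whole-file check missed it"

def make_samples():
    """Constructed inputs: a log-like file, and a copy with every 10th chunk
    replaced by random bytes (a stand-in for ciphertext, 10% of the file)."""
    rng = random.Random(0)
    line = b"2023-02-01 12:00:00 INFO service heartbeat ok\n"
    plain = (line * (100 * CHUNK // len(line) + 1))[:100 * CHUNK]
    partial = bytearray(plain)
    for i in range(0, 100, 10):
        partial[i * CHUNK:(i + 1) * CHUNK] = bytes(
            rng.getrandbits(8) for _ in range(CHUNK))
    return plain, bytes(partial)

if __name__ == "__main__":
    plain, partial = make_samples()
    for name, blob in (("plain", plain), ("partial", partial)):
        print(name, round(shannon_entropy(blob), 2), verdict(blob))
```

High-entropy chunks also occur in legitimately compressed or embedded content, so a per-chunk signal is best correlated with other evidence such as mass file modification.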
The cybersecurity agency said that multiple command-and-control (C2) servers associated with Qakbot have been used in Royal ransomware intrusions, although it has not yet been determined whether the malware relies exclusively on Qakbot's infrastructure.
The intrusions are also characterized by the use of Cobalt Strike and PsExec for lateral movement, and by the use of the Windows Volume Shadow Copy Service to delete shadow copies and so prevent system recovery. Cobalt Strike is further reused for data aggregation and exfiltration.
As of February 2023, Royal ransomware is capable of attacking Windows and Linux environments. It has been linked to 19 attacks in the month of January 2023 alone, placing it behind LockBit, ALPHV, and Vice Society.