Royal Ransomware: Threat Analysis

A joint advisory by CISA and the FBI, released on March 23rd, 2023, signified the severe threat posed by Royal ransomware. When US federal agencies spread awareness about a ransomware group in this way, it’s because of consistently observed and often destructive attacks on target organisations. This article distils the essence of that U.S. advisory into an actionable threat analysis that may prove valuable for your business. We’ll cover where the Royal ransomware group emerged from, the key tactics observed in their ransomware attacks, and the main victims and targets of those attacks. The post concludes with some mitigation tips to help reduce the chances of your organisation becoming the next Royal ransomware victim.

Royal Ransomware Group: Origin and Overview

Royal is a new ransomware operation that emerged in early 2022. Early attack campaigns saw Royal threat actors deploying a ransomware variant created by the BlackCat group. However, Royal quickly switched to a custom ransomware strain named Zeon. The similarity to ransom notes used by the now disbanded Conti gang and the technical prowess of Royal attacks led security researchers to believe that Royal is an offshoot of Conti.

The group’s members significantly stepped up their malicious activities in September 2022, with a rebrand from Zeon to Royal. In the fourth quarter of 2022, Royal was one of the three most active ransomware gangs. Having previously only targeted Windows systems, there are now Linux variants of Royal ransomware.

Unlike several of the largest ransomware operations in recent years, Royal is not involved in ransomware-as-a-service (this is where groups create their own ransomware and lease it out to other affiliates to use in return for a commission or fee). The group is a strictly private operation, which probably points to expert hackers who know what they’re doing at all phases of ransomware attacks.

Royal Ransomware Attack Tactics

What’s vital to keep in mind about ransomware is that its eventual installation on your network typically involves a complex, multi-phase cyber-attack. These phases include getting initial access, establishing remote command and control of systems, figuring out how to move laterally, establishing persistent access, and concluding with an eventual installation of ransomware across multiple systems and files.

Royal Ransomware is no different in this regard, and the gang uses its own combination of preferred tactics across various attacks. Understanding these tactics serves as the foundation for selecting the best mitigation methods to keep Royal ransomware threat actors out and to hunt down indicators of compromise that can help contain the threat.

Initial Access Methods 

  • Callback phishing—this is a hybrid type of phishing that combines emails and phone calls. The initial email baits the victim into calling a specific phone number using a pretext related to an outstanding invoice, a subscription charge, or a fictitious security issue. Having dialled the number, the threat actor then convinces the victim to install a remote trojan or provide their login credentials for an app/service.
  • Remote Desktop Protocol (RDP)—employees working remotely often log in to on-premise systems using the popular Microsoft RDP service. The threat actors behind Royal have commonly hacked into RDP accounts as an initial access method. Obtaining valid credentials can come from phishing, buying stolen passwords on the dark web, or brute force hacking into RDP accounts that use weak passwords.
  • Public-facing applications—with companies today being increasingly app-driven, they have more Internet-exposed apps than ever. Threat actors can easily scan target networks and attempt to compromise vulnerabilities in public-facing apps to gain access. That’s exactly what the FBI observed Royal members doing in several attacks.

Command and Control

Moving beyond initial access, Royal ransomware attacks use several tools and methods for command and control (C2). Tools like Nsudo and Process Hacker have been used to uninstall or disable antivirus solutions. A tunnelling tool facilitates communication with remote command and control servers; Royal threat actors seem to favour Qakbot for their command and control infrastructure.

Lateral Movement

Once inside a host machine and able to communicate with their C2 infrastructure, Royal adversaries then run legitimate Windows services, such as PsExec on the compromised host to execute commands on another host (lateral movement). This lateral movement eventually reaches the point of seizing the domain controller account, which allows full control over authentication requests.

Data Exfiltration

Royal ransomware attacks use double extortion, which means they exfiltrate data from a victim’s network before installing a ransomware strain that locks down files and systems. The reasoning here is that victims are more likely to pay a ransom when there is a risk of stolen sensitive data being published on the web. The gang also deleted backup copies of files to prevent victims from simply restoring encrypted files.

Ransomware Installation and Encryption

The attack completes when adversaries install the Royal ransomware strain, which can encrypt files locally or across the network. The encryption technique works on a flexible percentage of a given file rather than fully encrypting the whole file). Partial encryption helps evade detection by anti-ransomware solutions on devices and networks.  A ransom note then directs the victim to a unique Tor URL where they negotiate with Royal threat actors about an appropriate fee.


Who Are Royal Ransomware’s Targets and Victims?

Interestingly, the joint federal U.S. advisory emphasised how Royal ransomware threat actors were targeting organisations in critical infrastructure sectors.
The sectors mentioned by the FBI and CISA include manufacturing, communications, and healthcare. This seems to point to large enterprises potentially being at the most risk, however, the statistics show that small and medium-sized businesses represented 85 per cent of victims in Royal ransomware attacks.

Some notable victims of previous Royal ransomware attacks include:

  • Silverstone Racetrack
  • Travis Central Appraisal District
  • Queensland University of Technology


Royal Ransomware Mitigation Tips

Secure Logins with Multi-factor Authentication

With initial access in these attacks commonly coming from phishing for credentials or through hacking remote desktop services, making multi-factor authentication mandatory (MFA) is an effective mitigation measure. While MFA is not fool proof, requiring an additional piece of evidence at login that proves a user’s identity beyond a username-password pair is far more secure.

Improve User Training and Awareness Around Social Engineering Techniques

One marker of successful cyber training and awareness programs is their adaptability. Cyber threats evolve all the time, and so do the social engineering techniques that threat actors deploy. It’s important to improve user training and awareness by incorporating material about callback phishing and other emerging patterns of activity (such as deep fake phishing). Empowering employees with this knowledge reduces their susceptibility to being duped by the latest social engineering techniques.

 Have Immutable Backups

Immutable backups can’t be changed in any way. Royal actors have been observed deleting so-called shadow volume copies of data to prevent companies from restoring this info from backups. By opting for a more comprehensive backup strategy, you can restore encrypted files and data easily to their original state.

Stress Test Your Defences

Lastly, it’s imperative to stress test your defences using an outside-in perspective. Ransomware gangs like Royal have skilled cyber hackers at their disposal who can find any weakness in your apps, infrastructure, or users. These hackers use intuition and experience to ruthlessly exploit even the smallest vulnerabilities.

DIESEC’s penetration testing service gives you that outside-in perspective with specialists who use real-life scenarios to test your cyber defences and uncover vulnerabilities. You can even go one step further with our red team exercises, which facilitate more spontaneity and creativity in testing scenarios.

Contact us here to find out more.