After emerging in January 2022, Royal ransomware is a ransomware strain that is being distributed by ransomware threat actors from previous operations. Initially, Microsoft attributed the distribution of Royal ransomware to DEV-0569 – a temporary name given by the tech company. Now, researchers are stating that the threat actors behind Royal ransomware have officially branded themselves with the name Royal (the name left behind in recent ransomware notes) and they are primarily focused on targeting entities within the U.S
The ransomware operation uses unusual techniques to breach networks before encrypting them with malware and demanding ransom payments. Some Royal ransomware campaigns distribute the malware via malicious attachments, and some distribute the malware via malicious advertisements.
Although Royal is a newer ransomware operation, researchers believe the threat actors behind it are very experienced due to evidence of previously seen tactics and techniques. Let’s take a look at Royal, their tactics and techniques, and what organizations can do to protect themselves and keep their cyber environments safe.
In September 2022, the operators behind Royal ransomware began ramping up their malicious activities. They were observed by our technology partner, AdvIntel, utilizing other ransomware operation’s encryptors, such as BlackCat.
By November 2022, Royal took responsibility for a ransomware attack on one of the United Kingdom’s most popular racing circuits – Silverstone Circuit. The attack held up dozens of Formula One races and motorcycle events. Details regarding the attack were not disclosed, but Emsisoft threat analyst Brett Callow stated that because Royal’s ransomware is secure, its encryption cannot be broken. Callow also stated that unlike current ransomware groups, Royal uses multiple ransomware types and uses the .Royal extension for encrypted files rather than using randomly generated extensions.
The threat actors followed up this attack with an attack on the Travis Central Appraisal District in December 2022. The agency provides appraisal values for properties. As a result of the attack, the agency’s servers, website, and email were shut down for more than two weeks. However, because the agency diversified where its information was stored, it was able to continue operations.
Also in December 2022, the Department of Health and Human Services Cybersecurity Coordination Center (HC3) warned that Royal based ransomware attacks were steadily increasing. Ransom demands from the threat actor ranged from $250,000 to more than $2 million. HC3 also stated that Royal should be considered a threat to the health and public health sectors due to the ransomware group victimizing the healthcare community.
Initially Royal was using BlackCat’s encryptor but they transitioned to using their own Zeon encryptor, leaving behind a ransomware note that looked very similar to Conti’s ransomware notes. If you recall, Conti was notorious for targeting the healthcare sector as well. The threat actors behind the Zeon encryptor were seen impersonating healthcare patient data software back in October 2022.
Avertium’s technology partner, AdvIntel confirmed that the attackers contacted healthcare employees of targeted organizations and gained access via the Zoho remote access tool. Since the middle of September 2022, Royal has been using their branded name in their ransom notes generated by a new encryptor.
Image 1: A Zeon Ransomware Note
Source: Bleeping Computer
Currently, Royal is relying on malicious ads (malvertising), phishing links that point to a malware downloader masquerading as software installers, updates embedded in spam emails, fake forum pages, and blog comments to spread their ransomware. The group’s phishing attacks include callback phishing where they impersonate food delivery and software providers in emails that look like subscription renewals. The phishing emails contain phone numbers that the victim must contact to cancel the “subscription”. Once the victim calls the number, they speak to threat actors who use social engineering to convince the victim to install remote access software. This remote access software is used to gain initial access to corporate networks.
Royal are not a ransomware-as-a-service (RaaS) operation with affiliates, rather they work with vetted team members. The group is relatively low key and do not promote their attacks they way some other groups do. Their ransom note is named README.TXT and contains a link to a private Tor negotiation page unique to each victim. The negotiation page consists of a chat screen for communication with Royal ransomware operators. During negotiation, the group will decrypt a few files to prove that their decryptor works. They will also share file lists of stolen data at times. Their victim site is hosted on the Tor network and includes the victim name, a link to their website and a company profile. The will also post samples of exfiltrated files at the start of negotiations with links to the entire data set in the event that negotiations fail.
The following screenshot shows the Royal leak site with a victim that has had all data released and another that is still in negotiations:
Image 2: Royal's Newly Branded Ransomware Note
Source: Bleeping Computer
As previously stated, Royal ransomware emerged in January 2022, but their attacks were not noticed by security researchers until September 2022. Initially attributed to DEV-0569, Royal ransomware is distributed by vetted threat actors and the attacks using the ransomware show a pattern of continuous innovation. Royal has displayed a consistent incorporation of new defense evasion, techniques, and various post-compromise payloads.
Since Royal emerged, the ransomware operators have evolved their delivery methods to include:
The above methods have allowed the ransomware operators to reach a greater number of targets and achieve their goal of deploying various post-compromise payloads. Microsoft stated that Royal uses signed binaries and delivers encrypted malware payloads – relying heavily on defense evasion techniques.
The group has also continued to use Nsudo, an open-source tool, to try and disable antivirus solutions. As previously stated, Royal has a few ways of gaining initial access and one of those ways is via malicious links delivered to their targets. The links are embedded in advertisements, fake forum pages, phishing emails, and blog comments. After the victim clicks, the links lead them to malicious files signed by Royal using a legitimate certificate.
The malicious files masquerade as installers or updates for applications such as Zoom or Microsoft teams. The victim does not know that the files are malware downloaders known as BATLOADER. When the legitimate applications are launched, BATLOADER uses MSI Custom Actions to launch malicious PowerShell activity. BATLOADER also uses the MSI Custom Actions to run batch scripts that attempt to disable security solutions, leading to the delivery of various encrypted malware payloads.
Between August and October 2022, Royal’s observed activity included BATLOADER being hosted on attacker-created domains masquerading as software download sites such as anydeskos[.]com, and on legitimate repositories such as OneDrive and GitHub.
Image 3: BATLOADER Masquerading as a TeamViewer Installer
In addition to using installer files, Royal uses file formats such as Virtual Hard Disk (VHD) to impersonate legitimate software for first-stage payloads. Royal also uses various infection chains that use PowerShell and batch scripts, ultimately leading to the download of malware payloads such as a legitimate remote management tool used for persistence on the network. The management tool also acts as an access point for the staging and spreading of ransomware.
By late October 2022, Royal was using malicious Google Ads to deliver BATLOADER in what researchers are calling a malvertising campaign. The Google Ads pointed to the legitimate traffic distribution system (TDS) Keitaro. According to Microsoft, Keitaro provides capabilities to customize advertising campaigns via tracking and ad traffic and user or device-based filtering. The TDS redirects the victim to a legitimate download site or to a malicious BATLOADER download site. By using Keitaro, Royal can filter traffic and avoid IP ranges of known security sandboxing solutions.
Although there are no confirmed reports of successful ransomware payments between Royal and their victims, evolving ransomware groups like Royal don’t give up easily. They will keep evolving their tactics and techniques, targeting enterprises and organizations until they achieve their ultimate goal – financial gain. Fortunately, there are ways organizations can stay safe and protect themselves from Royal:
Making sure that your organization takes proactive measures by keeping track of Indicators of Compromise (IoCs) and by keeping track of Royal’s attack methods will ensure good defense against Royal ransomware.
It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium offers the following services to keep your organization safe:
The FBI, CISA, and HHS urge all organizations to apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents:
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.