Royal (cyber gang)

Royal
Formation: 2022
Type: Hacking
Purpose: Money

Royal is a cybercriminal ransomware organization known for its aggressive targeting, its high ransom demands, and its use of double extortion (where compromised data is not only encrypted, but also exfiltrated). Royal does not use affiliates.


Royal has targeted a wide range of industries, including healthcare, finance, and critical infrastructure. Ransom demands by the group range from $250,000 to over $2 million.

Description

The group behind Royal ransomware is an experienced and skilled group that employs a combination of old and new techniques. They use callback phishing to trick victims into downloading remote desktop malware, which enables the threat actors to easily infiltrate the victim's machine. Royal is reportedly a private group without any affiliates. [1]

Royal ransomware employs a unique approach to encryption that allows the threat actor to selectively encrypt only a specific percentage of the data within a file. By lowering the encryption percentage for larger files, the actor makes the malicious activity harder to detect. In addition to encrypting files, Royal actors also employ a double extortion tactic: they threaten to publicly release the encrypted data unless the victim pays the demanded ransom. [2] Additionally, they employ intermittent encryption to speed up the encryption of victims' files while avoiding detection by systems that monitor heavy file I/O operations. [1]
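The detection effect of that selective coverage, shown with an added illustration that is not from the article or its sources: the script below simulates partial encryption by overwriting a percentage of a constructed text buffer with pseudo-random bytes (no real cipher is involved) and compares a naive whole-file entropy check against a chunked one. The chunk size, the 7.0 bits/byte threshold and the 5% chunk fraction are assumed values.

```python
import math
import random
from collections import Counter

# Constructed stand-in for a victim document: repetitive English text, ~90 KB.
SAMPLE_PLAINTEXT = ("The quick brown fox jumps over the lazy dog. " * 2000).encode()
CHUNK = 4096  # size of the windows the chunked heuristic scores (assumed value)

def entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def simulate_partial_encryption(plain, percent, seed=1):
    """Overwrite only the first `percent` of the buffer with pseudo-random bytes.
    Random bytes stand in for ciphertext (same entropy profile); this mimics the
    coverage pattern described in the article and performs no real encryption."""
    cut = len(plain) * percent // 100
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(cut)) + plain[cut:]

def chunk_entropies(data, chunk=CHUNK):
    return [entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def whole_file_flag(data, threshold=7.0):
    """Naive heuristic: a single entropy value for the entire file."""
    return entropy(data) >= threshold

def chunk_flag(data, threshold=7.0, min_fraction=0.05):
    """Chunked heuristic: flag when enough fixed-size windows look random."""
    ents = chunk_entropies(data)
    if not ents:
        return False
    high = sum(1 for e in ents if e >= threshold)
    return high / len(ents) >= min_fraction

if __name__ == "__main__":
    for pct in (0, 10, 50, 100):
        sample = simulate_partial_encryption(SAMPLE_PLAINTEXT, pct)
        print(f"{pct:3d}% encrypted: whole-file entropy {entropy(sample):.2f}, "
              f"whole-file flag {whole_file_flag(sample)}, chunk flag {chunk_flag(sample)}")
```

At 10% coverage the whole-file check stays silent because the untouched text dominates the byte histogram, while the chunked check fires on the fully overwritten windows.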

In addition to making headlines, the Royal ransomware group has demonstrated an ability to adapt quickly to new tactics. They have developed Linux-based variants and expanded their targets to include ESXi servers, which can have a significant impact on victimized enterprise data centers and virtualized storage. [1]

Targets

According to Trend Micro's data, the United States has been the primary target of Royal ransomware, followed by Brazil. Most of the victim organizations were small to medium-sized businesses, with only a small portion being large enterprises. [1]

According to CISA, Royal ransomware attacks have targeted various critical infrastructure sectors, including the chemical, communications, critical manufacturing, dams, defense industrial base, financial services, emergency services, healthcare, nuclear reactor, waste, and materials sectors. [2] [1]

ATT&CK TTPs

In 2023, the United States Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly issued an advisory providing information on Royal ransomware's tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations defend against such attacks. [2] [1]

To gain initial access to victim networks, Royal actors use various methods. One common method is through phishing emails, which account for about 66.7% of incidents. Victims unknowingly install malware that delivers Royal ransomware after clicking on links or opening malicious PDF documents in these phishing emails. Another method is compromising Remote Desktop Protocol (RDP), which accounts for 13.3% of incidents. Royal actors also exploit vulnerabilities in public-facing applications to gain initial access. There are reports suggesting that Royal actors may also leverage brokers to obtain access by harvesting VPN credentials from stolen logs. [2]

Once inside the network, Royal actors communicate with a command and control (C2) infrastructure and download multiple tools to strengthen their presence. They often repurpose legitimate Windows software to further secure their position within the victim's network. Royal actors have been observed using Chisel, a tunneling tool transported over HTTP and secured via SSH, to communicate with their C2 infrastructure. While multiple Qakbot C2s have been detected in Royal ransomware attacks, it is yet to be determined if Royal ransomware exclusively employs them. [2]

To move laterally across the network, Royal actors frequently use RDP. They have also been known to use the Microsoft Sysinternals tool PsExec for this purpose. In some instances, they use remote monitoring and management (RMM) software such as AnyDesk, LogMeIn, and Atera for persistence within the victim's network. These actors have also escalated their access to the domain controller, where they deactivate antivirus protection by modifying Group Policy Objects. [2]

During exfiltration, Royal actors repurpose legitimate penetration testing tools such as Cobalt Strike, as well as malware tools like Ursnif/Gozi, to aggregate and exfiltrate data from victim networks. It has been noted that their initial hop in exfiltration and other operations often involves a U.S. IP address. Notably, a tool repository used by Royal was identified at IP: 94.232.41[.]105 in December 2022, which included Cobalt Strike. [2]

Before initiating the encryption process, Royal actors employ certain techniques. They use the Windows Restart Manager to check if targeted files are in use or blocked by other applications. Additionally, they use the Windows Volume Shadow Copy service (vssadmin.exe) to delete shadow copies, preventing system recovery. The FBI has discovered numerous batch (.bat) files on impacted systems, typically transferred as an encrypted 7zip file. These batch files create a new admin user, force a group policy update, set relevant registry keys to auto-extract, execute the ransomware, monitor the encryption process, and ultimately delete files upon completion, including Application, System, and Security event logs. [2]
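A defender-side correlation of the pre-encryption steps just listed, added here as an example and not taken from the FBI/CISA advisory: it scans constructed process-creation records for those steps and flags a host only when several distinct steps occur within a short window, which separates a single routine admin action from the batch-file sequence. The log layout, the regexes, the 30-minute window and the choice of wevtutil as the log-clearing tool are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed command-line patterns for the pre-encryption steps the advisory
# describes. Using wevtutil for log clearing is an assumption; the page names no tool.
RULES = [
    ("new_admin_user", re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("forced_gp_update", re.compile(r"\bgpupdate(?:\.exe)?\s+/force\b", re.I)),
    ("shadow_copy_delete", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("event_log_clear", re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+(?:application|system|security)\b", re.I)),
]

LINE_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) host=(?P<host>\S+) '
                     r'user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')

# Constructed process-creation records: one victim server and two ordinary admin hosts.
SAMPLE_LOG = """\
2022-12-05T02:10:33Z host=SRV-FILE01 user=CORP\\adm_tmp cmd="gpupdate.exe /force"
2022-12-05T02:14:07Z host=SRV-FILE01 user=CORP\\adm_tmp cmd="vssadmin.exe delete shadows /all /quiet"
2022-12-05T02:40:33Z host=SRV-FILE01 user=CORP\\adm_tmp cmd="wevtutil.exe cl Security"
2022-12-05T09:02:11Z host=WS-ADMIN07 user=CORP\\jsmith cmd="vssadmin.exe list shadows"
2022-12-05T09:05:48Z host=WS-ADMIN07 user=CORP\\jsmith cmd="net user helpdesk Welcome1 /add"
2022-12-05T12:00:00Z host=WS-HR12 user=CORP\\mlee cmd="gpupdate /force"
not a process-creation record"""

def parse_line(line):
    """Return {'ts', 'host', 'user', 'cmd'} for a well-formed record, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "user": m["user"], "cmd": m["cmd"]}

def detect(lines, window_minutes=30, min_stages=2):
    """Map host -> sorted stage names for hosts on which at least `min_stages`
    distinct stages fire within `window_minutes` of each other."""
    window = timedelta(minutes=window_minutes)
    hits = {}  # host -> [(timestamp, stage), ...]
    for ev in filter(None, map(parse_line, lines)):
        for stage, pattern in RULES:
            if pattern.search(ev["cmd"]):
                hits.setdefault(ev["host"], []).append((ev["ts"], stage))
    flagged = {}
    for host, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide a window from each hit
            stages = {s for t, s in events[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                flagged[host] = sorted(stages)
                break
    return flagged
```

On the sample data only SRV-FILE01 is flagged; the lone `net user` on WS-ADMIN07 and the lone `gpupdate /force` on WS-HR12 are single stages and stay below the threshold.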

History

The gang has been active since January 2022 and was initially known as "Zeon" before rebranding as "Royal". [1]

In September 2022, it gained attention among cybersecurity researchers after a news site published an article about the group's targeted attack campaigns using callback phishing techniques. [1]

In its early campaigns, Royal ransomware used the encryptor tool called "BlackCat", but later developed its own encryptor that generated ransom notes similar to those of the Conti ransomware group. After the rebranding, they exclusively used the term "Royal" in their ransom notes. [1]

Royal ransomware quickly gained recognition as one of the most prolific ransomware groups in the fourth quarter of 2022, ranking only behind LockBit and BlackCat. According to data from the leak sites of these ransomware groups, Royal accounted for 10.7% of the successful attacks during that three-month period. Its association with the Conti ransomware group may have contributed to its rapid rise in the ransomware landscape. [1]

On December 7, 2022, the United States Department of Health and Human Services (HHS) issued a warning to healthcare organizations about the threats posed by the Royal ransomware. Reports indicate that ransom demands by the group range from $250,000 to over $2 million. [1]

In November 2023, the FBI and CISA warned that the Royal ransomware gang may rebrand as "BlackSuit" [3] after the gang was observed testing an encryptor called BlackSuit. [4]


References

  1. "Ransomware Spotlight: Royal – Security News". www.trendmicro.com. Retrieved 2023-07-11.
  2. "#StopRansomware: Royal Ransomware | CISA". www.cisa.gov. 2023-03-02. Retrieved 2023-07-11.
  3. "CISA, FBI warn that Royal ransomware gang may rebrand as 'BlackSuit'". therecord.media. Retrieved 2024-02-06.
  4. "Royal ransomware gang adds BlackSuit encryptor to their arsenal". BleepingComputer. Retrieved 2024-02-06.
