The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Feds Share Technical Details of Royal Ransomware

A joint cybersecurity advisory has been published by CISA and the FBI, sharing details of the tactics, techniques, and procedures (TTPs) used by the Royal ransomware gang and Indicators of Compromise (IoCs) to help network defenders better protect against attacks.

Royal Ransomware is a relatively new threat actor that was first observed conducting attacks in 2022. The group is believed to consist of highly experienced cybercriminals who are well-versed in conducting ransomware attacks, including operators that were once part of Conti Team One. Conti was one of the most prolific ransomware groups over the past 3 years and was formed by the group behind Ryuk ransomware. Royal has previously used the encryptors of other ransomware operations, then switched to using its own – Royal – in September 2022, and has now overtaken Lockbit to become the main player in the ransomware market.

Like Conti and Ryuk before it, the Royal ransomware group is focused on attacks in the United States, especially critical infrastructure entities, including those operating in the healthcare and public health sector. The group uses a variety of methods to gain initial access to victims’ networks, with phishing the most common initial access vector. Phishing has been used in 67% of known attacks, where employees at victim organizations are tricked into installing a malware loader via emails with PDF attachments, which deliver the Royal ransomware payload. The group is also known to use malicious adverts – malvertising – to direct traffic to websites where malware is downloaded.

Remote Desktop Protocol (RDP) compromise has been used in around 13% of attacks and, to a lesser extent, the group also gains access to networks through public-facing applications and buys access through initial access brokers who harvest virtual private network credentials from stealer logs. Once access is gained, the group downloads a range of tools to strengthen its foothold in victims’ networks, then escalates privileges and moves laterally, including leveraging PsExec for lateral movement. The group is known to maintain persistence using various remote monitoring and management tools, including AnyDesk, LogMeIn, and Atera, and has been observed using the penetration testing tool Cobalt Strike, and Ursnif/Gozi for data exfiltration. The group uses Windows Restart Manager to identify whether targeted files are in use or are blocked by other applications, uses the Windows Volume Shadow Copy service to delete shadow copies to hamper attempts to recover files without paying the ransom, and exfiltrates data to a U.S. IP address before triggering the encryption routine.
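Several of the post-access behaviors described above (PsExec execution, RMM tool installs, shadow copy deletion) are visible in process-creation telemetry. The following is an added example, not code from the advisory or from HIPAA Journal, that scans constructed log lines in an assumed `<timestamp> host=... user=... cmd=...` format for those stages and flags hosts where more than one stage coincides; the patterns and sample lines are constructed for illustration, not the advisory's IoCs.

```python
import re
from dataclasses import dataclass

# Detection rules keyed to the TTPs summarized in the advisory.
# Patterns are constructed for this example, not taken from the advisory.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "psexec_lateral_movement": re.compile(r"psexesvc|psexec(\.exe)?\s+\\\\", re.I),
    "rmm_tool_persistence": re.compile(r"anydesk|logmein|atera", re.I),
}

@dataclass
class Alert:
    rule: str
    host: str
    cmd: str

def parse_line(line):
    """Parse one constructed log line; returns None for lines that don't fit."""
    m = re.match(r"(\S+)\s+host=(\S+)\s+user=(\S+)\s+cmd=(.*)$", line)
    if not m:
        return None
    return {"ts": m.group(1), "host": m.group(2), "user": m.group(3), "cmd": m.group(4)}

def scan(lines):
    """Return one Alert per (line, rule) match, in log order."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for name, pattern in RULES.items():
            if pattern.search(ev["cmd"]):
                alerts.append(Alert(name, ev["host"], ev["cmd"]))
    return alerts

def high_risk_hosts(alerts, threshold=2):
    """Hosts where at least `threshold` distinct stages were observed."""
    stages = {}
    for a in alerts:
        stages.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, s in stages.items() if len(s) >= threshold)

# Constructed sample telemetry (not real data).
SAMPLE_LOG = [
    r"2023-03-02T10:01:00Z host=WS-17 user=jdoe cmd=C:\Windows\System32\notepad.exe",
    r'2023-03-02T10:05:12Z host=WS-17 user=jdoe cmd="C:\Users\jdoe\Downloads\AnyDesk.exe" --install',
    r"2023-03-02T11:20:33Z host=SRV-FS01 user=admin cmd=PSEXESVC.exe",
    r"2023-03-02T11:25:02Z host=SRV-FS01 user=admin cmd=vssadmin.exe delete shadows /all /quiet",
    r"2023-03-02T11:26:40Z host=SRV-FS01 user=admin cmd=wmic shadowcopy delete",
]
```

Running `high_risk_hosts(scan(SAMPLE_LOG))` singles out the host where PsExec execution and shadow copy deletion occur together, which is the stage the advisory describes as immediately preceding encryption.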


CISA and the FBI strongly recommend taking immediate action to improve defenses against attacks, including prioritizing and remediating known exploited vulnerabilities, training the workforce how to identify phishing attempts, and enabling and enforcing multifactor authentication. Full IoCs and TTPs are detailed in the cybersecurity alert. An Analyst Note on Royal Ransomware has also been published by the Health Sector Cybersecurity Coordination Sector.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
