What Is Royal Ransomware?

Analysts believe that Royal ransomware first emerged in January 2022, and it was quite active in the last part of that year. In late 2022, Royal was among the most prolific ransomware groups, along with LockBit and BlackCat. The Royal ransomware gang is thought to be a Russian-speaking group that uses advanced techniques for infiltration and exfiltration. Analysts at Trend Micro and other security firms believe that Royal is a rebranding of Zeon ransomware. Royal also shares many similarities with other forms of ransomware. For example, Royal initially used the encryptor from BlackCat ransomware and later dropped ransom notes that were similar to Conti ransomware. Researchers thus suspect the group is made up primarily of former members of the Conti ransomware group, which previously had connections to Ryuk ransomware. This suggests the operators have many years of experience in carrying out sophisticated cyberattacks. As of late 2023, authorities suspect the Royal gang may be rebranding itself as BlackSuit ransomware, since both groups use similar code and methodologies. The Royal ransomware group has targeted many critical infrastructure sectors, including chemical, communications, manufacturing, dams, defense industry, financial services, healthcare, waste, nuclear energy, and emergency services. As of November 2023, Royal had targeted more than 350 known victims worldwide, collecting ransom payments that totaled more than $275 million.

The threat actors behind Royal cyberattacks often use phishing and spear-phishing emails as well as callback phishing scams to disseminate the ransomware. A callback phishing scam dupes users into installing remote access malware that allows the ransomware gang to easily infiltrate the user’s machine. Additional attack vectors and initial access tactics include:

• Embedding Royal code in malware threats like Batloader and IcedID

• Using Trojans — legitimate software that has been weaponized with malware and that’s made available for download on authentic-looking sites

• Abusing Remote Desktop Protocol (RDP) applications

• Exploiting vulnerabilities in web-facing assets

• Abusing business website contact forms to spread malicious links

• Malvertising through Google ads

Once Royal ransomware has infected a victim’s IT environment, the ransomware operators use various tactics, techniques, and procedures (TTPs) to maximize the impact of the attack.

• Evade defenses. To evade defenses, Royal uses tools like PCHunter and Process Hacker to manually uninstall antivirus products on the victim’s machines.

• Perform reconnaissance. Using tools like NetScan, PsExec, and AdFind, Royal ransomware collects data about the victim’s Active Directory and connected systems. The Royal operators may also download additional second-stage payloads.

• Escalate privileges. Attackers use lateral movement to harvest credentials from infected hosts and to compromise cloud service accounts.

• Exfiltrate data. After identifying high-value targets during reconnaissance, Royal exfiltrates sensitive data using legitimate pen testing tools like Cobalt Strike.

• Prevent recovery. Royal deletes volume shadow copies before encrypting files, preventing victims from using Windows System Restore to recover data.

• Encrypts files. Royal encrypts files using a 64-bit executable written in C++ for encrypting files on Microsoft Windows systems. To evade anti-ransomware defenses, Royal uses partial encryption to encrypt a predetermined portion of file content. Royal also uses multiple threads to accelerate the encryption process. Encrypted files are marked with the file extension “.royal”.

• Demand a ransom. Royal threat actors typically do not include ransom amounts in the initial ransom note. Instead, a README.txt file in each affected directory directs victims to a Tor-based portal for communication with the ransomware group.

To prevent and detect Royal ransomware attacks, IT and security teams must adopt multiple layers of mitigations and defenses.

• Microsegmentation: Narrowly segmenting networks and individual assets prevents attackers from moving laterally through the network, limiting the potential damage of a Royal ransomware attack.

• Continuous monitoring: IT teams should monitor for the latest indicators of compromise and configure alerts for activation of Cobalt Strike and similar tools, and for disablement of any antivirus software.

• Zero Trust architecture: Adopting a Zero Trust approach to security mitigates ransomware by requiring all users and devices to authenticate on every request and by strictly limiting access privileges.

• Cybersecurity defenses: To achieve a strong cybersecurity posture, IT teams may deploy firewalls, antivirus software, anti-malware technology, email filtering, application allowlisting, and other defenses that are informed by up-to-the-minute threat intelligence.

• Security audits: Regularly auditing and assessing security controls helps to identify and remediate vulnerabilities in the network.

• Security training: Educating employees on best practices for cybersecurity hygiene can help them to spot and avoid phishing emails and other threats.

• Backups: Regularly backing up data and keeping a copy in offline storage enables IT teams to quickly restore data in the event of an attack.

• Identity and access management (IAM): Multi-factor authentication and the use of strong passwords prevents unauthorized access by ransomware operators.

• Endpoint security: Endpoint detection and response (EDR) solutions monitor and restrict executable paths to minimize the risk of ransomware on individual devices like mobile phones, laptops, and PCs.

• Updates and patches: To remediate vulnerabilities in software and operating systems that attackers may exploit, IT teams must adopt an optimal cadence for installing updates and applying patches.

As with many other forms of ransomware, eradication requires IT teams to perform several key steps as part of a well-crafted incident response plan.

• Isolate infected systems: Any infected machines or drives should immediately be disconnected from the internet, the network, and any other systems to prevent additional infection.

• Contact professionals: Security firms that specialize in ransomware removal can offer expert support in the aftermath of a ransomware attack.

• Identify the infection: By identifying the strain of ransomware, IT teams can determine the best way to eradicate the code and search for any potential decryption tools.

• Remove the ransomware: Using special tools, IT teams may clean affected drives, remove exploit kits, and remediate any vulnerabilities that attackers may have used to reinstall the ransomware.

• Recover data: IT teams can then restore files from a clean backup copy.

• Contact authorities: The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) urge all victims to report ransomware incidents to local offices whether a ransom was paid or not.