How Royal Ransomware is Spreading its Wings and How to Prevent It
Ransomware attacks have risen sharply in recent years, and Royal Ransomware is one of the most notorious threats. It is a type of malware that encrypts the victim’s files and demands a ransom payment in exchange for the decryption key. The Royal Ransomware has been in circulation since 2016, and it has been spreading its wings ever since. In this article, we will discuss the background of Royal Ransomware, its exploitation Tactics, Techniques, and Procedures (TTPs), and how to prevent Royal Ransomware attacks.
Background of Royal Ransomware:
Royal Ransomware is a type of file-encrypting malware that emerged in 2016. It is a variant of the Cerber Ransomware, which is a family of ransomware that has been active since 2016. Royal Ransomware is known for its high level of sophistication and its ability to evade traditional security measures. The attackers behind the Royal Ransomware use various techniques to infect their victims, such as phishing emails, malvertising, and exploit kits.
According to CISA: “Since approximately September 2022, cyber criminals have compromised U.S. and international organizations with a Royal ransomware variant. FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used “Zeon” as a loader. Royal actors have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin. In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL (reachable through the Tor browser).”

Royal Ransomware Note
Exploitation Tactics, Techniques, and Procedures (TTPs) of Royal Ransomware:
The attackers behind the Royal Ransomware use various tactics, techniques, and procedures to infect their victims and evade detection. Here are some of the TTPs of Royal Ransomware:
- Phishing emails [T1566]: The attackers behind the Royal Ransomware use phishing emails to lure their victims into clicking on a malicious link or downloading a malicious attachment. The emails are usually disguised as legitimate emails from reputable organizations, such as banks, government agencies, or well-known brands.
- Malvertising: Malvertising is a type of online advertising that delivers malware to the victim’s computer when they click on a malicious ad. The attackers behind the Royal Ransomware use malvertising to spread their malware to a large number of victims quickly.
- Exploit kits: Exploit kits are toolkits that attackers use to take advantage of vulnerabilities in the victim’s computer. The attackers behind the Royal Ransomware use exploit kits to infect their victims’ computers with malware.
- Public-facing applications [T1190]: The FBI has also observed Royal actors gaining initial access by exploiting public-facing applications.
- Remote Desktop Protocol (RDP) attacks [T1021.001]: The attackers behind the Royal Ransomware also use RDP attacks to gain access to the victim’s computer. RDP is a protocol that allows users to remotely access a computer over a network connection. The attackers use brute-force attacks to guess the victim’s RDP credentials and gain access to their computer.
MITRE ATT&CK TECHNIQUES
Here are some identified Royal actor ATT&CK techniques for Enterprise (source: CISA):

Initial Access

Technique Title | ID | Use
---|---|---
Exploit Public-Facing Application | T1190 | The actors gain initial access through public-facing applications.
Phishing: Spearphishing Attachment | T1566.001 | The actors gain initial access through malicious PDF attachments sent via email.
Phishing: Spearphishing Link | T1566.002 | The actors gain initial access using malvertising links via emails and public-facing sites.
External Remote Services | T1133 | The actors gain initial access through a variety of RMM software.

Command and Control

Technique Title | ID | Use
---|---|---
Ingress Tool Transfer | T1105 | The actors used C2 infrastructure to download multiple tools.
Protocol Tunneling | T1572 | The actors used an encrypted SSH tunnel to communicate within C2 infrastructure.

Privilege Escalation

Technique Title | ID | Use
---|---|---
Valid Accounts: Domain Accounts | T1078.002 | The actors used encrypted files to create new admin user accounts.

Defense Evasion

Technique Title | ID | Use
---|---|---
Impair Defenses: Disable or Modify Tools | T1562.001 | The actors deactivated antivirus protocols.
Domain Policy Modification: Group Policy Modification | T1484.001 | The actors modified Group Policy Objects to subvert antivirus protocols.
Indicator Removal: Clear Windows Event Logs | T1070.001 | The actors deleted shadow files and system and security logs after exfiltration.
Remote Services: Remote Desktop Protocol | T1021.001 | The actors used valid accounts to move laterally through the domain controller using RDP.
Automated Collection | T1119 | The actors used registry keys to auto-extract and collect files.

Impact

Technique Title | ID | Use
---|---|---
Data Encrypted for Impact | T1486 | The actors encrypted data to determine which files were being used or blocked by other applications.
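As an added example (not the page’s or NetSecurity’s code), the following Python sketch shows how a defender might surface two of the behaviours listed above from Windows Security event data: repeated failed RDP logons from one source, as in the RDP brute-forcing described in the TTP list, followed by a successful RDP logon, and clearing of the Security event log (T1070.001). Event IDs 4625/4624 (failed/successful logon, logon type 10 = RemoteInteractive/RDP) and 1102 (audit log cleared) are real Windows Security event IDs; the hosts, accounts, addresses and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events (hypothetical hosts, accounts, addresses).
# 4625 = failed logon, 4624 = successful logon, logon_type 10 = RemoteInteractive (RDP),
# 1102 = "The audit log was cleared".
EVENTS = [
    {"time": "2023-03-01T02:00:05", "host": "FS01", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"time": "2023-03-01T02:00:10", "host": "FS01", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"time": "2023-03-01T02:00:15", "host": "FS01", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"time": "2023-03-01T02:00:20", "host": "FS01", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"time": "2023-03-01T02:00:25", "host": "FS01", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"time": "2023-03-01T02:00:30", "host": "FS01", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"time": "2023-03-01T02:01:02", "host": "FS01", "id": 4624, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"time": "2023-03-01T08:15:00", "host": "FS01", "id": 4625, "logon_type": 10, "user": "jdoe", "src": "10.0.0.5"},
    {"time": "2023-03-01T02:10:00", "host": "FS01", "id": 1102, "user": "admin"},
]
RDP = 10  # LogonType value for RemoteInteractive (RDP) logons

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per (host, source) with >= threshold failed RDP logons
    inside any `window`; success_after marks a later successful RDP logon from
    the same source, the pattern left by a guessed credential."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e.get("logon_type") != RDP:
            continue  # only RDP logons matter here
        key, t = (e["host"], e["src"]), datetime.fromisoformat(e["time"])
        if e["id"] == 4625:
            failures[key].append(t)
        elif e["id"] == 4624:
            successes[key].append(t)
    alerts = []
    for key, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted failure times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"host": key[0], "src": key[1], "failures": peak,
                           "success_after": any(s > times[0] for s in successes[key])})
    return alerts

def detect_log_clearing(events):
    """Event ID 1102 is rarely legitimate on a server; report every occurrence."""
    return [{"host": e["host"], "user": e.get("user"), "time": e["time"]}
            for e in events if e["id"] == 1102]
```

On the constructed data this yields one brute-force alert for 203.0.113.7 (six failures, followed by a successful RDP logon) and one log-clearing alert for FS01; the single failure from 10.0.0.5 stays below the threshold.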
How To Prevent Royal Ransomware Attacks:
In addition to having regular backups, implementing multifactor authentication, and disabling unused ports, having an advanced threat detection and prevention solution like ThreatResponder is necessary.
NetSecurity’s ThreatResponder is a comprehensive, cloud-native solution that provides organizations with an all-in-one solution for preventing cyber attacks. Some of the key features of ThreatResponder include:
- Endpoint Security: ThreatResponder includes robust endpoint security capabilities that help protect against threats and prevent data loss.
- Threat Hunting: The solution includes a threat hunting capability that enables organizations to proactively search for and identify potential threats.
- Forensic Investigation: ThreatResponder provides a comprehensive forensic investigation capability that helps organizations understand the root cause of a cyber attack and respond accordingly.
- Vulnerability Management: ThreatResponder includes a vulnerability management capability that helps organizations identify and remediate vulnerabilities in their systems.
- Real-Time Access to Endpoints: The solution provides real-time access to endpoints, enabling organizations to quickly and effectively respond to threats and contain them.
- Threat Intelligence: ThreatResponder provides real-time threat intelligence that helps organizations stay ahead of the latest cyber threats.
In addition to these features, ThreatResponder also provides advanced analytics capabilities that help organizations quickly identify and respond to potential threats. The solution is designed to be easy to use, allowing organizations to quickly implement and start using it to prevent cyber attacks.
Want to see ThreatResponder, our cutting-edge Endpoint Detection & Response (EDR), and ThreatResponder FORENSICS, the Swiss Army knife for forensic investigators, in action? Request a free demo of NetSecurity’s ThreatResponder platform.
Disclaimer
The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that NETSECURITY CORPORATION copyrights the contents of this page. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).