U.S. agencies are warning critical infrastructure organizations to be on the lookout for Royal ransomware, a financially motivated threat actor that has been targeted manufacturing, communications, healthcare and education entities since September 2022.
In a joint advisory, the FBI and U.S. Cybersecurity and Infrastructure Security Agency say the Royal ransomware actors have compromised U.S. and international organizations with a Royal ransomware variant that authorities believe uses its own custom-made file encryption program.
After gaining access to victim networks, via phishing, remote desktop protocol, public-facing applications and initial access brokers, Royal actors disable antivirus software and exfiltrate large amounts of data before deploying the ransomware and encrypting systems. However, the most common initial access vector was phishing, which makes up two-thirds of known cases.
Ransom demands have ranged from about $1 million to $11 million in Bitcoin.
In incidents observed by authorities, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note, and instead the note appears after encryption and instructs victims to interact with the threat actor via a .onion URL through the Tor browser.
The Royal ransomware actors use command and control (C2) infrastructure once they gain initial access to download tools, and they use legitimate Windows software to maintain persistence.
“Royal operators have recently been observed using Chisel, a tunneling tool transported over HTTP and secured via SSH to communicate with their C2 infrastructure,” agencies say. “FBI has observed multiple Qakbot C2s used in Royal ransomware attacks, but has not yet determined if Royal ransomware exclusively uses Qakbot C2s.”
To move laterally across the network, actors use RDP and Microsoft Sysinternals tool PsExec. In addition, actors have been observed using remote monitoring and management (RMM) software, such as AnyDesk, LogMeIn, and Atera, for persistence in the victim’s network.
In sone instances, threat actors moved laterally to the domain controller, including using a legitimate admin account to remotely log onto the domain controller. Once there, they can deactivate antivirus controls via Group Policy Objects.
Like other cybercriminals, Royal actors use legitimate cyber penetration testing tools such as Cobalt Strike, and malware tools and derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration. Royal actors’ first hop in exfiltration and other operations is usually a U.S. IP address, agencies say.
Before starting the encryption process, Royal ransomware actors use Windows Restart manager to determine whether targeted files are currently in use or blocked, and Windows Volume Shadow Copy service to delete shadow copies to prevent system recovery, the advisory says.
Authorities have found numerous batch (.bat) files on impacted systems which are typically transferred as an encrypted 7zip file. Batch files create a new admin user, force a group policy update, set pertinent registry keys to auto-extract and execute the ransomware, monitor the encryption process, and delete files upon completion—including Application, System, and Security event logs, according to the advisory.
Read the advisory for indicators of compromise, and recommended mitigations.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!