
The US Cybersecurity and Infrastructure Security Agency (CISA) has released a new advisory regarding Royal ransomware, which emerged in the threat landscape last year.
“After gaining access to the victim’s network, Royal attackers disable antivirus software and exfiltrate large amounts of data before finally deploying ransomware to encrypt the system,” CISA said.
The custom ransomware program, which has been targeting US and international organizations since September 2022, is believed to have evolved from an earlier iteration called Zeon.
Additionally, it is said to be operated by experienced attackers who were part of Conti Team One, as revealed by cybersecurity firm Trend Micro in December 2022.
The group employs callback phishing as a means of delivering ransomware to victims, a technique widely used by criminal groups that split from Conti Enterprises after its shutdown last year.
Other modes of initial access include Remote Desktop Protocol (RDP), using published applications, and via an Initial Access Broker (IAB).
Ransom demands by Royal range from $1 million to $11 million, with attacks targeting a variety of critical sectors including telecommunications, education, healthcare, and manufacturing.
“Royal ransomware uses a unique partial encryption approach that allows attackers to choose a specific percentage of data within a file to be encrypted,” said CISA. “This approach allows attackers to reduce the encryption rate of large files, which helps evade detection.”
Cybersecurity agencies say multiple command-and-control (C2) servers associated with Qakbot are being used to deliver Royal ransomware, but it is currently unclear whether the malware relies solely on Qakbot infrastructure.
Intrusions use Cobalt Strike and PsExec for lateral movement and delete shadow copies to prevent system recovery. Cobalt Strike has also been repurposed for data aggregation and exfiltration.
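As an added illustration of how a defender might detect the behaviour described above (example code written for this page, not tooling from CISA, Trend Micro or any vendor), the following Python rule set runs over constructed process-creation log lines, flags shadow-copy deletion via vssadmin/wmic and the PsExec service binary, and prioritises hosts where recovery inhibition and lateral-movement tooling appear together. The pipe-delimited log format, host names and event lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events in a hypothetical
# "timestamp | host | parent process | command line" format (not real telemetry).
# Two lines are benign; four reflect the tradecraft described in the advisory.
SAMPLE_EVENTS = [
    "2023-03-02T10:01:05Z | WS-01 | explorer.exe | C:\\Windows\\System32\\notepad.exe C:\\notes.txt",
    "2023-03-02T10:02:17Z | WS-01 | cmd.exe | vssadmin.exe delete shadows /all /quiet",
    "2023-03-02T10:02:19Z | WS-01 | cmd.exe | wmic shadowcopy delete",
    "2023-03-02T10:03:40Z | SRV-02 | services.exe | C:\\Windows\\PSEXESVC.exe",
    "2023-03-02T10:03:55Z | SRV-02 | cmd.exe | vssadmin delete shadows /all /quiet",
    "2023-03-02T10:04:01Z | WS-03 | svchost.exe | C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
]

# Each rule: (rule name, tactic label, compiled pattern applied to the command line).
RULES = [
    ("vssadmin_delete_shadows", "inhibit_system_recovery",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE)),
    ("wmic_shadowcopy_delete", "inhibit_system_recovery",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.IGNORECASE)),
    ("psexec_service_binary", "lateral_movement",
     re.compile(r"\bPSEXESVC\.exe\b", re.IGNORECASE)),
]


def parse_event(line):
    """Split one constructed log line into its four fields."""
    ts, host, parent, cmd = (part.strip() for part in line.split("|", 3))
    return {"ts": ts, "host": host, "parent": parent, "cmd": cmd}


def match_events(lines):
    """Return one hit per (event, rule) pair whose command line matches a rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        for name, tactic, pattern in RULES:
            if pattern.search(event["cmd"]):
                hits.append({**event, "rule": name, "tactic": tactic})
    return hits


def prioritize_hosts(hits):
    """Score each host with at least one hit.

    Shadow-copy deletion on its own is 'high'; combined with the PsExec service
    binary on the same host it is 'critical'; PsExec alone is 'medium'.
    """
    tactics_by_host = defaultdict(set)
    for hit in hits:
        tactics_by_host[hit["host"]].add(hit["tactic"])
    severity = {}
    for host, tactics in tactics_by_host.items():
        if "inhibit_system_recovery" in tactics:
            severity[host] = "critical" if "lateral_movement" in tactics else "high"
        else:
            severity[host] = "medium"
    return severity


if __name__ == "__main__":
    found = match_events(SAMPLE_EVENTS)
    for hit in found:
        print(f"{hit['ts']} {hit['host']:<7} {hit['rule']:<24} {hit['cmd']}")
    for host, level in sorted(prioritize_hosts(found).items()):
        print(f"{host}: {level}")
```

In production the same logic would read Sysmon Event ID 1 or Security 4688 records rather than constructed lines; the point is the correlation step, since a single vssadmin invocation is noisy on its own but becomes a strong signal when it lands on a host that also just received a PsExec service.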
As of February 2023, Royal ransomware can target both Windows and Linux environments. It was associated with 19 attacks in January 2023 alone, behind LockBit, ALPHV and Vice Society.