In our new threat briefing report, Forescout’s Vedere Labs analyzes the Royal ransomware threat actor group and encryptor payload, presents threat hunt opportunities for network defenders and shares details of the group’s tactics, techniques, and procedures (TTPs).
Who is Royal ransomware?
The Royal ransomware threat actor group, initially tracked as DEV-0569, first emerged in early 2022 and has been especially active since the end of that year. Royal ransomware was first observed by security researchers in September 2022, and since then multiple attacks have been detected targeting organizations across the globe, mostly in the U.S., Brazil and Europe. It was among the most active ransomware groups in December 2022 and has already announced its first victim of 2023: DSBJ, a Chinese company that manufactures components for Internet of Things (IoT) and telecommunications equipment.
Security researchers have noted that the group was probably created by one of the former Conti teams (“Conti Team One”) and that it used the Zeon encryptor in some attacks.
Royal ransomware tactics, techniques and procedures
The group employs the double extortion tactic by gaining access to a victim’s environment, encrypting their data, exfiltrating sensitive data and demanding a ransom to decrypt files. The files are encrypted using the Advanced Encryption Standard (AES) and given the extension .royal. In recent attacks, the encrypted files also had the extension .royal_*.
The initial attack vectors are specifically designed and tailored for individual targets. They include:
- Initial infection techniques such as malicious advertisements, phishing links that point to a malware payload, fake software installers and fake forum pages to lure potential victims.
- Callback phishing, which entails impersonating various service providers and software providers in emails that look like subscription renewals. The phishing emails contain phone numbers that the victim should contact to cancel their subscription. Upon calling the number, the threat actors convince the victim to install remote access software, which serves as initial access to the target network.
In a recent campaign, Royal ransomware actors used a compiled remote desktop malware to drop the tools that were later used to infiltrate the victim’s system. In some instances, they used QakBot and Cobalt Strike for lateral movement and NetScan to look for any network-connected systems. Once they infiltrated the system, the threat actors used tools like Nsudo, PowerTool and Process Hacker to disable any security-related services running in the system. They used PsExec to execute the malware and spread it to other machines in the network. The group also relies heavily on defense evasion techniques such as using encrypted binaries and disabling antivirus solutions.
The table below summarizes the TTPs commonly used by Royal ransomware.
Royal ransomware mitigation and threat hunting opportunities
Common ransomware mitigation recommendations apply to Royal ransomware. They include identifying and patching vulnerable devices in the network, segmenting the network to avoid spreading the infection and monitoring network traffic to detect signs of intrusion, lateral movement and payload execution. These recommendations are detailed on CISA’s Stop Ransomware project page, especially their ransomware guide.
Additionally, since the group relies heavily on phishing for initial access, individuals should pay special attention to potentially malicious e-mails, advertisements and websites. CISA’s recently released Phishing Infographic is a useful resource for defenders, aligned to their cross-sector cybersecurity performance goals (CPGs).
Finally, hunting for the presence of the threat actor and payload on the network can help stop an ongoing incident before its full impact. The following threat hunting opportunities are based on the detailed analysis provided in our full technical report:
- PsExec Service Installation: event_id = 7045 OR 7036 && service_name contains “psexesvc”
- PsExec Remote Command Execution: parent_process_name = psexesvc.exe && process_name = cmd.exe
- Shadow Copy Deletion: process_name = vssadmin.exe && command_line contains “delete*shadows”
- Local Admin Account Created Using Net.exe: process_name = net.exe OR net1.exe && command_line contains “* administr* /add*”
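To show how these four hunt opportunities translate into running detection logic, the following script (an added example, not code from Forescout or the full technical report) encodes each rule as a predicate and runs it over a handful of constructed Windows/Sysmon-style events. The field names (`event_id`, `service_name`, `process_name`, `parent_process_name`, `command_line`, `host`) and the sample events are assumptions chosen to mirror the queries above; wildcard “contains” matching is done case-insensitively with `fnmatch`. It also adds one correlation step the list does not spell out: flagging hosts on which several of the rules fire, since a PsExec service install followed by shadow copy deletion and a new local admin on the same host is far stronger evidence than any single hit.

```python
"""Toy hunt engine for the Royal ransomware hunt rules listed above.

Added example: field names and sample events are constructed, not taken
from any real telemetry source or from the Forescout report.
"""
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]


def contains(value: str, pattern: str) -> bool:
    """Case-insensitive 'contains' with * wildcards, e.g. 'delete*shadows'."""
    return fnmatchcase(str(value).lower(), f"*{pattern.lower()}*")


# One predicate per hunt opportunity from the list above.
HUNT_RULES: Dict[str, Callable[[Event], bool]] = {
    "PsExec Service Installation": lambda e: (
        e["event_id"] in (7045, 7036) and contains(e["service_name"], "psexesvc")
    ),
    "PsExec Remote Command Execution": lambda e: (
        contains(e["parent_process_name"], "psexesvc.exe")
        and str(e["process_name"]).lower() == "cmd.exe"
    ),
    "Shadow Copy Deletion": lambda e: (
        str(e["process_name"]).lower() == "vssadmin.exe"
        and contains(e["command_line"], "delete*shadows")
    ),
    "Local Admin Account Created Using Net.exe": lambda e: (
        str(e["process_name"]).lower() in ("net.exe", "net1.exe")
        and contains(e["command_line"], "* administr* /add*")
    ),
}


def make_event(host: str, event_id: int = 1, service_name: str = "",
               process_name: str = "", parent_process_name: str = "",
               command_line: str = "") -> Event:
    """Build a constructed event record with the hypothetical field layout."""
    return {
        "host": host, "event_id": event_id, "service_name": service_name,
        "process_name": process_name, "parent_process_name": parent_process_name,
        "command_line": command_line,
    }


# Constructed sample telemetry: WS01 shows the chain the rules describe,
# FS02 shows lookalike but benign activity that must not fire.
SAMPLE_EVENTS: List[Event] = [
    make_event("WS01", event_id=7045, service_name="PSEXESVC"),
    make_event("WS01", process_name="cmd.exe", parent_process_name="PSEXESVC.exe",
               command_line="cmd.exe /c whoami"),
    make_event("WS01", process_name="vssadmin.exe", parent_process_name="cmd.exe",
               command_line="vssadmin.exe delete shadows /all /quiet"),
    make_event("WS01", process_name="net.exe", parent_process_name="cmd.exe",
               command_line="net localgroup administrators backupsvc /add"),
    make_event("FS02", process_name="vssadmin.exe", parent_process_name="cmd.exe",
               command_line="vssadmin.exe list shadows"),        # benign: no delete
    make_event("FS02", event_id=7036, service_name="Spooler"),   # benign service event
    make_event("FS02", process_name="net1.exe", parent_process_name="cmd.exe",
               command_line="net1 user backupsvc P@ss /add"),    # user add, not admin group
]


def hunt(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (rule name, host, evidence) for every event that matches a rule."""
    hits = []
    for e in events:
        for name, rule in HUNT_RULES.items():
            if rule(e):
                evidence = str(e["command_line"]) or str(e["service_name"])
                hits.append((name, str(e["host"]), evidence))
    return hits


def hosts_with_chain(hits: List[Tuple[str, str, str]], min_rules: int = 2) -> List[str]:
    """Hosts on which at least `min_rules` distinct hunt rules fired."""
    per_host: Dict[str, set] = {}
    for name, host, _ in hits:
        per_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= min_rules)


if __name__ == "__main__":
    for name, host, evidence in hunt(SAMPLE_EVENTS):
        print(f"[{host}] {name}: {evidence}")
    print("hosts with multiple rules firing:", hosts_with_chain(hunt(SAMPLE_EVENTS)))
```

The `contains` helper deliberately lowercases before matching because PsExec registers its service as `PSEXESVC` while the query is written in lowercase; an exact-case match would silently miss the install event. In a real deployment the predicates would be expressed in your SIEM's query language, but the structure (per-rule predicate, then per-host correlation) carries over.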