Royal Ransomware
December 5, 2022
Royal has been in existence since at least the beginning of 2022, making it a relatively new business. The goal of the group and its software is standard: infiltrate the environment of a victim, encrypt their data, and demand a ransom to decrypt any files impacted.
Background
In its ransom note, the organization makes it clear that it intends to use the “double extortion” strategy: in addition to encrypting the victim’s data, it threatens to reveal data obtained from the victim until a ransom is paid.
Analysis
- Delivery Mechanism: The Royal gang employs targeted callback phishing attacks, posing as software and food delivery companies in emails that appear to be subscription renewals. These phishing emails include phone numbers that the target can call to cancel the fictitious subscription, but in reality these numbers belong to a service that the threat actors have contracted. As soon as a victim dials the number, the threat actors use social engineering to persuade the victim to install remote access software, which is then used to acquire initial access to the corporate network.
- Lateral Movement: The threat actors are inventive in how they access networks; in one case they broke into a victim's network by exploiting a vulnerability in a custom web application.
- Execution: The threat actors carry out the same operations that other human-operated ransomware operations do once they have gained access to a network. Then, after spreading laterally via the Windows domain and stealing data, they deploy Cobalt Strike for persistence, collect passwords, and encrypt the machines with the Royal Ransomware.
- Encryption technique: Royal appears to encrypt files with AES via the OpenSSL library, and the encryptor appends the .royal extension to the file names of encrypted files. It also directly encrypts the virtual disk files (VMDK) of targeted virtual machines. The ransom notes are then printed on network printers or dropped on the Windows machines that the threat actors have encrypted.
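As an added example (not code from the original article or from any vendor), the following Python detector turns the two file-level indicators described above, files renamed or created with the .royal extension and bulk writes to VMDK virtual disk files, into a simple burst detection over file-system event records. The event line format, the per-process threshold, the window length and the sample events are all constructed for this example; a real deployment would feed it file-activity telemetry from an EDR or audit log.

```python
"""
Added example (not from the original article): scan file-system event records
for indicators consistent with the Royal encryption behaviour described above,
namely files renamed/created with the ".royal" extension and bulk modification
of VMDK virtual disk files. Event format, thresholds and sample data are
constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".royal"        # extension appended by the encryptor (from the article)
VMDK_EXT = ".vmdk"              # virtual disk files the article says are encrypted directly
BURST_THRESHOLD = 5             # constructed: indicator events per process inside the window
WINDOW = timedelta(seconds=60)  # constructed: sliding window length

# Constructed sample events, not real telemetry: "<ISO timestamp> <pid> <op> <path>"
SAMPLE_EVENTS = [
    "2022-12-05T10:00:00 4120 RENAME C:\\Finance\\q3.xlsx.royal",
    "2022-12-05T10:00:01 4120 RENAME C:\\Finance\\q4.xlsx.royal",
    "2022-12-05T10:00:02 4120 RENAME C:\\HR\\payroll.docx.royal",
    "2022-12-05T10:00:03 4120 WRITE D:\\VMs\\dc01\\dc01.vmdk",
    "2022-12-05T10:00:04 4120 RENAME C:\\HR\\contracts.pdf.royal",
    "2022-12-05T10:00:05 4120 WRITE D:\\VMs\\fileserver\\disk1.vmdk",
    "2022-12-05T10:05:00 7788 CREATE C:\\Users\\alice\\notes.txt",
    "2022-12-05T10:05:30 7788 WRITE D:\\VMs\\test\\test.vmdk",
    "2022-12-05T11:30:00 4120 RENAME C:\\Old\\archive.zip.royal",
]


def parse_event(line):
    """Parse one constructed log line into a dict (paths contain no spaces here)."""
    ts, pid, op, path = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "pid": pid, "op": op, "path": path}


def is_indicator(event):
    """Return the indicator type for an event, or None if it looks benign."""
    path = event["path"].lower()
    if event["op"] in ("RENAME", "CREATE") and path.endswith(ENCRYPTED_EXT):
        return "royal_ext"
    if event["op"] == "WRITE" and path.endswith(VMDK_EXT):
        return "vmdk_write"
    return None


def detect_bursts(lines):
    """Group indicator events by process and flag each process whose indicator
    count inside any WINDOW-long sliding window reaches BURST_THRESHOLD.
    A single stray .vmdk write does not alert; a rapid run of renames does.
    Returns {pid: {"count": peak_count, "kinds": sorted indicator types}}."""
    per_pid = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        kind = is_indicator(ev)
        if kind:
            per_pid[ev["pid"]].append((ev["ts"], kind))

    alerts = {}
    for pid, evs in per_pid.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most WINDOW
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= BURST_THRESHOLD:
            alerts[pid] = {"count": best, "kinds": sorted({k for _, k in evs})}
    return alerts


def main():
    for pid, info in detect_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} peak={info['count']} indicators={info['kinds']}")


if __name__ == "__main__":
    main()
```

On the constructed sample, process 4120 produces six indicator events inside one minute (four .royal renames and two VMDK writes) and is flagged, while process 7788 only touches one VMDK file and stays below the threshold; the later isolated rename by 4120 does not raise the peak. Tuning the threshold and window against normal backup or VM-maintenance activity is what keeps this from alerting on legitimate bulk VMDK writes.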