Threat Profile Series: An Introduction to Royal Ransomware

DarrenMccutchen
Tuesday

Towards the end of 2022, researchers at SOCRadar recognized a relatively new cyber gang, Royal, as the most active ransomware threat. Attacks linked to Royal Ransomware have impacted a diverse pool of victims across many geographical regions and multiple industrial sectors, including healthcare and public health, education, communications, and manufacturing, among others. Recently, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) released their second joint advisory focused on Royal. Given the group's increasing activity and the complexity of its attacks, organizations should place added emphasis on understanding the threat that Royal Ransomware presents.

Over the next few weeks, the NetWitness Threat Research team will be doing a deep dive into the threat actor group. For our first blog post in the series, we will provide an overview of the group/ransomware and touch on some of the key TTPs associated with this cyber gang. In Part 2, we will use NetWitness to analyze several samples of Royal Ransomware and highlight detection opportunities using the platform.

 

Background and History

 

Royal Ransomware campaigns began in earnest in September 2022, although there is evidence of the group's activity dating back as early as January 2022. Two versions of the malware have been spotted in attacks. The initial Royal Ransomware payloads were 64-bit Windows executables written in C++(i). More recently, Royal added a Linux encryptor targeting VMware ESXi servers and the virtual machines they host(ii). Artifacts discovered during post-breach analysis, including the use of specific encryptors and the form of earlier ransom notes, suggest that Royal's membership may include individuals with ties to the former Conti ransomware group(iii). The Royal operators appear to be an unaffiliated, financially motivated group, with ransom demands reported in the millions of USD.

Adding to their bona fides as a highly skilled cyber-crime operation, the Royal Ransomware group does not use the Ransomware-as-a-Service model, in which affiliates pay to distribute ransomware developed and maintained by another group. Instead, Royal functions as an independent group that has shown a proficiency in targeting and penetrating large corporate environments without relying on Initial Access Brokers(i), although there are some indications that the tracked group DEV-0569 has purchased network access in order to deliver Royal Ransomware(iv). In most Royal Ransomware attacks, access was gained through callback phishing, a social-engineering technique in which victims call a phone number included in an email and, after direct interaction with the attacker, are convinced to install malware masquerading as legitimate software. Other methods used to drop Royal Ransomware on victim systems include exploiting vulnerabilities in public-facing applications, abusing business contact forms to spam companies with malicious links, planting bogus installers on popular file download sites, and, increasingly, malvertising via Google Ads.

Prior to encryption, the Royal Ransomware gang exfiltrates sensitive data from victim networks and then uses the threatened release of that data to pressure companies into paying the ransom (a technique called double extortion). To put additional pressure on its targets, the Royal group drums up media coverage by using compromised Twitter accounts to contact journalists and news organizations and alert them to newly successful attacks.

In the News

 

  • Nov-2022: Royal Ransomware operators posted evidence of breaching Silverstone Circuit, an English motor racing circuit and home of Formula One's British Grand Prix, to their leak site(v).
  • Dec-2022: In Travis County, Texas, the Travis County Appraisal District, which is responsible for assessing the appraisal values of all property in the county, attributed a successful ransomware attack to the Royal Ransomware threat group(vi). The attack shut down phone lines, email access, and network connectivity for multiple days.
  • Dec-2022: American telecommunications company Intrado was added to the Royal Ransomware leak site(vii). The post alluded to the gang taking "internal documents \ passports \ employee driver's licenses" from Intrado's network. The ransomware is believed to be responsible for a large Intrado outage in early December.

 

Technical Summary

 

Windows Variant

 

As discussed earlier, the Royal Ransomware group employs an assortment of methods to obtain initial access to target infrastructure. Once on a host, the Windows payload is launched from the command line and accepts the following arguments(viii):

  • -id: A 32-character alphanumeric value used to identify the compromised host. This argument is required; if it is omitted, the ransomware will not run.
  • -path: Specifies a path to be encrypted. This argument is optional.
  • -ep: An integer between 0 and 100 representing the percentage of each file to be encrypted. If not specified, Royal defaults to encrypting 50% of files larger than 5.245 MB and 100% of files smaller than that. This argument is also optional.
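As an added illustration (not code from the original post and not NetWitness content), the following Python parses a process command line against the launch-argument rules described above. It goes a little beyond the Windows case: it also accepts the ESXi variant's switches (-stopvm, -fork, -log, -vmonly) and a bare target directory, as described in the Linux Variant section below, and it computes how many bytes Royal would encrypt under the -ep default. The sample command lines, paths and host identifier are constructed for the example, and the tokenizing and ordering rules are assumptions, since the post does not describe how the binary parses its arguments.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Size threshold (bytes) from the post: without -ep, files below this are
# encrypted in full and larger files are 50% encrypted.
FULL_ENCRYPT_THRESHOLD = 5_245_000
DEFAULT_EP = 50

ID_RE = re.compile(r"^[A-Za-z0-9]{32}$")
VALUE_FLAGS = {"-id", "-path", "-ep"}                   # flags that take a value
SWITCH_FLAGS = {"-stopvm", "-fork", "-log", "-vmonly"}  # ESXi-variant switches


@dataclass
class RoyalArgs:
    host_id: Optional[str] = None
    path: Optional[str] = None       # -path value or, on ESXi, a bare target directory
    ep: Optional[int] = None
    switches: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)

    @property
    def would_run(self) -> bool:
        """Per the post, a missing or malformed -id stops the ransomware from running."""
        return self.host_id is not None and not self.errors


def parse_royal_cmdline(cmdline: str) -> RoyalArgs:
    """Parse a process command line using the argument rules the post describes.

    shlex runs in non-POSIX mode so Windows backslash paths survive; how the real
    binary tokenizes its arguments is not described in the post (assumption).
    """
    out = RoyalArgs()
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError as exc:
        out.errors.append(f"unparseable command line: {exc}")
        return out

    i = 1  # tokens[0] is the executable itself
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in SWITCH_FLAGS:
            out.switches.append(tok)
            i += 1
        elif tok in VALUE_FLAGS:
            if i + 1 >= len(tokens):
                out.errors.append(f"{tok} is missing its value")
                break
            val = tokens[i + 1].strip('"')
            if tok == "-id":
                if not ID_RE.match(val):
                    out.errors.append("-id must be exactly 32 alphanumeric characters")
                out.host_id = val
            elif tok == "-path":
                out.path = val
            elif not val.isdigit() or not 0 <= int(val) <= 100:
                out.errors.append("-ep must be an integer between 0 and 100")
            else:
                out.ep = int(val)
            i += 2
        elif not tok.startswith("-"):
            out.path = tokens[i].strip('"')  # positional target folder (ESXi variant)
            i += 1
        else:
            out.errors.append(f"unknown argument {tokens[i]}")
            i += 1

    if out.host_id is None:
        out.errors.append("-id is required")
    return out


def encrypted_bytes(file_size: int, ep: Optional[int]) -> int:
    """Bytes Royal would encrypt in a file of file_size under the given -ep setting."""
    if ep is None:
        ep = 100 if file_size < FULL_ENCRYPT_THRESHOLD else DEFAULT_EP
    return file_size * ep // 100


# Constructed sample command lines (hypothetical paths and host id, not real IOCs).
SAMPLE_CMDLINES: Dict[str, str] = {
    "windows_full": r'C:\Users\Public\royal.exe -id 6c9e2fb0a4d1e7c3b2f8a9d0c1e2f3a4 -path "C:\Shares" -ep 50',
    "windows_no_id": r"C:\Users\Public\royal.exe -path C:\Shares",
    "windows_bad_ep": r"C:\Users\Public\royal.exe -id 6c9e2fb0a4d1e7c3b2f8a9d0c1e2f3a4 -ep 150",
    "esxi": "./royal_u -id 6c9e2fb0a4d1e7c3b2f8a9d0c1e2f3a4 -stopvm -log /vmfs/volumes/datastore1",
}


def triage_cmdlines(cmdlines: Dict[str, str]) -> Dict[str, bool]:
    """Map each sample to whether it would actually launch Royal's encryptor."""
    return {name: parse_royal_cmdline(c).would_run for name, c in cmdlines.items()}


if __name__ == "__main__":
    for name, cmd in SAMPLE_CMDLINES.items():
        print(name, parse_royal_cmdline(cmd))
    print(encrypted_bytes(10_000_000, None), "bytes of a 10 MB file encrypted by default")
```

The point of the `would_run` property is that an observed Royal command line without a well-formed -id is still worth an alert but is not an encryption event; a hunting query over process-creation telemetry can use the parsed fields (valid id, -ep value, target path) rather than a bare string match on the executable name.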

 

Royal Ransomware operators use numerous legitimate open-source tools and Windows utilities to entrench themselves in victim networks. The group has been observed using remote management software such as AnyDesk and Atera Agent to maintain persistence(ix). PowerSploit, a penetration-testing framework made up of PowerShell modules, helps Royal threat actors escalate to administrator rights. Royal actors achieve lateral movement via Microsoft Sysinternals' PsExec tool or with discovered RDP credentials. The group uses NirCmd to run commands on hosts without displaying a window. To enumerate domain members and groups, available network shares, and other systems on the network, Royal attacks have used AdFind and NetScan from compromised domain controllers. As noted in the FBI/CISA Joint Cybersecurity Advisory, Royal operators have also used Chisel, a TCP tunneling tool that carries SSH-encrypted traffic over HTTP, for C2 communication.

In addition to open-source tooling, groups distributing Royal have paired the ransomware with other prominent malware families. In a few attacks, BATLOADER was used as the delivery mechanism for the Royal Ransomware payload(x). The FBI has seen Ursnif/Gozi used to facilitate data exfiltration during Royal attacks, and Qakbot has been found on systems prior to Royal infections(xi).

Prior to encrypting files and drives, Royal Ransomware takes several actions to hamper system defenses and recovery. If a target file is in use by another process, Royal uses the Windows Restart Manager API to stop the application or service holding it open so that the file can be encrypted. As is standard among many ransomware families, Royal attempts to prevent system recovery by using the vssadmin Windows utility to silently delete all available shadow copies. The operators can also disable antivirus using NSudo, a system-management tool that launches processes as TrustedInstaller or other highly privileged accounts(xii).

Once the environment is staged and data has been exfiltrated, Royal Ransomware begins encryption. Royal uses multi-threaded encryption, spawning multiple worker threads to shorten the time to full encryption(iv); this also makes stopping an attack in progress more difficult. Earlier Royal intrusions borrowed the BlackCat (ALPHV) encryptor. Over time, the threat group developed its own encryptor, Zeon, which uses the AES implementation from OpenSSL. The AES key and initialization vector are themselves encrypted with an RSA public key hardcoded in the binary, so only the holder of the matching private key can recover them. Encrypted files are given the '.royal' extension, and a copy of the ransom note 'README.TXT' is placed in every directory containing encrypted data. Somewhat unusually, the Royal ransom note does not state a ransom amount; instead, it directs victims to a Tor-hosted chat interface for further instructions.

Linux Variant

 

Royal Ransomware's Linux variant appears to be early in its development, and there are certain key differences from the Windows version. For the Linux build targeting ESXi servers, the launch arguments are slightly different. The -id argument is still required and -ep can still be used to specify the encryption percentage, but the -path argument has been replaced by four other optional arguments(xiii):

  • -stopvm: terminates VMs running on the target system using the ESXCLI tool.
  • -fork: tells the ransomware to fork itself and continue processing in the newly created child process.
  • -log: writes a log of the files that were encrypted.
  • -vmonly: presently unimplemented.

The Linux variant must still be executed from the command line, and the attacker must specify a target folder to ensure full encryption; based on Fortinet's analysis of a Linux sample, this suggests the "ransomware is executed either manually or by a dropper program that specifies which folders should be encrypted". Linux Royal does not set an exclusion list before encryption, but as the malware recursively works through the target directories it checks each file to avoid "double encryption" of already-encrypted files, encryption of core VM files (those with '.sf', '.v00', and '.b00' extensions), encryption of the log file generated by the -log argument, and encryption of the ransom note. Instead of the '.royal' extension, encrypted files are given the '.royal_u' suffix ('u' potentially designating a Unix system).
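The encrypted-file naming from the Windows and Linux sections ('.royal' and '.royal_u', plus a 'README.TXT' in each affected directory) and the partial-encryption behaviour are exactly what an incident responder triages first. The following Python is an added example (not code from the original post or from NetWitness): it walks a directory tree, inventories ransom notes and Royal-extension files, and estimates from per-window byte entropy whether each file is fully or only partially encrypted, which matters because a partially encrypted file may still hold recoverable plaintext. The victim tree is constructed in a temporary directory; the placement of the encrypted bytes at the start of the sample file is an assumption for the demo only, and the classifier itself does not depend on where in the file the encrypted portion sits, since the post gives only a percentage, not a layout.

```python
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict

ENCRYPTED_SUFFIXES = (".royal", ".royal_u")   # Windows and Linux/ESXi variants
RANSOM_NOTE = "README.TXT"
WINDOW = 4096          # bytes per entropy window
HIGH_ENTROPY = 7.5     # bits/byte; AES ciphertext measures close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """'full', 'partial' or 'plain', by how many fixed-size windows look like ciphertext."""
    high = low = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(WINDOW)
            if not chunk:
                break
            if shannon_entropy(chunk) >= HIGH_ENTROPY:
                high += 1
            else:
                low += 1
    if high and not low:
        return "full"
    if high and low:
        return "partial"
    return "plain"


def triage_tree(root: Path) -> Dict[str, object]:
    """Inventory ransom notes and Royal-extension files under root."""
    notes = []
    encrypted: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.name == RANSOM_NOTE:
            notes.append(rel)
        elif p.name.endswith(ENCRYPTED_SUFFIXES):
            encrypted[rel] = classify_file(p)
    return {"ransom_notes": notes, "encrypted": encrypted}


def build_sample_tree(root: Path) -> None:
    """Create a constructed victim directory (not real artifacts) for the demo."""
    plaintext = (b"Quarterly figures, unchanged text line.\n" * 200)[:WINDOW]
    (root / "docs").mkdir(parents=True)
    (root / "vms").mkdir()
    # Fully encrypted document: every window is random bytes.
    (root / "docs" / "report.docx.royal").write_bytes(os.urandom(WINDOW * 4))
    # Partially encrypted VMDK: first half random, second half still plaintext (assumed layout).
    (root / "vms" / "big.vmdk.royal_u").write_bytes(os.urandom(WINDOW * 4) + plaintext * 4)
    (root / "docs" / "untouched.txt").write_bytes(plaintext)
    (root / "docs" / RANSOM_NOTE).write_text("constructed note placeholder\n")
    (root / "vms" / RANSOM_NOTE).write_text("constructed note placeholder\n")


def demo() -> Dict[str, object]:
    """Build the sample tree in a temp dir, triage it, clean up, and return the report."""
    tmp = Path(tempfile.mkdtemp(prefix="royal_triage_"))
    try:
        build_sample_tree(tmp)
        return triage_tree(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On a real host the root would be the share or datastore path, and the report feeds the recovery plan: "full" files need backups or the operator's RSA private key, while "partial" files can be carved for whatever plaintext remains. Note that already-compressed or encrypted formats (archives, media) score as high entropy in every window even when untouched, so the extension check, not the entropy, is what identifies a file as Royal's.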

 

Conclusion

 

The Royal Ransomware group seems well positioned to keep growing its list of victims for the foreseeable future. With several approaches to gaining access to victim systems, a range of anti-analysis and defense-evasion tactics, the ability to deliver and use a variety of open-source tooling, and partial encryption via a proprietary encryptor, Royal operators can adapt their attacks to evade well-defended environments. The NetWitness Threat Research team's investigation into this threat is ongoing and we will continue monitoring for new developments. In the meantime, several pieces of content related to Royal Ransomware operations are currently available in NetWitness Live:

Logs:

  • Nircmd for Command Execution (Logs)
  • Scheduled Tasks via schtasks.exe (Logs)
  • Stop/Kill Multiple Processes - NET.exe (Logs)
  • Stop/Kill Multiple Processes - SC.exe (Logs)
  • Stop/Kill Multiple Processes - TASKKILL.exe (Logs)

Endpoint:

  • Deletes shadow volume copies
  • Nircmd for Command Execution (Endpoint)
  • NSudo Trusted Installer from Command Line
  • Royal Ransomware Launch Arguments
  • Scheduled Tasks via schtasks.exe (Endpoint)
  • Stop/Kill Multiple Processes - NET.exe (Endpoint)
  • Stop/Kill Multiple Processes - SC.exe (Endpoint)
  • Stop/Kill Multiple Processes - TASKKILL.exe (Endpoint)
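To show what the detection content above is looking for, here is an added example (not code from the original post and not the NetWitness Live content itself) that evaluates a small rule set over constructed process-creation events for the tooling described in the Technical Summary: vssadmin shadow deletion, NSudo as TrustedInstaller, NirCmd, schtasks persistence, PsExec, Chisel, and the net/sc/taskkill service-stop commands. Rule names follow the Live content names where one exists, and each rule carries the ATT&CK ID from the MITRE table below. The PsExec and Chisel rules, the threshold of three stop/kill commands per host within 60 seconds, and the sample events (hosts, paths and the 203.0.113.10 address) are my own assumptions, constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    name: str          # NetWitness Live content name where one exists
    technique: str     # MITRE ATT&CK ID from the post's table
    pattern: re.Pattern
    aggregate: bool = False   # True: fire only after `threshold` hits per host within `window`


@dataclass
class Alert:
    host: str
    rule: str
    technique: str
    evidence: List[str]


RULES = [
    Rule("Deletes shadow volume copies", "T1490",
         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I)),
    Rule("NSudo Trusted Installer from Command Line", "T1562.001",
         re.compile(r"\bnsudo\S*\s+.*-U:T\b", re.I)),   # NSudo's -U:T selects TrustedInstaller
    Rule("Nircmd for Command Execution", "T1059",
         re.compile(r"\bnircmdc?(\.exe)?\b", re.I)),
    Rule("Scheduled Tasks via schtasks.exe", "T1053.005",
         re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
    Rule("PsExec remote execution", "T1569.002",           # assumed rule, not Live content
         re.compile(r"\bpsexec(64)?(\.exe)?\s+\\\\", re.I)),
    Rule("Chisel tunnel client", "T1572",                  # assumed rule, not Live content
         re.compile(r"\bchisel(\.exe)?\s+client\b", re.I)),
    Rule("Stop/Kill Multiple Processes - NET.exe", "T1489",
         re.compile(r"\bnet1?(\.exe)?\s+stop\b", re.I), aggregate=True),
    Rule("Stop/Kill Multiple Processes - SC.exe", "T1489",
         re.compile(r"\bsc(\.exe)?\s+stop\b", re.I), aggregate=True),
    Rule("Stop/Kill Multiple Processes - TASKKILL.exe", "T1489",
         re.compile(r"\btaskkill(\.exe)?\b.*\s/(f|im)\b", re.I), aggregate=True),
]

# Constructed process-creation events (ts in seconds); not from a real incident.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": 0,  "host": "FS01", "cmd": r"vssadmin.exe delete shadows /all /quiet"},
    {"ts": 2,  "host": "FS01", "cmd": r"C:\Temp\NSudo.exe -U:T -P:E C:\Temp\stage.bat"},
    {"ts": 3,  "host": "FS01", "cmd": r"C:\Temp\nircmd.exe exec hide C:\Temp\stage2.bat"},
    {"ts": 5,  "host": "FS01", "cmd": "net stop SQLWriter /y"},
    {"ts": 6,  "host": "FS01", "cmd": "net stop MSSQLSERVER /y"},
    {"ts": 7,  "host": "FS01", "cmd": "net stop VeeamBackupSvc /y"},
    {"ts": 8,  "host": "FS01", "cmd": "sc stop WinDefend"},
    {"ts": 9,  "host": "FS01", "cmd": "sc stop Sense"},
    {"ts": 10, "host": "FS01", "cmd": "taskkill /F /IM sqlservr.exe"},
    {"ts": 11, "host": "FS01", "cmd": "taskkill /F /IM excel.exe"},
    {"ts": 12, "host": "FS01", "cmd": "taskkill /F /IM winword.exe"},
    {"ts": 15, "host": "FS01", "cmd": r'schtasks.exe /create /tn "Update" /tr C:\Temp\royal.exe /sc onstart /ru SYSTEM'},
    {"ts": 20, "host": "FS01", "cmd": r"psexec.exe \\FS02 -s -d C:\Temp\royal.exe -id 6c9e2fb0a4d1e7c3b2f8a9d0c1e2f3a4"},
    {"ts": 25, "host": "FS01", "cmd": r"C:\Temp\chisel.exe client 203.0.113.10:8080 R:socks"},
    {"ts": 40, "host": "WS07", "cmd": "vssadmin.exe list shadows"},   # benign: no alert
    {"ts": 41, "host": "WS07", "cmd": "net stop spooler"},             # single stop: below threshold
]


def run_rules(events: List[Dict], threshold: int = 3, window: int = 60) -> List[Alert]:
    """Evaluate RULES over events in time order; aggregate rules fire once per host."""
    alerts: List[Alert] = []
    buckets: Dict[tuple, List[Dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in RULES:
            if not rule.pattern.search(ev["cmd"]):
                continue
            if not rule.aggregate:
                alerts.append(Alert(ev["host"], rule.name, rule.technique, [ev["cmd"]]))
                continue
            key = (ev["host"], rule.name)
            recent = [e for e in buckets[key] if ev["ts"] - e["ts"] <= window] + [ev]
            buckets[key] = recent
            if len(recent) == threshold:   # fire exactly when the threshold is first crossed
                alerts.append(Alert(ev["host"], rule.name, rule.technique, [e["cmd"] for e in recent]))
    return alerts


if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"{a.host}  {a.technique:<10} {a.rule}  ({len(a.evidence)} event(s))")
```

The aggregate rules are deliberately not single-event: one `net stop` is routine administration, while three service stops, or three forced kills, from the same host inside a minute is the staging pattern described above, where backup and database services are stopped so their files can be encrypted. The two `sc stop` events on FS01 stay below the threshold and produce no alert, which is the intended trade-off; lowering `threshold` trades noise for earlier warning.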

In upcoming weeks, please be on the lookout for our follow-up Royal Ransomware post where we’ll investigate an attack with NetWitness.

 

MITRE

  • T1190 Exploit Public-Facing Application
  • T1566 Phishing
  • T1133 External Remote Services
  • T1105 Ingress Tool Transfer
  • T1059 Command and Scripting Interpreter
  • T1053.005 Scheduled Task
  • T1569.002 Service Execution
  • T1562.001 Disable or Modify Tools
  • T1083 File and Directory Discovery
  • T1057 Process Discovery
  • T1135 Network Share Discovery
  • T1021.001 Remote Desktop Protocol
  • T1572 Protocol Tunneling
  • T1486 Data Encrypted for Impact
  • T1490 Inhibit System Recovery
  • T1489 Service Stop

 

References

(i) - https://www.hhs.gov/sites/default/files/royal-ransomware-analyst-note.pdf
(ii) - https://twitter.com/BushidoToken/status/1621087221905514496?cxt=HHwWgIDTuamPof8sAAAA
(iii) - https://twitter.com/VK_Intel/status/1557003350541242369
(iv) - https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/royal-ransomware
(v) - https://cybernews.com/news/silverstone-formula-one-ransomware/
(vi) - https://www.statesman.com/story/news/2022/12/05/travis-county-tx-home-appraisals-ransomware-attack/69703419007/
(vii) - https://www.bleepingcomputer.com/news/security/royal-ransomware-claims-attack-on-intrado-telecom-provider/
(viii) - https://www.cybereason.com/blog/royal-ransomware-analysis
(ix) - https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive
(x) - https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/
(xi) - https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html
(xii) - https://blog.polyswarm.io/royal-ransomware
(xiii) - https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html

 

 

  • DEV-0569
  • MITRE ATT&CK
  • ransomware
  • Royal Ransomware
  • threat detection
  • threat research
© 2022 RSA Security LLC or its affiliates. All rights reserved.