Towards the end of 2022, researchers at SOCRadar recognized a relatively new cyber gang, Royal, as the most active ransomware threat. Attacks linked to Royal Ransomware have impacted a diverse pool of victims across many geographical regions and multiple industrial sectors, including healthcare and public healthcare, education, communications, and manufacturing, among others. Recently, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) released their second joint advisory focused on Royal. Due to the group's increasing activity and the complexity seen in its attacks, organizations must place added emphasis on understanding the threat presented by Royal Ransomware.
Over the next few weeks, the NetWitness Threat Research team will be doing a deep dive into the threat actor group. For our first blog post in the series, we will provide an overview of the group/ransomware and touch on some of the key TTPs associated with this cyber gang. In Part 2, we will use NetWitness to analyze several samples of Royal Ransomware and highlight detection opportunities using the platform.
Background and History
Royal Ransomware campaigns began in earnest in September 2022, although there is evidence of the group’s activity dating back as early as January 2022. Two versions of the malware have been spotted in attacks. The initial Royal Ransomware payloads were 64-bit Win32 executables written in C++(i). Recently, Royal Ransomware added a Linux encryptor targeting VMware ESXi virtual machines(ii). Artifacts discovered during post-breach analysis, including the use of specific encryptors and the form of previous ransom notes, suggest the Royal membership may comprise individuals with ties to the old Conti ransomware group(iii). The Royal Ransomware operators appear to be an unaffiliated, financially motivated group, with ransom payment demands in the tens of millions USD.
Adding to their bona fides as a highly skilled cyber-crime operation, the Royal Ransomware group does not make use of the Ransomware-as-a-Service model, in which affiliates pay to distribute ransomware developed and maintained by another group. Instead, Royal functions as an independent group displaying a proficiency in targeting and penetrating large corporate environments without the use of Initial Access Brokers(i) (there are some indications that the tracked group DEV-0569 has purchased access to networks to deliver Royal Ransomware(iv)). In most Royal Ransomware attacks, access was gained using callback phishing, a social-engineering technique in which victims contact a phone number included in an email and, after direct interaction with the attacker, are ultimately convinced to install malware masquerading as legitimate software. Other methods used to drop Royal Ransomware on victim systems include exploiting vulnerabilities in public-facing applications, weaponizing business contact forms to spam companies with malicious links, placing bogus install files on popular file download sites, and, increasingly, malvertising via Google Ads.
Prior to encryption, the Royal Ransomware gang exfiltrates sensitive data from victim networks. It then uses the potential release of this information to pressure companies into paying the ransom (a technique called double extortion). To put additional pressure on its targets, the Royal group will drum up media coverage by using compromised Twitter accounts to contact journalists and news organizations and alert them to newly successful attacks.
In the News
Nov-2022: Royal Ransomware operators posted evidence of breaching Silverstone Circuit, an English motor racing circuit and home of Formula One's British Grand Prix, to its leak site(v).
Dec-2022: In Travis County, Texas, the Travis County Appraisal District, responsible for assessing the appraisal values of all property in the county, attributed a successful ransomware attack to the Royal Ransomware threat group(vi). The attack shut down phone lines, email access, and network connectivity for multiple days.
Dec-2022: American telecommunications company Intrado was added to the Royal Ransomware threat actors' leak site(vii). The post alluded to the gang taking "internal documents \ passports \ employee driver's licenses" from Intrado's network. It is believed that the ransomware was responsible for a large outage in early December.
As discussed earlier, the Royal Ransomware group employs an assortment of methods to obtain initial access to target infrastructure. To begin its infection chain, Royal Ransomware accepts the following command line arguments(viii):
-id: A 32-character alphanumeric value used to identify the compromised host. This argument is required; if it is omitted, the ransomware will not run.
-path: Allows the operator to specify a path to be encrypted. This argument is not required when initiating the malware.
-ep: A number between 0 and 100 representing the percentage of each file to be encrypted. If not specified, Royal will default to 50% encryption for files larger than 5.245 MB (files smaller than 5.245 MB will be 100% encrypted). This argument is also optional and not required for successful execution.
Royal Ransomware operators use numerous legitimate open-source tools and Windows utilities to further entrench themselves in victim networks. The group has been observed using remote management software like AnyDesk and Atera Agent to maintain persistence(ix). PowerSploit, a penetration testing framework made up of PowerShell modules, allows Royal Ransomware threat actors to gain Administrator rights. Royal actors can achieve lateral movement via Microsoft Sysinternals' PsExec tool or discovered RDP credentials. The group can use NirCMD to stealthily run CMD commands directly on host machines. To discover domain members/groups and available network shares, and to identify other network systems, Royal Ransomware attacks have utilized ADFind and Netscan from compromised domain controllers. As mentioned in the FBI/CISA Joint Cybersecurity Advisory, Royal operators have also used an SSH-secured HTTP tunneling tool named Chisel to conduct C2 communication.
In addition to open-source tooling, groups distributing Royal have packaged the ransomware with other prominent malware families. In a few attacks, BATLOADER was used as the delivery mechanism for the Royal Ransomware payload(x). The FBI has seen Ursnif/Gozi used to facilitate data exfiltration during Royal Ransomware attacks. Qakbot has also been found on systems preceding Royal ransomware infections(xi).
Prior to encrypting files and drives, Royal Ransomware takes several actions to hamper system defenses. If any encryption target files are in use by other processes, Royal will use the Windows Restart Manager to stop the applications/services holding them. As is standard amongst many ransomware families, Royal attempts to prevent system recovery by using the vssadmin Windows utility to silently delete all the available shadow copies. The malware can also disable antivirus using the system management tool NSudo(xii).
Once the environment is staged and data has been retrieved, Royal Ransomware begins encryption. Royal uses multi-threaded encryption, a technique in which the malicious payload accelerates time to encryption by launching multiple child processes(iv). This technique also makes stopping an ongoing ransomware attack more difficult. Earlier versions of Royal Ransomware borrowed their encryptors from BlackCat Ransomware. Over time, the threat group developed its own encryptor, Zeon, using the AES algorithm from OpenSSL. A public key hardcoded in the malicious binary is used to encrypt both the private key and the Initialization Vector. All encrypted files are given the '.royal' extension, and a copy of the ransom note 'README.TXT' is placed in every directory containing encrypted data. The Royal ransom note, somewhat uniquely, does not contain any ransom demands, instead directing the victims to a TOR-hosted chat application for further instructions.
Royal Ransomware's Linux variant seems to be early in its development, and there are certain key differences from the Win32 version. For the Linux-based version of Royal Ransomware targeting ESXi servers, the launch arguments are slightly different. While the -id argument is still required and -ep can still be used to specify the encryption percentage, the -path argument has been replaced by 4 other optional arguments(xiii): -stopvm terminates VMs running on the target system with the ESXCLI tool, -fork tells the ransomware to fork itself and move processing to the newly created child process, -log shows the logs of encrypted files, and a presently unimplemented -vmonly option. The Linux variant must still be executed from the command line; however, the attacker must specify a target folder to ensure full encryption. Based on Fortinet's analysis of a Linux-based sample, this may indicate that the "ransomware is executed either manually or by a dropper program that specifies which folders should be encrypted". Linux Royal does not set an exclusion list before encryption, but a search function does exist as the malware recursively works its way through target directories, preventing "double encryption", encryption of some core VM files ('.sf', '.v00', and '.b00' extensions), encryption of the log file generated by the -log command line argument, and encryption of the ransom note. Instead of the '.royal' extension being appended to encrypted files, the '.royal_u' postfix is used ('u' potentially designates a Unix system).
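The argument sets described above for the Windows build (-id, -path, -ep) and the ESXi build (-id, -ep, -stopvm, -fork, -log, -vmonly) can be turned into a process command-line signature for detection engineering. The following is an added example, not code from the original post or from NetWitness: it parses a command line, requires the mandatory 32-character alphanumeric -id, rejects foreign switches, validates -ep, and reports which variant the switches fit. The sample command lines are constructed for illustration, and the assumption that -log takes no value is ours.

```python
import re
import shlex

VALUE_FLAGS = {"-id", "-path", "-ep"}                 # switches that take a value
LINUX_ONLY = {"-stopvm", "-fork", "-log", "-vmonly"}  # ESXi build only (assumed valueless)
KNOWN_FLAGS = VALUE_FLAGS | LINUX_ONLY
ID_RE = re.compile(r"^[A-Za-z0-9]{32}$")              # mandatory -id format


def parse_royal_args(cmdline):
    """Split a command line into ({flag: value or True}, [positional targets])."""
    try:
        tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:                                # unbalanced quotes
        return {}, []
    args, targets, i = {}, [], 1                      # tokens[0] is the executable
    while i < len(tokens):
        tok = tokens[i].lower() if tokens[i].startswith("-") else tokens[i]
        if not tok.startswith("-"):
            targets.append(tok)                       # e.g. the ESXi target folder
        elif tok in VALUE_FLAGS and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            args[tok] = tokens[i + 1]
            i += 1
        else:
            args[tok] = True
        i += 1
    return args, targets


def match_royal_cmdline(cmdline):
    """Return a match dict when the command line fits Royal's documented switches, else None."""
    args, targets = parse_royal_args(cmdline)
    host_id = args.get("-id")
    if not isinstance(host_id, str) or not ID_RE.match(host_id) or set(args) - KNOWN_FLAGS:
        return None                                   # no valid -id, or switches Royal lacks
    ep = args.get("-ep")
    if ep is not None and not (isinstance(ep, str) and ep.isdigit() and int(ep) <= 100):
        return None                                   # -ep must be a number in 0..100
    variant = ("linux" if set(args) & LINUX_ONLY else
               "windows" if "-path" in args else "either")   # only -id/-ep fits both builds
    return {"variant": variant, "id": host_id, "ep": None if ep is None else int(ep),
            "path": args.get("-path"), "targets": targets}


SAMPLE_CMDLINES = [  # constructed examples, not real telemetry
    r'C:\Users\Public\update.exe -id 0123456789abcdef0123456789ABCDEF -path "C:\Shares\Finance" -ep 50',
    '/tmp/encryptor -id 0123456789abcdef0123456789abcdef -stopvm -log /vmfs/volumes',
    r'C:\Windows\System32\svchost.exe -k netsvcs -p',
    '/tmp/encryptor -id tooshort -fork',
]
```

A hit on a process-creation event is only a starting point: the switches are short enough to collide with other software, so pair it with the vssadmin shadow-copy deletion, the '.royal'/'.royal_u' extensions, and the README.TXT drops described above.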
The Royal Ransomware group seems well suited to continue growing its list of victims for the foreseeable future. With several approaches to gaining access to victim systems, the employment of various anti-analysis and defense evasion tactics, the ability to deliver and use different open-source tooling, and their usage of partial encryption via a proprietary encryptor, Royal operators can adapt attacks to get around even the best cyber defenses. The NetWitness Threat Research team’s investigation into this threat is ongoing, and we will continue monitoring for any new developments. In the meantime, several pieces of content are currently available in NetWitness Live related to Royal Ransomware operations: