Royal (cyber gang)

From Wikipedia, the free encyclopedia

Royal/BlackSuit
Formation: 2022
Type: Hacking
Purpose: Money

Royal is a cybercriminal ransomware organization known for its aggressive targeting, its high ransom demands, and its use of double extortion (where compromised data is not only encrypted, but also exfiltrated). Royal does not use affiliates. Formed in 2022, it was renamed BlackSuit in 2024.[1]

Royal has targeted a wide range of industries, including healthcare, finance, and critical infrastructure. Ransom demands by the group have typically ranged from $1 million to $10 million in Bitcoin.[1]

Targets and negotiations

The group behind Royal ransomware is an experienced and skilled group that employs a combination of old and new techniques. They use callback phishing to trick victims into downloading remote desktop malware, which enables the threat actors to easily infiltrate the victim's machine. Royal is reportedly a private group without any affiliates.[2]

Royal ransomware employs a unique approach to encryption that allows the threat actor to selectively encrypt a specific percentage of data within a file. By lowering the encryption percentage for larger files, the actor speeds up the process and makes the malicious activity harder to detect. In addition to encrypting files, Royal actors also employ a double extortion tactic: they threaten to publicly release the stolen data unless the victim pays the ransom demanded.[3] Additionally, they employ intermittent encryption to speed up the encryption of victims' files while avoiding detection by systems that monitor heavy file I/O operations.[2]
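The partial (intermittent) encryption described above defeats detectors that look only at whole-file entropy, because most of each file stays plaintext. The following added example, which is not from the article or from any vendor tool, shows why a defender's file-integrity check should score entropy per fixed-size window rather than per file. The sample document and the "partially encrypted" copy are constructed in memory (random bytes stand in for ciphertext; nothing is encrypted or written to disk), and the 4096-byte window, the 7.5 bits/byte threshold and the one-in-ten block pattern are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = 4096) -> list:
    """Entropy of each fixed-size window (the final window may be shorter)."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def partially_encrypted_score(data: bytes, chunk_size: int = 4096,
                              threshold: float = 7.5) -> tuple:
    """Return (whole-file entropy, fraction of windows at or above `threshold`).

    A whole-file check alone misses intermittent encryption; the second value
    exposes it, because even a few ciphertext windows stand out individually.
    """
    chunks = chunk_entropies(data, chunk_size)
    high = sum(1 for e in chunks if e >= threshold)
    return shannon_entropy(data), (high / len(chunks) if chunks else 0.0)


def build_plaintext(blocks: int = 100, block: int = 4096) -> bytes:
    """Constructed stand-in for an office document: repetitive, low-entropy text."""
    line = b"Quarterly report: revenue, expenses, and headcount by region.\n"
    return (line * (blocks * block // len(line) + 1))[:blocks * block]


def simulate_intermittent_encryption(plaintext: bytes, every_nth: int = 10,
                                     block: int = 4096, seed: int = 1234) -> bytes:
    """Constructed test sample: replace every `every_nth` block with seeded random
    bytes to mimic a file of which only ~10% was encrypted. This is a detector
    fixture, not an encryptor: the random bytes carry no key and cannot be reversed."""
    rng = random.Random(seed)
    out = bytearray(plaintext)
    for i in range(0, len(out), block):
        if (i // block) % every_nth == 0:
            out[i:i + block] = rng.randbytes(min(block, len(out) - i))
    return bytes(out)


def assess(data: bytes) -> dict:
    """Compare the two detection strategies on one buffer."""
    whole, fraction = partially_encrypted_score(data)
    return {
        "whole_file_entropy": round(whole, 3),
        "high_entropy_window_fraction": round(fraction, 3),
        "flagged_by_whole_file_check": whole >= 7.5,
        "flagged_by_window_check": fraction > 0.0,
    }


if __name__ == "__main__":
    clean = build_plaintext()
    sample = simulate_intermittent_encryption(clean)
    print("clean:  ", assess(clean))
    print("partial:", assess(sample))
```

On the constructed sample the whole-file entropy stays near 5 bits/byte (below any sensible ciphertext threshold), while the per-window fraction reports that one window in ten is indistinguishable from random data. In practice the window size should be tuned to the block granularity a given ransomware family uses, and the per-window result compared against a baseline for the file type, since compressed or media files are high-entropy by nature.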

In addition to making headlines, the Royal ransomware group has demonstrated an ability to adapt quickly to new tactics. They have developed Linux-based variants and expanded their targets to include ESXi servers, which can have a significant impact on victimized enterprise data centers and virtualized storage.[2]

According to Trend Micro's data, the United States has been the primary target of Royal ransomware, followed by Brazil. Most of the victim organizations affected by Royal ransomware were small to medium-sized businesses, with only a small portion being large enterprises.[2]

According to CISA, Royal ransomware attacks have targeted various critical infrastructure sectors, including chemicals, communications, critical manufacturing, dams, the defense industrial base, financial services, emergency services, healthcare, nuclear reactors, waste, and materials sectors.[3][2] As of August 2024, the group had demanded ransom payments totaling about $500 million.[1]

Ransom negotiations and data leaks occur on the dark web, at an onion site in the Tor network.[1][4]

Tactics and indicators of compromise

In 2023, the United States Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly issued an advisory providing information on Royal ransomware's tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations defend against such attacks.[3][2]

To gain initial access to victim networks, Royal actors use various methods. One common method is through phishing emails, which account for about 66.7% of incidents. Victims unknowingly install malware that delivers Royal ransomware after clicking on links or opening malicious PDF documents in these phishing emails. Another method is compromising Remote Desktop Protocol (RDP), which accounts for 13.3% of incidents. Royal actors also exploit vulnerabilities in public-facing applications to gain initial access. There are reports suggesting that Royal actors may also leverage brokers to obtain access by harvesting VPN credentials from stolen logs.[3]

Once inside the network, Royal actors communicate with a command and control (C2) infrastructure and download multiple tools to strengthen their presence. They often repurpose legitimate Windows software to further secure their position within the victim's network. Royal actors have been observed using Chisel, a tunneling tool transported over HTTP and secured via SSH, to communicate with their C2 infrastructure. While multiple Qakbot C2s have been detected in Royal ransomware attacks, it is yet to be determined if Royal ransomware exclusively employs them.[3]

To move laterally across the network, Royal actors frequently use RDP. They have also been known to use Microsoft Sysinternals tool PsExec for this purpose. In some instances, they exploit remote monitoring and management (RMM) software like AnyDesk, LogMeIn, and Atera for persistence within the victim's network. These actors have even escalated their access to the domain controller, where they deactivate antivirus protocols by modifying Group Policy Objects.[3]

During exfiltration, Royal actors repurpose legitimate cyber pentesting tools such as Cobalt Strike, as well as malware tools like Ursnif/Gozi, to aggregate and exfiltrate data from victim networks. It has been noted that their initial hop in exfiltration and other operations often involves a U.S. IP address. Notably, a tool repository used by Royal was identified at IP: 94.232.41[.]105 in December 2022, which included Cobalt Strike.[3]

Before initiating the encryption process, Royal actors employ certain techniques. They use the Windows Restart Manager to check if targeted files are in use or blocked by other applications. Additionally, they use the Windows Volume Shadow Copy service (vssadmin.exe) to delete shadow copies, preventing system recovery. The FBI has discovered numerous batch (.bat) files on impacted systems, typically transferred as an encrypted 7zip file. These batch files create a new admin user, force a group policy update, set relevant registry keys to auto-extract, execute the ransomware, monitor the encryption process, and ultimately delete files upon completion, including Application, System, and Security event logs.[3]
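The pre-encryption steps above (shadow copy deletion with vssadmin.exe, a new admin account, a forced Group Policy update, RMM tooling, PsExec lateral movement, and clearing of the Application, System and Security event logs) all leave process-creation telemetry, which is where a defender can catch the chain before files are touched. The following added example is not from the article, the FBI/CISA advisory, or any SIEM product: it runs simple rules over a constructed process-creation log and prioritizes hosts on which several of these behaviours co-occur. The pipe-delimited log format, host and user names, and the specific commands used for actions the article only names (net user / net localgroup for the admin account, gpupdate /force, wevtutil cl for log clearing) are assumptions; only vssadmin.exe is named by the article itself.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed process-creation records: timestamp|host|user|image|command line.
# Hosts, users and values are invented for the example; they are not real IoCs.
SAMPLE_EVENTS = r"""
2022-12-03T01:12:07Z|FS01|CORP\svc_backup|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2022-12-03T01:12:09Z|FS01|CORP\svc_backup|C:\Windows\System32\net.exe|net user rsupport Pw-constructed /add
2022-12-03T01:12:10Z|FS01|CORP\svc_backup|C:\Windows\System32\net.exe|net localgroup administrators rsupport /add
2022-12-03T01:12:30Z|FS01|CORP\svc_backup|C:\Windows\System32\gpupdate.exe|gpupdate /force
2022-12-03T01:20:44Z|WS17|CORP\jdoe|C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe|AnyDesk.exe --install C:\ProgramData\AnyDesk --silent
2022-12-03T01:25:01Z|DC01|CORP\admin|C:\Tools\PsExec.exe|PsExec.exe \\FS02 -s cmd.exe
2022-12-03T01:40:13Z|FS01|CORP\svc_backup|C:\Windows\System32\wevtutil.exe|wevtutil cl Security
2022-12-03T01:40:14Z|FS01|CORP\svc_backup|C:\Windows\System32\wevtutil.exe|wevtutil cl System
2022-12-03T09:00:00Z|WS02|CORP\asmith|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|WINWORD.EXE /n report.docx
""".strip()

# Each rule is matched against "<image> <command line>", case-insensitively.
# Rule names describe the behaviour from the article; the command syntax is assumed.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("local_admin_account_creation", re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add", re.I)),
    ("local_admin_group_addition", re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add", re.I)),
    ("forced_group_policy_update", re.compile(r"gpupdate(\.exe)?\s+/force", re.I)),
    ("rmm_tool_execution", re.compile(r"anydesk|logmein|atera", re.I)),
    ("psexec_lateral_movement", re.compile(r"psexec", re.I)),
    ("chisel_tunnel", re.compile(r"\bchisel\b", re.I)),
    ("event_log_cleared", re.compile(r"wevtutil(\.exe)?\s+cl\s+(application|system|security)\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    command_line: str


def parse_events(text: str):
    """Yield (timestamp, host, user, image, command line) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split("|", 4)
        if len(parts) == 5:
            yield tuple(p.strip() for p in parts)


def scan_events(text: str) -> list:
    """Apply every rule to every event; one Finding per (event, rule) match."""
    findings = []
    for ts, host, user, image, cmd in parse_events(text):
        haystack = f"{image} {cmd}"
        for name, pattern in RULES:
            if pattern.search(haystack):
                findings.append(Finding(ts, host, user, name, cmd))
    return findings


def hosts_by_rule_count(findings: list) -> dict:
    """Number of distinct rules that fired per host."""
    rules_per_host = defaultdict(set)
    for f in findings:
        rules_per_host[f.host].add(f.rule)
    return {host: len(rules) for host, rules in rules_per_host.items()}


def prioritized_hosts(findings: list, min_rules: int = 2) -> list:
    """Hosts where at least `min_rules` distinct behaviours co-occur, most first.
    A single RMM install or PsExec run is common admin activity; the combination
    of shadow deletion, a new admin account and cleared logs is not."""
    counts = hosts_by_rule_count(findings)
    return sorted((h for h, n in counts.items() if n >= min_rules),
                  key=lambda h: (-counts[h], h))


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.timestamp} {f.host:5} {f.rule:30} {f.command_line}")
    print("prioritize:", prioritized_hosts(found))
```

The rules are deliberately narrow string matches so that each one maps to a sentence in the article; in a real deployment they would be expressed as Sigma or EDR queries against process-creation events, and the single-behaviour rules (RMM tools, PsExec) would be baselined against the organization's legitimate administrative use before alerting on them alone.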
