The Royal ransomware gang appears to be gearing up for a new spate of activity that potentially includes a rebrand or spinoff effort, as ransom demands by the fast-moving group since its initial activity in September 2022 have already exceeded $275 million, according to US federal authorities.
A joint advisory by the FBI and CISA on Tuesday indicated that the ransomware group — which operates without affiliates and ruthlessly publishes the data it steals from victims — continues to evolve quickly.
In the year since it emerged, the group has hit more than 350 victims worldwide with no apparent focus on particular regions or industries, demanding between $1 million and $12 million in ransom, the agencies said. Its victims include organizations in critical infrastructure sectors such as manufacturing, communications, education, and healthcare; the healthcare attacks drew the attention of the US Department of Health and Human Services (HHS) security team.
Royal, which many researchers believe emerged from the ashes of the now-defunct Conti group, may be preparing another rebrand, this time as Blacksuit, a ransomware family that surfaced mid-year and showed unusual sophistication from the outset. The move may be a response to increased scrutiny by federal authorities, not only the HHS investigation but also the attention that followed a high-profile attack on the City of Dallas in May, officials said.
“Royal may be preparing for a re-branding effort and/or a spinoff variant,” according to the advisory. “Blacksuit ransomware shares a number of identified coding characteristics similar to Royal.”
New Insights on Royal Ransomware Operations
Overall, the recent federal guidance on Royal — an update to a March advisory by the agencies — sheds new light on the group’s operations as well as its potential next moves.
From its inception, Royal demonstrated a surefootedness and innovation that likely came from its previous affiliation with Conti. The group arrived on the ransomware scene armed with varied ways to deploy ransomware and evade detection, so that it could do significant damage before victims had a chance to respond, researchers said soon after the group was first detected.
The latest intelligence on Royal finds that the group is continuing to employ its original partial-encryption and double-extortion tactics. Analysts also said that by far its most successful mode of compromising a victim’s network is phishing; it has gained initial access to networks via phishing emails in 66.7% of cases, according to the agencies.
“According to open source reporting, victims have unknowingly installed malware that delivers Royal ransomware after receiving phishing emails containing malicious PDF documents and malvertising,” the agencies said.
The second most common entry point, seen in 13.3% of cases, was Remote Desktop Protocol (RDP). In other cases Royal exploited public-facing applications or bought access from initial access brokers, who source it by harvesting virtual private network (VPN) credentials from infostealer logs, the agencies reported.
Once inside a network, the group downloads multiple tools: legitimate Windows software to strengthen its foothold, and Chisel, an open source tunneling tool, to communicate with command-and-control (C2) infrastructure. Royal also routinely uses RDP to move laterally across the network and relies on remote monitoring and management (RMM) software such as AnyDesk, LogMeIn, and Atera for persistence.
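The post-access tooling above (RMM agents for persistence, Chisel for C2 tunneling) is the kind of activity a defender can hunt for in process-creation telemetry. The following is an added example, not code from the advisory or from any vendor: the log format, the sample events, the binary names mapped to each RMM product, and the Chisel argument heuristic are all assumptions constructed for illustration, and the IP address is from a reserved documentation range.

```python
"""Detection sketch for RMM agents used as persistence and Chisel used as a
C2 tunnel.  Added example: the event format, image names, sample events and
the matching heuristics are constructed assumptions, not the advisory's IOCs."""
import re
from dataclasses import dataclass

# Assumed image names for the RMM products named in the advisory.
RMM_IMAGES = {
    "anydesk.exe": "AnyDesk",
    "logmein.exe": "LogMeIn",
    "ateraagent.exe": "Atera",
}

# Chisel's client invocation looks like `chisel client <server> R:<...>`;
# matching the argument shape still fires when the binary has been renamed.
CHISEL_ARGS = re.compile(r"\bclient\s+\S+\s+R:", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    rule: str
    evidence: str


def parse_event(line: str) -> dict:
    """Parse one constructed tab-separated process-creation event."""
    ts, host, user, image, cmdline = line.rstrip("\n").split("\t", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def detect(lines, approved_rmm=frozenset()) -> list:
    """Return findings for RMM products not on the organisation's allowlist
    and for anything that looks like a Chisel client."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        product = RMM_IMAGES.get(image_name)
        if product and product not in approved_rmm:
            findings.append(Finding(ev["host"], f"unapproved RMM: {product}", ev["image"]))
        if "chisel" in image_name or CHISEL_ARGS.search(ev["cmdline"]):
            findings.append(Finding(ev["host"], "chisel tunnel client", ev["cmdline"]))
    return findings


# Constructed sample events: timestamp, host, user, image, command line.
SAMPLE_EVENTS = [
    "2023-11-14T02:13:07Z\tWS-042\tCORP\\jdoe\tC:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe\t\"C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe\"",
    "2023-11-14T02:15:41Z\tWS-042\tCORP\\jdoe\tC:\\Windows\\Temp\\svc.exe\tsvc.exe client 203.0.113.10:8080 R:socks",
    "2023-11-14T02:16:02Z\tWS-042\tNT AUTHORITY\\SYSTEM\tC:\\Windows\\System32\\svchost.exe\tsvchost.exe -k netsvcs",
    "2023-11-14T02:20:30Z\tSRV-01\tNT AUTHORITY\\SYSTEM\tC:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe\t\"C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe\"",
]

if __name__ == "__main__":
    # Atera is treated as the organisation's sanctioned RMM; AnyDesk is not.
    for f in detect(SAMPLE_EVENTS, approved_rmm={"Atera"}):
        print(f"{f.host}: {f.rule} ({f.evidence})")
```

The allowlist matters: an RMM tool is only suspicious relative to what the organisation actually uses, so the rule takes the sanctioned product set as input rather than treating every RMM binary as hostile. The Chisel rule deliberately keys on the command-line shape as well as the file name, because a renamed binary dropped in a temp directory is the common case.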
Evolution of Partial Encryption
Partial encryption, which Royal has used since its inception, remains central to its operations, and the latest variant relies on a custom-made file encryption program. The approach lets the operator choose what percentage of each file's contents to encrypt; lowering that percentage for large files shortens the time to encrypt them and, the agencies note, helps the group evade detection.
The group also continues to practice double extortion: it exfiltrates data before encryption and then threatens to publish the stolen data if its ransom demands aren't met.
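To make the partial-encryption point concrete, here is an added illustration of the technique and of why it blunts entropy-based ransomware detection. It is not Royal's code and not derived from the advisory: the chunk size, the small-file threshold, the even-spacing schedule and the SHA-256 counter keystream are assumptions chosen for demonstration, and the 2 MiB sample "document" is constructed.

```python
"""Partial (intermittent) file encryption and its effect on byte entropy.
Added example: chunk size, size threshold, chunk schedule and the toy
keystream are assumptions, not Royal's actual implementation."""
import hashlib
import math
from collections import Counter

CHUNK = 4096                 # encrypt-or-skip granularity (assumed)
SMALL_FILE = 1024 * 1024     # files at or below this are fully encrypted (assumed)


def encrypted_fraction(size: int, percent: int) -> float:
    """Fraction of a file to encrypt: all of a small file, the operator's
    chosen percentage of a large one (assumed policy)."""
    if size <= SMALL_FILE:
        return 1.0
    return min(max(percent, 0), 100) / 100.0


def keystream(key: bytes, chunk_index: int, length: int) -> bytes:
    """Toy counter-mode keystream derived with SHA-256; stands in for a real
    cipher so the example has no dependencies."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + chunk_index.to_bytes(8, "big") + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


def partial_encrypt(data: bytes, key: bytes, percent: int):
    """XOR evenly spaced chunks with the keystream so that roughly `percent`
    of the bytes change.  Returns (new bytes, encrypted chunk indices).
    Applying it twice with the same key and percent restores the plaintext."""
    n_chunks = -(-len(data) // CHUNK)                    # ceiling division
    n_encrypt = round(n_chunks * encrypted_fraction(len(data), percent))
    out = bytearray(data)
    encrypted = []
    if n_encrypt > 0:
        stride = n_chunks / n_encrypt                    # >= 1, so indices stay distinct
        for k in range(n_encrypt):
            i = int(k * stride)
            start, end = i * CHUNK, min((i + 1) * CHUNK, len(data))
            out[start:end] = xor_bytes(bytes(out[start:end]), keystream(key, i, end - start))
            encrypted.append(i)
    return bytes(out), encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniformly random data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed low-entropy 2 MiB "document" made of repeated text.
SAMPLE = (b"The quick brown fox jumps over the lazy dog. " * 50000)[:2 * 1024 * 1024]
KEY = b"demo-key"


def entropy_report(percent: int):
    """Entropy of SAMPLE before and after encrypting `percent` of it, plus
    the number of chunks actually touched."""
    enc, idx = partial_encrypt(SAMPLE, KEY, percent)
    return shannon_entropy(SAMPLE), shannon_entropy(enc), len(idx)


if __name__ == "__main__":
    for pct in (10, 50, 100):
        before, after, n = entropy_report(pct)
        print(f"{pct:3d}% -> {n} chunks encrypted, entropy {before:.2f} -> {after:.2f} bits/byte")
```

The plaintext sample sits around 4.4 bits per byte. Fully encrypting it drives the whole-file entropy to almost 8, the signal a naive "high entropy after write" detector keys on; encrypting only 10% of the chunks leaves it well under 6, so a file-level entropy threshold never fires even though the document is unusable. Detectors that look at entropy per written block, or at the pattern of many files changing in quick succession, are what remain once the per-file statistic is this diluted.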
“After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems,” according to the advisory.
To carry out this exfiltration, the group repurposes legitimate penetration-testing tools such as Cobalt Strike, along with malware families and their derivatives such as Ursnif/Gozi, to aggregate and exfiltrate data; in observed cases the data was sent first to a US-based IP address, the agencies found.
Avoiding the ‘Royal Treatment’
The federal advisory includes a list of files, programs, and IP addresses associated with Royal ransomware attacks.
To avoid compromise by Royal or other ransomware groups, the FBI and CISA recommend that organizations prioritize remediating known exploited vulnerabilities, making it harder for attackers to exploit existing flaws in their networks.
Given that Royal’s most successful point of entry is through phishing, the feds also recommend employee training to spot and report phishing scams to avoid falling victim to them. Enabling and enforcing multifactor authentication across systems is also an essential defense tactic, according to the agencies.