Cybersecurity Snapshots #38 - Royal Ransomware

Royal ransomware emerged in January 2022. Microsoft initially attributed the distribution of Royal ransomware to DEV-0569. Researchers now report that the threat actors behind Royal ransomware have officially branded themselves as Royal. The threat group primarily targets entities within the United States. Researchers noted that the ransomware operation uses unusual techniques to breach networks before encrypting them with malware and demanding ransom payments. Some Royal ransomware campaigns distribute the malware via malicious attachments, and others distribute it via malicious advertisements. Researchers stated that although Royal is a newer ransomware operation, they believe the threat actors behind it are very experienced, based on evidence of previously seen tactics and techniques.

Initially, Royal used BlackCat's encryptor, but then transitioned to using their own Zeon encryptor. Since Royal emerged, the ransomware operators have evolved their delivery methods to include using Google Ads in a campaign to blend in with normal ad traffic, making malicious downloads appear authentic by hosting fake installer files on legitimate-looking software download sites, and using contact forms located on an organization's website to distribute phishing links. These methods have allowed the ransomware operators to reach a greater number of targets and achieve their goal of deploying various post-compromise payloads. Microsoft stated that Royal uses signed binaries and delivers encrypted malware payloads, relying heavily on defense evasion techniques. The group has also continued to use NSudo, an open-source tool, to try to disable antivirus solutions.

When Royal uses malicious links delivered to their targets to obtain initial access, the links are embedded in advertisements, fake forum pages, phishing emails, and blog comments. After the victim clicks, the links lead them to malicious files signed by Royal using a legitimate certificate. The malicious files masquerade as installers or updates for applications such as Zoom or Microsoft Teams. Researchers noted that the victim does not realize that the files are in fact a malware downloader known as BATLOADER. When the victim launches what appears to be a legitimate application, BATLOADER uses MSI Custom Actions to launch malicious PowerShell activity. BATLOADER also uses MSI Custom Actions to run batch scripts that attempt to disable security solutions, leading to the delivery of various encrypted malware payloads. Researchers observed Royal using BATLOADER hosted on attacker-created domains masquerading as software download sites, such as anydeskos.com, and on legitimate repositories, such as OneDrive and GitHub, between August and October 2022.
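The chain described above (an MSI package whose Custom Actions launch PowerShell or a batch script) leaves a recognizable parent/child relationship in process-creation telemetry: msiexec.exe spawning a script host. The following is an added detection example written for this page, not code from the original article or from any of the researchers it cites. It parses constructed Sysmon-style Event ID 1 lines (the sample events, paths and script names are invented for the demonstration) and flags msiexec-to-PowerShell and msiexec-to-cmd.exe-with-.bat spawns.

```python
"""Flag process-creation events in which msiexec.exe spawns PowerShell or a
batch-script interpreter, the pattern the article attributes to BATLOADER's
use of MSI Custom Actions.  All sample events below are constructed."""
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    'EventID=1 ParentImage=C:\\Windows\\System32\\msiexec.exe '
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -File C:\\Users\\Public\\setup.ps1"',
    'EventID=1 ParentImage=C:\\Windows\\System32\\msiexec.exe '
    'Image=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="cmd.exe /c C:\\Users\\Public\\disable_av.bat"',
    # Benign: PowerShell started from the desktop shell, not an installer.
    'EventID=1 ParentImage=C:\\Windows\\explorer.exe '
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -Command Get-Date"',
    # Benign: msiexec spawning its own elevated worker process.
    'EventID=1 ParentImage=C:\\Windows\\System32\\msiexec.exe '
    'Image=C:\\Windows\\System32\\msiexec.exe '
    'CommandLine="msiexec.exe /i C:\\Users\\Public\\ZoomInstaller.msi /qn"',
]

# key=value pairs; a value may be double-quoted and then may contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dict."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a finding label when msiexec spawns a script host, else None."""
    if event.get("EventID") != "1":
        return None
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()
    if parent != "msiexec.exe" or child not in SCRIPT_HOSTS:
        return None
    if child == "cmd.exe" and ".bat" in cmdline:
        return "msiexec spawned cmd.exe running a batch script"
    if child in ("powershell.exe", "pwsh.exe"):
        return "msiexec spawned PowerShell"
    return "msiexec spawned cmd.exe"


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over raw event lines and collect the findings."""
    findings = []
    for line in lines:
        event = parse_event(line)
        label = classify(event)
        if label:
            findings.append({"finding": label,
                             "command_line": event.get("CommandLine", "")})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['finding']}: {f['command_line']}")
```

Legitimate installers also use Custom Actions to run scripts, so in production this rule needs tuning (for example, by the signer or product name of the MSI package) rather than being treated as a high-confidence alert on its own.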

In addition to using installer files, Royal uses file formats such as Virtual Hard Disk (VHD) to impersonate legitimate software for first-stage payloads. The threat actor also uses various infection chains built on PowerShell and batch scripts, ultimately leading to the download of malware payloads such as a legitimate remote management tool used for persistence on the network. The management tool also acts as an access point for the staging and spreading of ransomware. By late October 2022, researchers observed Royal using malicious Google Ads to deliver BATLOADER in what researchers are calling a malvertising campaign. The Google Ads pointed to the legitimate Traffic Distribution System (TDS) Keitaro. According to Microsoft, Keitaro provides capabilities to customize advertising campaigns through ad-traffic tracking and user- or device-based filtering. The researchers noted that the TDS redirects the victim either to a legitimate download site or to a malicious BATLOADER download site. By using Keitaro, Royal can filter traffic and avoid IP ranges of known security sandboxing solutions.

The group's phishing attacks include callback phishing, where they impersonate food delivery and software providers in emails that look like subscription renewals. Researchers noted that the phishing emails contain phone numbers the victim must contact to cancel the "subscription." Once the victim calls the number, they speak to threat actors who use social engineering to convince the victim to install remote access software. This remote access software is used to gain initial access to corporate networks.

Royal is not a ransomware-as-a-service (RaaS) operation with affiliates. Instead, they work with vetted team members. The group is relatively low-key and does not promote its attacks as some other groups do. Their ransom note is named README.TXT and contains a link to a private Tor negotiation page unique to each victim. The negotiation page consists of a chat screen for communication with Royal ransomware operators. Researchers noted that the group will decrypt a few files during negotiation to prove their decryptor works. They will also share file lists of stolen data at times. Their victim site is hosted on the Tor network and includes the victim's name, a link to their website, and a company profile. They will also post samples of exfiltrated files at the start of negotiations with links to the entire data set if negotiations fail.

In September 2022, the operators behind Royal ransomware began ramping up their malicious activities. In November 2022, Royal took responsibility for a ransomware attack on one of the United Kingdom's most popular racing circuits, Silverstone Circuit. The attack held up dozens of Formula One races and motorcycle events. Security researcher Brett Callow at Emsisoft stated that, unlike current ransomware groups, Royal uses multiple ransomware types and uses the .Royal extension for encrypted files rather than using randomly generated extensions. In December 2022, Royal conducted a ransomware attack on the Travis Central Appraisal District. The agency provides appraisal values for properties. As a result of the attack, the agency's servers, website, and email were shut down for more than two weeks. However, because the agency diversified where its information was stored, it was able to continue operations. Also in December 2022, the Department of Health and Human Services Cybersecurity Coordination Center (HC3) warned that Royal-based ransomware attacks were steadily increasing. HC3 noted that ransom demands from Royal ranged from $250,000 to more than $2 million. HC3 also stated that Royal should be considered a threat to the health and public health sectors due to the ransomware group victimizing the healthcare community.
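Two on-disk artifacts reported in this article (the README.TXT ransom note from the earlier paragraph on negotiations, and the fixed .Royal extension Callow describes above) give an incident responder a quick way to scope an encryption event. The following triage script is an added example written for this page, not code from the article or any cited researcher; the directory layout and file contents it builds are constructed placeholders. It walks a tree, counts files carrying the .Royal extension, lists the affected directories, recovers the original file names, and reports which README.TXT notes sit beside encrypted files, since README.TXT is also a common benign file name and should only corroborate, not drive, the finding.

```python
"""Scope a suspected Royal encryption event by the artifacts the article
reports: files renamed with a .Royal extension and README.TXT ransom notes.
The sample tree built by build_sample_tree() is constructed for the demo."""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

ENCRYPTED_EXT = ".royal"   # extension reported for encrypted files
NOTE_NAME = "readme.txt"   # ransom note name reported in the article


def scan_tree(root: str) -> Dict[str, object]:
    """Walk root and summarize .Royal files and README.TXT notes found."""
    encrypted: List[str] = []
    notes: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            full = os.path.join(dirpath, name)
            if lower.endswith(ENCRYPTED_EXT):
                encrypted.append(full)
            elif lower == NOTE_NAME:
                notes.append(full)
    affected_dirs = sorted({os.path.dirname(p) for p in encrypted})
    # A README.TXT only counts as corroborating when it sits in a directory
    # that also holds encrypted files; lone README.TXT files are often benign.
    corroborated = [n for n in notes if os.path.dirname(n) in affected_dirs]
    return {
        "encrypted_count": len(encrypted),
        "note_count": len(notes),
        "corroborated_note_count": len(corroborated),
        "affected_dirs": affected_dirs,
        # Strip the appended extension to recover the original file names.
        "original_names": sorted(
            os.path.basename(p)[:-len(ENCRYPTED_EXT)] for p in encrypted),
    }


def build_sample_tree() -> str:
    """Create a constructed directory tree resembling a partly encrypted share."""
    root = tempfile.mkdtemp(prefix="royal_demo_")
    layout = {
        "finance/q3.xlsx.royal": b"\x00constructed ciphertext",
        "finance/README.TXT": b"constructed ransom note placeholder",
        "finance/notes.txt": b"untouched file",
        "hr/payroll.docx.royal": b"\x00constructed ciphertext",
        "hr/README.TXT": b"constructed ransom note placeholder",
        "README.TXT": b"ordinary project readme, not a ransom note",
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        summary = scan_tree(sample_root)
        print(f"encrypted files: {summary['encrypted_count']}")
        print(f"ransom notes beside encrypted files: "
              f"{summary['corroborated_note_count']} of {summary['note_count']}")
        for d in summary["affected_dirs"]:
            print(f"affected directory: {d}")
    finally:
        shutil.rmtree(sample_root)
```

Because the check keys on a fixed extension, it is specific to the behaviour this article describes; families that use randomly generated extensions need a content- or entropy-based check instead.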

Security researchers warn that organizations should keep an eye out for this group, as they are quickly ramping up operations and will likely become one of the more significant enterprise-targeting ransomware operations in 2023.

Submitted by Anonymous on