"Royal Ransomware Gang Quickly Expands Reign"

The Royal ransomware group has become more active this year, targeting critical infrastructure organizations with a variety of tools. Based on the group's leak site, Palo Alto Networks' Unit 42 reports that it has affected 157 organizations since its inception last year. Royal ransomware has hit businesses of all sizes across different industries; according to its leak site and public reporting agencies, victims include manufacturing and more. The group has been observed using multiple initial access vectors, including callback phishing, Search Engine Optimization (SEO) poisoning, exposed Remote Desktop Protocol (RDP) accounts, and compromised credentials, to gain access to vulnerable systems. After securing access, the group uses multiple tools to support the intrusion, such as the TCP/UDP tunnel Chisel and the Active Directory query tool AdFind. Royal has also compromised victims via BATLOADER infections. BATLOADER downloads additional payloads, such as VidarStealer, Ursnif/ISFB, and Redline Stealer, as well as legitimate system management and Remote Monitoring and Management (RMM) tools. Researchers have observed Royal operators using PowerTool, a piece of software with kernel-level access that is well suited to removing endpoint security software. This article continues to discuss researchers' findings and observations regarding the Royal ransomware gang.

SC Media reports "Royal Ransomware Gang Quickly Expands Reign"