![]() Royal ransomware has impacted a variety of industries, including small businesses and large corporations alike. Once access is secured, this group uses multiple tools to support the intrusion operation, like the TCP/UDP tunnel Chisel and the Active Directory query tool AdFind, among others. Exposed remote desktop protocol (RDP) accounts.This particular ransomware group has been observed using multiple initial access vectors to secure access into vulnerable systems, such as the following: Royal Twitter account replying to an alert. It’s clear that this group is trying to get attention from multiple organizations through any means necessary. It’s not unusual to see threat actor groups create social media accounts to keep spreading their brand and announcements. In some cases, the threat actor will also reply to those same announcements. The Royal ransomware threat actor has an active Twitter account that was created in October 2022, called “LockerRoyal.” Most of the account content is announcements of compromised victims, tagging the victim’s Twitter account. The Royal group will harass victims until the payment is secured, using techniques such as emailing victims and mass-printing ransom notes. This group has leveraged their leak site to publicly extort victims into paying the ransom, as shown in Figure 1. In fact, in just the first few days of May 2023, the group had already impacted four educational institutions. We observed that they impacted 14 organizations in the education sector, including school districts and universities. Royal also has been one of the ransomware groups disrupting the education industry. Department of Health and Human Services issued a warning about the threat Royal ransomware poses to the healthcare sector in January 2023. They have also impacted eight healthcare organizations since their inception. In a few months in 2022, the group impacted 14 manufacturing organizations, according to their leak site, and then followed up by publicizing claims of attacking 26 additional manufacturing organizations in 2023. Royal also has frequently threatened certain critical infrastructure sectors, such as manufacturing and healthcare. We’ve observed them making demands up to $25 million dollars in BTC. Perhaps due to this experience, the group has already impacted numerous organizations across the globe. This means they have a solid base for carrying out attacks and know what works when extorting victims. The ex-members that formed this group are known as Team One.īecause some of the people behind this threat were part of the development of Ryuk (discovered in 2018), which is the predecessor of Conti, they have many years of experience. It is suspected that this group is made up mainly of former members of the Conti ransomware group, who operate covertly and behind closed doors. Unlike major ransomware groups like LockBit 3.0, which typically operate as a ransomware-as-a-service (RaaS) by hiring affiliates and promoting their RaaS model, we have not observed this particular group using a similar approach. Before their first appearance, this group had been linked to a previous ransomware family named Zeon, starting in January of the same year. The Royal ransomware group was first observed in September 2022, compromising victims and using multi-extortion to pressure victims to pay their fee. The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk. Palo Alto Networks customers receive protections against ransomware used by the Royal ransomware group from Cortex XDR, as well as from the WildFire Cloud-Delivered Security Service for the Next-Generation Firewall. All strings, including the RSA public key and ransom note, are stored as plaintext. The ELF variant is quite similar to the Windows variant, and the sample does not contain any obfuscation. Royal ransomware also expanded their arsenal by developing an ELF variant to impact Linux and ESXi environments. Unit 42 incident responders have participated in 15 cases involving Royal ransomware in the last 9 months. This infection involves dropping a Cobalt Strike Beacon as a precursor to the ransomware execution. The Unit 42 team has observed this group compromising victims through a BATLOADER infection, which threat actors usually spread through search engine optimization (SEO) poisoning. Bucking the popular trend of hiring affiliates to promote their threat as a service, Royal ransomware operates as a private group made up of former members of Conti. Royal ransomware has been involved in high-profile attacks against critical infrastructure, especially healthcare, since it was first observed in September 2022.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |