Royal (cyber gang)

Royal is a cybercriminal ransomware organization known for its aggressive targeting, its high ransom demands, and its use of double extortion (where compromised data is not only encrypted, but also exfiltrated). Royal does not use affiliates.

Royal has targeted a wide range of industries, including healthcare, finance, and critical infrastructure. Ransom demands by the group range from $250,000 to over $2 million.

Description
The group behind Royal ransomware is an experienced and skilled group that employs a combination of old and new techniques. They use callback phishing to trick victims into downloading remote desktop malware, which enables the threat actors to easily infiltrate the victim's machine. Royal is reportedly a private group without any affiliates.

Royal ransomware employs a unique approach to encryption allowing the threat actor to selectively encrypt a specific percentage of data within a file. By doing so, the actor can lower the encryption percentage for larger files, making it harder to detect their malicious activities. In addition to encrypting files, Royal actors also employ a double extortion tactic : they threaten to publicly release the encrypted data unless the victim pays the ransom demanded. Additionally, they employ intermittent encryption to speed up the encryption process of victim's files while avoiding detection from systems that monitor heavy file IO operations.

In addition to making headlines, the Royal ransomware group has demonstrated an ability to adapt quickly to new tactics. They have developed Linux-based variants and expanded their targets to include ESXi servers, which can have a significant impact on victimized enterprise data centers and virtualized storage.

Targets
According to Trend Micro's data, the United States has been the primary target of Royal ransomware, Brazil follows. Most of the victim organizations affected by Royal ransomware were small to medium-sized businesses, with only a small portion being large enterprises.

According to a CISA, Royal ransomware attacks have targeted various critical infrastructure sectors, including chemicals, communications, critical manufacturing, dams, defense industrial bases, financial services, emergency services, healthcare, nuclear reactors, waste, and materials sectors.

ATT&CK TTPs
In 2023, the United States Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly issued an advisory providing information on Royal ransomware's tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations defend against such attacks.

To gain initial access to victim networks, Royal actors use various methods. One common method is through phishing emails, which account for about 66.7% of incidents. Victims unknowingly install malware that delivers Royal ransomware after clicking on links or opening malicious PDF documents in these phishing emails. Another method is compromising Remote Desktop Protocol (RDP), which accounts for 13.3% of incidents. Royal actors also exploit vulnerabilities in public-facing applications to gain initial access. There are reports suggesting that Royal actors may also leverage brokers to obtain access by harvesting VPN credentials from stolen logs.

Once inside the network, Royal actors communicate with a command and control (C2) infrastructure and download multiple tools to strengthen their presence. They often repurpose legitimate Windows software to further secure their position within the victim's network. Royal actors have been observed using Chisel, a tunneling tool transported over HTTP and secured via SSH, to communicate with their C2 infrastructure. While multiple Qakbot C2s have been detected in Royal ransomware attacks, it is yet to be determined if Royal ransomware exclusively employs them.

To move laterally across the network, Royal actors frequently use RDP. They have also been known to use Microsoft Sysinternals tool PsExec for this purpose. In some instances, they exploit remote monitoring and management (RMM) software like AnyDesk, LogMeIn, and Atera for persistence within the victim's network. These actors have even escalated their access to the domain controller, where they deactivate antivirus protocols by modifying Group Policy Objects.

During exfiltration, Royal actors repurpose legitimate cyber pentesting tools such as Cobalt Strike, as well as malware tools like Ursnif/Gozi, to aggregate and exfiltrate data from victim networks. It has been noted that their initial hop in exfiltration and other operations often involves a U.S. IP address. Notably, a tool repository used by Royal was identified at IP: 94.232.41[.]105 in December 2022, which included Cobalt Strike.

Before initiating the encryption process, Royal actors employ certain techniques. They use the Windows Restart Manager to check if targeted files are in use or blocked by other applications. Additionally, they use the Windows Volume Shadow Copy service (vssadmin.exe) to delete shadow copies, preventing system recovery. The FBI has discovered numerous batch (.bat) files on impacted systems, typically transferred as an encrypted 7zip file. These batch files create a new admin user, force a group policy update, set relevant registry keys to auto-extract, execute the ransomware, monitor the encryption process, and ultimately delete files upon completion, including Application, System, and Security event logs.

History
The gang has been active since January 2022 and was initially known as "Zeon" before rebranding as "Royal".

In September 2022, it gained attention among cybersecurity researchers after a news site published an article about the group's targeted attack campaigns using callback phishing techniques.

In its early campaigns, Royal ransomware used the encryptor tool called "BlackCat", but later developed its own encryptor that generated ransom notes similar to those of the Conti ransomware group. After the rebranding, they exclusively used the term "Royal" in their ransom notes.

Royal ransomware quickly gained recognition as one of the most prolific ransomware groups in the fourth quarter of 2022, ranking only behind LockBit and BlackCat. According to data from the leak sites of these ransomware groups, Royal accounted for 10.7% of the successful attacks during that three-month period. Its association with the Conti ransomware group may have contributed to its rapid rise in the ransomware landscape.

On December 7, 2022, the United States Department of Health and Human Services (HHS) issued a warning to healthcare organizations about the threats posed by the Royal ransomware. Reports indicate that ransom demands by the group range from $250,000 to over $2 million.

On November 2023, the FBI and the CISA warn that Royal ransomware gang may rebrand as "BlackSuit" after the testing of an encryptor called BlackSuit by the gang.