Royal ransomware is likely associated with Russian-speaking cybercrime actors
Context: Royal is a ransomware variant first observed in September 2022, used by cybercriminals to conduct ransomware attacks against multiple sectors and organisations worldwide, including Australia. Once they have gained access to a victim’s environment, cybercriminals use this ransomware for the same purposes as other variants: encrypting the victim’s data and extorting a ransom in return for restored access to the sensitive files. This product provides information related to Royal’s background, threat activity, and mitigation advice.
The Australian Cyber Security Centre (ACSC) is providing this information to enable organisations to undertake their own risk assessments and take appropriate actions to secure their systems and networks. The ACSC will only revise and update this document in the event of further significant information coming to light.
- Royal ransomware restricts access to corporate files and systems by encrypting them into a locked and unusable format. Victims receive instructions on how to engage with the threat actors after encryption.
- Royal ransomware threat actors have successfully deployed ransomware on corporate systems in a variety of countries and sectors, including in Australia, where the ACSC is aware of multiple victims.
- Royal ransomware threat actors are known to implement the ‘double extortion’ technique by uploading samples of stolen victim data obtained through the attack and threatening to sell and/or release additional information if their ransom demands are not met.
- Threat actors involved in the deployment of the Royal ransomware use a range of vectors to gain initial access into victim networks, including call-back phishing and exploitation of unpatched vulnerabilities.
First detected in September 2022, Royal ransomware is likely associated with Russian-speaking cybercrime actors. According to open-source reporting, Royal is related to a previous ransomware variant, Zeon. Similarities between Royal and Conti have also been reported; however, it is unclear whether the actors responsible for developing Royal are the same as those linked to Conti. The Royal ransomware group operates independently rather than adopting a Ransomware-as-a-Service (RaaS) model. Royal ransomware threat actors have successfully deployed ransomware against networks worldwide, including in Australia, where the ACSC is aware of multiple victims.
The ACSC is aware of an increase in domestic and global Royal activity in 2022, and use of Royal ransomware has continued into 2023. This includes the targeting of Australian critical infrastructure, notably including an educational institute in 2022. As of 10 January 2023, Royal ransomware threat actors claimed to have compromised at least 70 organisations worldwide.
Tactics, Techniques and Procedures
Threat actors deploying Royal ransomware notably use a technique called call-back phishing, which involves tricking victims into taking an action such as returning a phone call or opening an email attachment. When a victim calls the number from the phishing message, the threat actor uses social engineering to persuade them to install remote access software: a malicious downloader posing as a legitimate application, which gives the threat actor initial access into the victim organisation. Threat actors use a range of other initial access vectors, including:
- Exploiting known vulnerabilities or common security misconfigurations
- Making malicious downloads appear authentic by hosting fake installer files on legitimate software download sites
- Using Google Ads in a campaign to blend in with normal ad traffic
- Using contact forms located on an organisation’s website to distribute phishing links
Royal ransomware threat actors have been observed using well-known malware variants including Bokbot, Qakbot and BATLOADER after gaining access to a system. Threat actors have also been observed using Cobalt Strike for network access and lateral movement.
The Royal ransomware encrypts the network shares found on the local network as well as the local drives. A command-line parameter, “-id”, identifies the victim; the same identifier is also written in the ransom note. Files are encrypted using the OpenSSL AES algorithm, with the key and Initialisation Vector (IV) encrypted using an RSA public key that is hard coded in the ransomware executable. The extension of encrypted files is changed to “.royal”.
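A defender-side check that follows from the encryption behaviour described above, added here as an example and not part of the ACSC advisory: it walks a directory tree, lists files carrying the .royal suffix, recovers the extension each file had before it was renamed, and applies a Shannon entropy test to the first 4 KiB of content to separate genuine AES ciphertext from files that were merely renamed. The sample tree, the file names and the 7.0 bits-per-byte threshold are constructed assumptions for the example, not values from the advisory.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Suffix Royal appends to files it has encrypted (stated in the advisory).
ROYAL_SUFFIX = ".royal"
# Files whose sampled content has at least this many bits of entropy per byte are
# treated as ciphertext. AES output sits close to 8.0; the 7.0 cut-off is an
# assumption chosen for this example, not a figure from the advisory.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: Path, sample_bytes: int = 4096) -> dict:
    """Walk `root` and report every file carrying the .royal suffix.

    Returns a dict with:
      renamed             - sorted list of (relative path, original extension, entropy)
      high_entropy        - how many of those files look encrypted by the entropy test
      original_extensions - Counter of the extensions the renamed files had before
    """
    renamed = []
    ext_counter = Counter()
    high_entropy = 0
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() != ROYAL_SUFFIX:
            continue
        # Strip the appended suffix to recover what the file was called before encryption.
        original_name = path.name[: -len(ROYAL_SUFFIX)]
        original_ext = Path(original_name).suffix.lower() or "<none>"
        with path.open("rb") as fh:
            entropy = shannon_entropy(fh.read(sample_bytes))
        if entropy >= ENTROPY_THRESHOLD:
            high_entropy += 1
        renamed.append((str(path.relative_to(root)), original_ext, round(entropy, 2)))
        ext_counter[original_ext] += 1
    return {
        "renamed": sorted(renamed),
        "high_entropy": high_entropy,
        "original_extensions": ext_counter,
    }


def build_constructed_tree() -> Path:
    """Create a throwaway directory that imitates a partially encrypted file share.

    All names and contents are constructed for this example.
    """
    root = Path(tempfile.mkdtemp(prefix="royal_scan_"))
    (root / "finance").mkdir()
    # Random bytes stand in for AES ciphertext in two 'encrypted' documents.
    (root / "finance" / "q3-report.xlsx.royal").write_bytes(os.urandom(8192))
    (root / "finance" / "contract.pdf.royal").write_bytes(os.urandom(8192))
    # A file that carries the suffix but still has readable content: renamed, not encrypted.
    (root / "notes.txt.royal").write_bytes(b"plain text " * 400)
    # Royal skips executables, so an untouched .exe must not show up in the report.
    (root / "tool.exe").write_bytes(b"MZ" + os.urandom(1024))
    return root


if __name__ == "__main__":
    report = scan_tree(build_constructed_tree())
    for rel_path, ext, ent in report["renamed"]:
        print(f"{rel_path:32} was {ext:6} entropy={ent}")
    print(f"{report['high_entropy']} of {len(report['renamed'])} renamed files look encrypted")
```

The entropy test matters during triage: a file that carries the suffix but still has low entropy was renamed without being encrypted, which can happen when the ransomware was interrupted, and such files can be recovered by simply restoring the original name rather than from backup.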
Other observable Tactics, Techniques and Procedures (TTPs) associated with Royal ransomware activity include but are not limited to:
- Exfiltrating data through RClone to publicly available cloud file-sharing services
- Using software tools such as PCHunter, PowerTool and Process Hacker to disable security-related services running on the system
- Using Virtual Hard Disk (VHD) and PowerShell to install legitimate remote management tools for first-stage payloads and persistence on the network
- Using the PsExec tool to execute the ransomware payload on other systems in the network
- Skipping specific file extensions (.dll, .bat, .royal, or .exe) for encryption
- Deleting all volume shadow copies that contain system backups
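The TTPs listed above map onto process-creation telemetry that most endpoints already collect. The following added example (not code from the ACSC, and using constructed Sysmon-style JSON events with made-up host, user, path and timestamp values) applies one regular-expression rule per TTP and then groups hits by host, so that a host showing several of these behaviours in one batch is surfaced for immediate triage. The rule identifiers, the event field names (ts, host, user, image, cmd, parent) and the two-rule threshold are assumptions for the example.

```python
import json
import re
from collections import defaultdict

# Constructed process-creation events in the shape of Sysmon Event ID 1 shipped as
# JSON-per-line. Hosts, users, paths and timestamps are invented for this example.
SAMPLE_EVENTS = r"""
{"ts":"2023-01-10T03:11:58Z","host":"FS01","user":"CORP\\svc-backup","image":"C:\\Windows\\System32\\vssadmin.exe","cmd":"vssadmin delete shadows /all /quiet","parent":"cmd.exe"}
{"ts":"2023-01-10T03:12:04Z","host":"FS01","user":"CORP\\svc-backup","image":"C:\\Users\\Public\\rclone.exe","cmd":"rclone copy D:\\Finance remote:share --transfers 32","parent":"cmd.exe"}
{"ts":"2023-01-10T03:12:30Z","host":"WS22","user":"CORP\\jsmith","image":"C:\\Temp\\PsExec.exe","cmd":"PsExec.exe \\\\FS02 -s -d C:\\Temp\\update.exe","parent":"cmd.exe"}
{"ts":"2023-01-10T03:13:00Z","host":"WS22","user":"CORP\\jsmith","image":"C:\\Temp\\ProcessHacker.exe","cmd":"ProcessHacker.exe -s","parent":"explorer.exe"}
{"ts":"2023-01-10T03:13:20Z","host":"WS22","user":"CORP\\jsmith","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell -NoProfile -Command Mount-VHD -Path C:\\Users\\jsmith\\Downloads\\invoice.vhd","parent":"cmd.exe"}
{"ts":"2023-01-10T09:00:00Z","host":"WS22","user":"CORP\\jsmith","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","cmd":"EXCEL.EXE C:\\Users\\jsmith\\Documents\\budget.xlsx","parent":"explorer.exe"}
"""

# One rule per TTP from the advisory: (rule id, description, pattern matched against image + command line).
RULES = [
    ("shadow_copy_deletion", "Deleting volume shadow copies",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("rclone_exfil", "Exfiltration with RClone to cloud file-sharing storage",
     re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
    ("psexec_lateral", "Remote execution of a payload with PsExec",
     re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I)),
    ("security_tool_killer", "PCHunter / PowerTool / Process Hacker used against security services",
     re.compile(r"\b(pchunter|powertool|processhacker|process hacker)", re.I)),
    ("vhd_powershell", "PowerShell mounting a VHD to stage a first-stage payload",
     re.compile(r"\b(mount-vhd|mount-diskimage)\b", re.I)),
]


def parse_events(text: str) -> list:
    """Turn JSON-per-line text into event dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a malformed line must not abort the whole batch
    return events


def detect(text: str) -> list:
    """Return one alert dict per (event, rule) pair whose image or command line matches."""
    alerts = []
    for ev in parse_events(text):
        haystack = f"{ev.get('image', '')} {ev.get('cmd', '')}"
        for rule_id, description, pattern in RULES:
            if pattern.search(haystack):
                alerts.append({
                    "ts": ev.get("ts"), "host": ev.get("host"), "user": ev.get("user"),
                    "rule": rule_id, "description": description, "cmd": ev.get("cmd", ""),
                })
    return alerts


def hosts_with_multiple_ttps(alerts: list, min_rules: int = 2) -> dict:
    """Group alerts by host; keep hosts that exhibit at least `min_rules` distinct TTPs.

    A single hit (say, an administrator running vssadmin) may be benign; several
    distinct Royal-associated behaviours on one host in one batch deserve triage.
    """
    by_host = defaultdict(set)
    for alert in alerts:
        by_host[alert["host"]].add(alert["rule"])
    return {host: sorted(rules) for host, rules in by_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['ts']} {a['host']:5} {a['rule']:22} {a['cmd']}")
    for host, rules in hosts_with_multiple_ttps(found).items():
        print(f"TRIAGE {host}: {', '.join(rules)}")
```

Each rule on its own will fire on legitimate administration now and then (backup jobs run vssadmin, sysadmins use PsExec), which is why the per-host grouping is the part worth keeping: the combination of shadow-copy deletion and bulk RClone uploads from a file server, or a security-tool killer alongside a VHD mount on a workstation, is the pattern the advisory describes and is rarely benign.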