The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory on Royal ransomware attacks, which have targeted U.S. and international organizations since September 2022.
The custom ransomware program is believed to have evolved from earlier iterations dubbed Zeon, and is operated by seasoned threat actors who used to be part of the Conti Team One.
After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems.
They use various means of initial access, including call-back phishing, remote desktop protocol, exploitation of public-facing applications, and initial access brokers.
Royal ransom demands vary from $1 million to $11 million, with attacks targeting a variety of critical sectors, including communications, education, healthcare, and manufacturing.
The ransomware uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt, enabling them to lower the encryption percentage for larger files to evade detection.
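To illustrate the evasion point above from the defender's side, the following added example (not code from the advisory or the article) scores a file block by block instead of as a whole: a constructed sample that stands in for a partially encrypted file has only 10% of its blocks replaced with random bytes, which keeps whole-file entropy low while the per-block check still flags exactly those blocks. The 4096-byte block size and the 7.0 bits/byte threshold are assumptions chosen for the demonstration.

```python
import math
import random
from collections import Counter

BLOCK_SIZE = 4096          # assumed block size for per-block scoring
ENCRYPTED_THRESHOLD = 7.0  # assumed bits/byte; ciphertext-like data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def block_entropies(data: bytes, block_size: int = BLOCK_SIZE) -> list[float]:
    """Entropy of every block_size-byte chunk of the file."""
    return [shannon_entropy(data[i:i + block_size])
            for i in range(0, len(data), block_size)]


def encrypted_fraction(data: bytes, block_size: int = BLOCK_SIZE) -> float:
    """Fraction of blocks whose entropy looks like ciphertext or random data."""
    scores = block_entropies(data, block_size)
    if not scores:
        return 0.0
    return sum(s >= ENCRYPTED_THRESHOLD for s in scores) / len(scores)


def make_sample_file(total_blocks: int, hot_blocks: int, seed: int = 7) -> bytes:
    """Constructed input: repetitive text with `hot_blocks` of `total_blocks`
    overwritten by random bytes, a stand-in for a partially encrypted file
    (no real encryption is performed here)."""
    rng = random.Random(seed)
    text = (b"Quarterly revenue report, confidential draft. " * 200)[:BLOCK_SIZE]
    blocks = [bytearray(text) for _ in range(total_blocks)]
    for idx in rng.sample(range(total_blocks), hot_blocks):
        blocks[idx] = bytearray(rng.randbytes(BLOCK_SIZE))
    return b"".join(blocks)


def compare(total_blocks: int = 100, hot_blocks: int = 10) -> tuple[float, float]:
    """Whole-file entropy vs. block-level encrypted fraction for one sample."""
    sample = make_sample_file(total_blocks, hot_blocks)
    return shannon_entropy(sample), encrypted_fraction(sample)


if __name__ == "__main__":
    whole, frac = compare()
    print(f"whole-file entropy: {whole:.2f} bits/byte; blocks flagged: {frac:.0%}")
```

Whole-file entropy stays well under the threshold because 90% of the bytes are plain text, so a detector that scores the file as a single unit misses it, while the per-block score reports the 10% of blocks that were overwritten.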
Intrusions are characterized by the use of Cobalt Strike and PsExec for lateral movement and by reliance on the Windows Volume Shadow Copy Service to delete shadow copies, preventing system recovery.
As of February 2023, Royal ransomware is capable of targeting both Windows and Linux environments and has been linked to 19 attacks in January 2023 alone.