Royal Ransomware uses a unique “partial encryption approach” to evade detection

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have published a joint cybersecurity advisory on Royal ransomware, which has been used in attacks as recently as January 2023.

Royal ransomware is a rapidly evolving and expanding ransomware strain used in recent campaigns. Just last month, Microsoft reported Royal was one of 50 unique active ransomware families used by over 100 threat actors in recent worldwide attacks.

According to the CISA and FBI joint report published on March 2, 2023, Royal ransomware has recently added a unique technique to evade detection:

Royal ransomware uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt. This approach allows the actor to lower the encryption percentage for larger files, which helps evade detection. In addition to encrypting files, Royal actors also engage in double extortion tactics in which they threaten to publicly release the encrypted data if the victim does not pay the ransom.

-CISA and FBI Cybersecurity Advisory
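The reason partial encryption evades detection is that many file-level checks look only at whole-file entropy: if only a small percentage of a large file is ciphertext, the average stays close to plaintext. The following added example (written for this article, not code from the CISA/FBI advisory or from any Royal sample) shows the difference between a whole-file entropy check and a chunk-wise one. The chunk size, the 7.2 bits/byte threshold and the 2% minimum fraction are illustrative assumptions, and the fixture file is constructed: seeded pseudo-random bytes stand in for ciphertext.

```python
import math
import random

CHUNK_SIZE = 4096      # bytes per analysed window (assumed; tune per file type)
HIGH_ENTROPY = 7.2     # bits/byte; ciphertext and compressed data sit near 8.0 (assumed threshold)
MIN_FRACTION = 0.02    # flag when at least 2% of chunks are high-entropy (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size window of the file, in order."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def high_entropy_fraction(data: bytes, chunk_size: int = CHUNK_SIZE,
                          threshold: float = HIGH_ENTROPY) -> float:
    """Share of windows whose entropy reaches the ciphertext-like threshold."""
    ents = chunk_entropies(data, chunk_size)
    if not ents:
        return 0.0
    return sum(1 for e in ents if e >= threshold) / len(ents)


def classify(data: bytes, chunk_size: int = CHUNK_SIZE, threshold: float = HIGH_ENTROPY,
             min_fraction: float = MIN_FRACTION) -> str:
    """Chunk-aware verdict. A mixed profile (some windows ciphertext-like, most not)
    is the signature of partial encryption; a uniformly high profile is more often a
    compressed or media file and needs a comparison with the expected file type."""
    frac = high_entropy_fraction(data, chunk_size, threshold)
    if frac >= 1.0:
        return "uniformly_high_entropy"
    if frac >= min_fraction:
        return "mixed_high_entropy"
    return "low_entropy"


def build_sample(total_chunks: int, encrypted_fraction: float,
                 chunk_size: int = CHUNK_SIZE, seed: int = 7) -> bytes:
    """Constructed fixture: repetitive low-entropy text with the first
    `encrypted_fraction` of windows replaced by seeded pseudo-random bytes
    that stand in for ciphertext (no real encryption is performed)."""
    sentence = b"The quick brown fox jumps over the lazy dog. "
    size = total_chunks * chunk_size
    text = (sentence * (size // len(sentence) + 1))[:size]
    n_enc = round(total_chunks * encrypted_fraction)
    filler = random.Random(seed).randbytes(n_enc * chunk_size)
    return filler + text[n_enc * chunk_size:]


def main() -> None:
    plain = build_sample(100, 0.0)
    partial = build_sample(100, 0.10)   # only 10% of the file is ciphertext-like
    for name, blob in (("plaintext", plain), ("10%-encrypted", partial)):
        whole = shannon_entropy(blob)
        print(f"{name:>14}: whole-file entropy={whole:.2f} "
              f"(naive verdict: {'flag' if whole >= HIGH_ENTROPY else 'pass'}), "
              f"chunk verdict={classify(blob)}")


if __name__ == "__main__":
    main()
```

With the 10%-encrypted fixture the whole-file entropy stays around 5 bits/byte and a naive threshold check passes it, while the chunk-wise check reports a mixed profile. In practice the chunk verdict is a triage signal, not proof: pair it with file-type expectations (a ZIP or JPEG is legitimately high-entropy throughout) and with the behavioural signals the advisory describes, such as antivirus being disabled and bulk outbound transfers before encryption.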

The cybercriminals have also been targeting multiple critical infrastructure sectors such as entities in Manufacturing, Communications, Healthcare and Public Healthcare, and Education.

Recent Royal campaigns

According to the report, threat actors have used a Royal ransomware variant to compromise U.S. and international organizations since approximately September 2022.

The FBI and CISA also described how the variant has evolved:

FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used “Zeon” as a loader. After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems.

-CISA and FBI Cybersecurity Advisory

Moreover, the Royal actors demanded ransoms from their victims in the range of $1 million to $12 million USD in Bitcoin.

The actors typically gain initial access using one of the following methods:

  • Phishing emails used to install malware on victim machines
  • Remote Desktop Protocol (RDP) compromises
  • Exploitation of vulnerabilities in public-facing applications
  • Initial access brokers (who harvest virtual private network (VPN) credentials from stealer logs)

After gaining access, the actors communicate with command and control (C2) infrastructure and download multiple tools used for lateral movement and persistence.

These tools include Chisel (an open source tunneling tool) and the Microsoft Sysinternals PsExec utility, as well as remote monitoring and management (RMM) software such as AnyDesk, LogMeIn, and Atera.

Royal actors also exfiltrate data from their victims' networks by abusing legitimate penetration testing tools, such as Cobalt Strike, and malware, such as Ursnif/Gozi.

Readers can check out more details on encryption methods and indicators of compromise in the full CISA security advisory AA23-061A.
