December 5, 2022 HAWKEYE

Royal Ransomware

Royal has been in existence since at least the beginning of 2022, making it a relatively new operation. The goal of the group and its software is the standard one: infiltrate a victim's environment, encrypt their data, and demand a ransom to decrypt the affected files.

Background

In its ransom note, the group makes clear that it uses the "double extortion" strategy: in addition to encrypting the victim's data, it threatens to publish data stolen from the victim unless a ransom is paid.

Analysis

  • Delivery Mechanism:
    The Royal gang uses targeted callback phishing attacks, posing as software and food delivery companies in emails that look like subscription renewals. These phishing emails include phone numbers the target can call to cancel the fictitious subscription, but the numbers actually belong to a call service contracted by the threat actors.
    Once a victim dials the number, the threat actors use social engineering to persuade the victim to install remote access software, which is then used to gain initial access to the corporate network.
  • Other Initial Access Vectors:
    The threat actors are also inventive in how they get into networks, as evidenced by a case in which they broke into a network by exploiting a vulnerability in a custom web application.
  • Execution:
    Once inside a network, the threat actors follow the same playbook as other human-operated ransomware operations: they deploy Cobalt Strike for persistence, harvest credentials, move laterally through the Windows domain, steal data, and then encrypt the machines with the Royal ransomware.
  • Encryption Technique:
    Royal appears to encrypt files with AES using the OpenSSL library, and the encryptor appends the .royal extension to the names of encrypted files. On virtualization hosts it encrypts the virtual disk files (VMDK) of the targeted virtual machines directly. The ransom notes are then printed on network printers or dropped on the Windows machines the threat actors have encrypted.

IOCs (SHA-256 file hashes and a defanged .onion URL):

2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f
9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926
5fda381a9884f7be2d57b8a290f389578a9d2f63e2ecb98bd773248a7eb99fa2
312f34ee8c7b2199a3e78b4a52bd87700cc8f3aa01aa641e5d899501cb720775
hxxp://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion/%s
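The following Python script is an added example and is not code from the HAWKEYE post or from any Royal tooling. It turns the indicators above into an offline sweep covering both the encryption-technique notes (files renamed with the .royal extension) and the IOC list: it streams every file under a directory through SHA-256 and compares the digest with the published hashes, flags files carrying the .royal extension, and searches small files for the .onion address. The directory tree, file names and file contents it builds are constructed for the demonstration only (the "known-bad" hash added to the watchlist is the hash of an arbitrary constructed file, not of a Royal sample); the four hashes and the onion host are the ones listed above.

```python
"""Offline IOC sweep for the Royal indicators above (added example).

Hashes every regular file under a directory with SHA-256, matches the
digests against the published hashes, flags files with the .royal
extension, and looks for the .onion address inside small text files.
The sample tree built by build_sample_tree() is constructed for this
demo; its contents are arbitrary bytes, not Royal samples.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes from the IOC list above (64 hex characters each).
ROYAL_SHA256 = {
    "2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f",
    "9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926",
    "5fda381a9884f7be2d57b8a290f389578a9d2f63e2ecb98bd773248a7eb99fa2",
    "312f34ee8c7b2199a3e78b4a52bd87700cc8f3aa01aa641e5d899501cb720775",
}

# Onion host from the defanged URL above, with the "%s" suffix removed so
# it can be matched as a plain substring.
ROYAL_ONION = "royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion"

# Extension the encryptor appends to files it has encrypted.
ENCRYPTED_EXT = ".royal"

# Ransom notes are small; only files up to this size are content-scanned.
MAX_NOTE_BYTES = 64 * 1024


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large VMDKs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: Path, watchlist: set) -> dict:
    """Walk root and return sorted relative paths grouped by indicator type."""
    findings = {"hash_hits": [], "royal_ext": [], "onion_refs": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            # Skip symlinks so a planted link cannot drag the sweep elsewhere.
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            if sha256_file(p) in watchlist:
                findings["hash_hits"].append(rel)
            if p.suffix.lower() == ENCRYPTED_EXT:
                findings["royal_ext"].append(rel)
            if p.stat().st_size <= MAX_NOTE_BYTES:
                if ROYAL_ONION.encode() in p.read_bytes():
                    findings["onion_refs"].append(rel)
    for hits in findings.values():
        hits.sort()
    return findings


def build_sample_tree(root: Path) -> Path:
    """Create the constructed demo tree; return the stand-in 'known-bad' file."""
    for sub in ("docs", "tools", "clean"):
        (root / sub).mkdir()
    # Stand-in for a file Royal has already encrypted and renamed.
    (root / "docs" / "report.docx.royal").write_bytes(b"\x00" * 512)
    # Stand-in for a dropped ransom note that references the onion address.
    (root / "docs" / "note.txt").write_text(
        "Constructed sample note. Contact: hxxp://" + ROYAL_ONION + "/\n"
    )
    # Benign file that must not be flagged.
    (root / "clean" / "readme.txt").write_text("nothing to see here\n")
    # Arbitrary bytes standing in for a binary whose hash is on a watchlist.
    sample = root / "tools" / "update.exe"
    sample.write_bytes(b"MZ" + bytes(range(256)) * 16)
    return sample


def run_demo() -> dict:
    """Build the constructed tree in a temp dir, sweep it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample = build_sample_tree(root)
        # Demo only: extend the published list with the constructed sample's
        # hash so the hash-match path is exercised. In production pass
        # ROYAL_SHA256 (or a larger feed) unchanged.
        watchlist = ROYAL_SHA256 | {sha256_file(sample)}
        return sweep(root, watchlist)


if __name__ == "__main__":
    for kind, hits in run_demo().items():
        print(f"{kind}: {hits}")
```

Point sweep() at a mounted evidence image or a file share rather than the demo tree to use it for real; a .royal hit indicates encryption has already run, while a hash hit on a binary that has not yet executed is the case where isolation still buys something.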
