The HC3 has released a security advisory concerning Royal ransomware. The human-operated ransomware was first discovered in September 2022. Following infection, the ransomware group is known to demand payment of up to $2 million USD from victims in order to prevent the publication of their sensitive data. There have been reports that Royal ransomware appears to be made up of skilled actors from other groups, as the techniques deployed appear to be the same. While the majority of known ransomware operators have engaged in ransomware-as-a-service, Royal ransomware seems to be a private group without any apparent affiliations, while maintaining financial gain as its aim. The gang does state that it steals information for double-extortion attacks, in which it also exfiltrates sensitive personal information.
According to the HC3, once access is gained to the victim's network, Royal ransomware employs techniques frequently used by other operations. These include deploying Cobalt Strike for persistence, acquiring credentials, and moving laterally throughout the network until finally encrypting the files. Microsoft Security Threat Intelligence said in a blog post from November that it has seen Royal ransomware being distributed by the threat actor DEV-0569. Specifically, the gang has been seen to deploy phishing attacks and to plant malicious links in fake forums and in comments on blogs. Microsoft has also identified numerous malicious Google Ads intended to bypass protections and to deliver malicious installer files from software sites that appear to be legitimate.
The HC3 did note that Royal is a relatively new ransomware family, and so experts are still trying to understand the group's technical specifics and indicators of compromise. Royal ransomware has been shown to primarily target the public and private health sectors within the United States. The analyst note states that in each of the incidents in which the gang gained access to a system, it claimed to have published 100 percent of the victim's personal data. According to the HC3, the following attack vectors frequently associated with ransomware continue to be observed by HC3, in addition to the techniques mentioned previously: phishing, Remote Desktop Protocol compromise and credential abuse, exploitation of vulnerabilities such as those in VPN servers, and exploitation of other known vulnerabilities.