FBI and CISA release a joint #StopRansomware advisory (AA23-061A) detailing Royal ransomware's operations: initial access mainly via phishing, data exfiltration followed by double extortion, and the group's partial-encryption technique, plus the tools and IOCs observed since approximately September 2022 and guidance for defenders. The advisory covers mitigations, victim counts and ransom amounts, and the possible link to the Blacksuit variant, along with resources for prevention and response.
#RoyalRansomware #Zeon #Qakbot #Blacksuit #Chisel #Tor #FBI #CISA #StopRansomware
Keypoints
- Royal ransomware partially encrypts files (the actor chooses what percentage of each file to encrypt, which speeds up large files and helps evade detection) and practises double extortion, threatening to publish exfiltrated data if the ransom is not paid.
- Initial access is most often phishing (66.7% of incidents in the advisory's sample); RDP (about 13%), exploitation of public-facing applications, and initial access brokers account for the rest.
- Post-access activity includes lateral movement over RDP, with PsExec, and through remote monitoring and management tools (AnyDesk, LogMeIn, Atera), plus defence evasion by modifying Group Policy Objects to disable antivirus.
- Exfiltration combines a legitimate adversary-emulation framework (Cobalt Strike) with commodity malware (Ursnif/Gozi) for data aggregation, and encryption follows exfiltration; the first hop in exfiltration and other operations is usually a US IP address.
- Before encrypting, Royal queries the Windows Restart Manager to learn which files are in use by other applications and deletes volume shadow copies with vssadmin.exe; batch scripts dropped with the payload create a new admin user, force a Group Policy update, set registry keys for auto-extraction, and delete logs after encryption.
- Victims span multiple critical infrastructure sectors: hundreds of known victims worldwide (more than 350 per the November 2023 update, with cumulative demands above 275 million USD) and individual ransom demands of roughly 1 million to 11 million USD in Bitcoin; the ransom note (README.TXT) carries a .onion URL for contacting the actors over Tor.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – "The actors gain initial access through malicious PDF attachments sent via email."
- [T1566.002] Phishing: Spearphishing Link – "The actors gain initial access using malvertising links via emails and public-facing sites."
- [T1190] Exploit Public-Facing Application – "The actors gain initial access through public-facing applications."
- [T1133] External Remote Services – "The actors gain initial access through a variety of RMM software."
- [T1021.001] Remote Services: Remote Desktop Protocol – "The actors used valid accounts to move laterally across a network using RDP."
- [T1078.002] Valid Accounts: Domain Accounts – "The actors used encrypted files to create new admin user accounts."
- [T1562.001] Impair Defenses: Disable or Modify Tools – "The actors deactivated antivirus protocols."
- [T1484.001] Domain Policy Modification: Group Policy Modification – "The actors modified Group Policy Objects to subvert antivirus protocols."
- [T1070.001] Indicator Removal: Clear Windows Event Logs – "The actors deleted shadow files and system and security logs after exfiltration."
- [T1105] Ingress Tool Transfer – "The actors used C2 infrastructure to download multiple tools."
- [T1572] Protocol Tunneling – "The actors used an encrypted SSH tunnel to communicate within C2 infrastructure."
- [T1119] Automated Collection – "The actors used registry keys to auto-extract and collect files."
- [T1486] Data Encrypted for Impact – "The actors encrypted data to determine which files were being used or blocked by other applications."
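The keypoints and the MITRE table above describe a chain of host-level actions (new admin account, forced Group Policy refresh, shadow-copy deletion, event-log clearing, PsExec lateral movement) rather than a single signature. The following Python triage routine is an added example, not code from the FBI/CISA advisory: it runs a small rule set over constructed process-creation events and escalates a host only when several distinct steps of that chain appear on it. The event tuple layout, the regexes and the two-rule threshold are assumptions chosen for the example; the technique IDs follow the advisory's own mapping where the page gives one.

```python
"""Behavioural triage of Windows process-creation events for the Royal
tradecraft summarised above (admin-account creation, forced GPO refresh,
shadow-copy deletion, event-log clearing, PsExec-style lateral movement).

Added example, not code from the FBI/CISA advisory. SAMPLE_EVENTS is
constructed to resemble Sysmon Event ID 1 / Security 4688 fields; the tuple
layout, rule set and escalation threshold are assumptions.
"""
import re
from collections import defaultdict

# (technique ID as the advisory's MITRE table maps it, or None where the page
#  gives no ID; short label; regex over the process command line)
RULES = [
    ("T1070.001", "shadow-copy deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1078.002", "local account creation",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("T1078.002", "account added to Administrators",
     re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("T1484.001", "forced Group Policy refresh",
     re.compile(r"\bgpupdate(?:\.exe)?\s+/force\b", re.I)),
    ("T1070.001", "event-log clearing",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(?:security|system|application)\b", re.I)),
    (None, "PsExec-style remote execution",
     re.compile(r"\bpsexe(?:c|svc)(?:\.exe)?\b", re.I)),
]

# Constructed events: (utc timestamp, host, user, command line). Not from a real incident.
SAMPLE_EVENTS = [
    ("2023-01-12T02:14:03Z", "FS01", r"CORP\svc_backup", r"C:\Windows\System32\cmd.exe /c C:\Temp\1.bat"),
    ("2023-01-12T02:14:04Z", "FS01", r"CORP\svc_backup", r"net user sysadm P@ss1234 /add"),
    ("2023-01-12T02:14:04Z", "FS01", r"CORP\svc_backup", r"net localgroup administrators sysadm /add"),
    ("2023-01-12T02:14:05Z", "FS01", r"CORP\svc_backup", r"gpupdate /force"),
    ("2023-01-12T02:14:09Z", "FS01", r"CORP\svc_backup", r"vssadmin.exe delete shadows /all /quiet"),
    ("2023-01-12T02:58:41Z", "FS01", r"CORP\svc_backup", r"wevtutil cl security"),
    ("2023-01-12T02:58:41Z", "FS01", r"CORP\svc_backup", r"wevtutil cl system"),
    ("2023-01-12T08:03:17Z", "WS114", r"CORP\jdoe", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ("2023-01-12T09:30:00Z", "DC01", r"CORP\itops", r"gpupdate /force"),  # routine admin work, one hit only
]


def match_event(cmdline):
    """Return the (technique, label) pairs whose regex matches this command line."""
    return [(tech, label) for tech, label, rx in RULES if rx.search(cmdline)]


def triage(events, min_distinct_rules=2):
    """Group rule hits per host and escalate hosts that trip at least
    `min_distinct_rules` different rules. A lone gpupdate /force is normal
    administration; the chained pattern the advisory describes is not."""
    per_host = defaultdict(list)
    for ts, host, user, cmd in events:
        for tech, label in match_event(cmd):
            per_host[host].append((ts, user, tech, label, cmd))
    escalated = {}
    for host, hits in per_host.items():
        distinct_labels = {label for _, _, _, label, _ in hits}
        if len(distinct_labels) >= min_distinct_rules:
            escalated[host] = hits
    return escalated


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(f"[!] {host}: {len(hits)} hits")
        for ts, user, tech, label, cmd in hits:
            print(f"    {ts} {user:<16} {tech or '-':<10} {label:<34} {cmd}")
```

Raising `min_distinct_rules` to 1 turns the routine into a plain signature scan, which is noisier (the DC01 Group Policy refresh would then be reported); keeping it at 2 or more keys on the sequence the batch scripts produce.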
Indicators of Compromise
- [IP Address] Royal-associated network indicators – 102.157.44[.]105, 105.158.118[.]241, and 94.232.41[.]105 (the last first listed in December 2022 in the advisory's IOC table).
- [Domain] Malicious domains – sombrat[.]com, gororama[.]com, softeruplive[.]com, altocloudzone[.]live, ciborkumari[.]xyz, myappearinc[.]com, parkerpublic[.]com
- [File extension] Encrypted file extension – .royal
- [File] Ransom note – README.TXT
- [SHA256] Tool and payload hashes – 8a983042278bc5897dbcdd54d1d7e3143f8b7ead553b5a4713e30deffda16375, 8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451
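The indicators above are published defanged (`[.]`), so they have to be refanged before they can be compared with DNS, connection or file telemetry, and domain IOCs should match subdomains but not look-alike suffixes. The Python sweep below is an added example, not code from the advisory: it refangs the IPs, domains and hashes listed on this page and runs them, together with the `.royal` extension and `README.TXT` note name, over a constructed whitespace-separated feed (`timestamp host kind value [sha256]`), which is a layout assumed for the example rather than any real log format.

```python
"""Sweep constructed telemetry for the Royal indicators listed above.

Added example, not code from the FBI/CISA advisory. The defanged IOCs are the
ones on this page; SAMPLE_LOG is a made-up, whitespace-separated feed
(timestamp host kind value [sha256]) chosen for the example, not a real format.
"""
import ipaddress
import re

DEFANGED_IPS = ["102.157.44[.]105", "105.158.118[.]241", "94.232.41[.]105"]
DEFANGED_DOMAINS = [
    "sombrat[.]com", "gororama[.]com", "softeruplive[.]com", "altocloudzone[.]live",
    "ciborkumari[.]xyz", "myappearinc[.]com", "parkerpublic[.]com",
]
SHA256_IOCS = {
    "8a983042278bc5897dbcdd54d1d7e3143f8b7ead553b5a4713e30deffda16375",
    "8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451",
}
RANSOM_NOTE = "README.TXT"
ENCRYPTED_EXT = ".royal"


def refang(ioc: str) -> str:
    """Undo the usual defanging so the indicator can be compared with live data."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {ipaddress.ip_address(refang(ip)) for ip in DEFANGED_IPS}
IOC_DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}


def domain_matches(name: str) -> bool:
    """Exact or subdomain match: cdn.sombrat.com hits, notsombrat.com does not."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def ip_matches(endpoint: str) -> bool:
    """Compare an IPv4 'addr' or 'addr:port' against the IOC set (IPv4 only here)."""
    try:
        return ipaddress.ip_address(endpoint.rsplit(":", 1)[0]) in IOC_IPS
    except ValueError:
        return False


LINE_RE = re.compile(
    r"(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kind>dns|conn|file)\s+(?P<value>\S+)(?:\s+(?P<sha>\S+))?"
)

# Constructed feed for the example; the IOC values are the ones listed above.
SAMPLE_LOG = r"""
2023-01-12T02:10:11Z WS114 dns sombrat.com
2023-01-12T02:10:12Z WS114 conn 94.232.41.105:443
2023-01-12T02:10:13Z WS114 dns update.notsombrat.com
2023-01-12T02:11:00Z WS114 conn 94.232.41.106:443
2023-01-12T02:14:20Z FS01 file C:\Temp\1.exe 8A983042278BC5897DBCDD54D1D7E3143F8B7EAD553B5A4713E30DEFFDA16375
2023-01-12T02:40:00Z FS01 file \\FS01\share\Q4-forecast.xlsx.royal -
2023-01-12T02:40:01Z FS01 file \\FS01\share\README.TXT -
2023-01-12T08:00:00Z WS200 dns login.microsoftonline.com
""".strip().splitlines()


def scan(lines):
    """Return (timestamp, host, indicator_type, matched_value) for every IOC hit."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, kind, value = m["ts"], m["host"], m["kind"], m["value"]
        if kind == "dns" and domain_matches(value):
            hits.append((ts, host, "domain", value))
        elif kind == "conn" and ip_matches(value):
            hits.append((ts, host, "ip", value.rsplit(":", 1)[0]))
        elif kind == "file":
            basename = re.split(r"[\\/]", value)[-1]
            if basename.lower().endswith(ENCRYPTED_EXT):
                hits.append((ts, host, "encrypted-file", value))
            elif basename.upper() == RANSOM_NOTE:
                hits.append((ts, host, "ransom-note", value))
            sha = (m["sha"] or "").lower()  # hashes compared case-insensitively
            if sha in SHA256_IOCS:
                hits.append((ts, host, "sha256", sha))
    return hits


if __name__ == "__main__":
    for ts, host, kind, value in scan(SAMPLE_LOG):
        print(f"{ts} {host:<6} {kind:<15} {value}")
```

Hash and IP hits are the highest-confidence signals here; a `.royal` extension or `README.TXT` on a file share is a strong sign encryption has already started, so those hits should drive containment rather than further triage.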
Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a