FortiGuard Labs’ Ransomware Roundup analyzes Royal ransomware, detailing its Windows-based encryption, command-line operation, shadow-copy deletion, and ransom workflow via Tor, along with Fortinet protection and defender guidance. It notes the potential for a “double extortion” approach and emphasizes defenses such as up-to-date AV/IPS, phishing awareness, robust backups, and Zero Trust strategies. #RoyalRansomware #Fortinet #FortiGuardLabs #MicrosoftWindows #Tor
Key points
- Royal ransomware is a relatively new operation, active since at least early 2022, with the aim to encrypt data and extort a ransom for decryption.
- There is no single stated infection vector; infection appears to depend on the individual victim.
- The group mentions “double extortion” by threatening to release stolen data in addition to encrypting files, though this claim isn’t definitively proven.
- Ransom notes include a victim-specific ID and a unique Tor page for contact and payment.
- The ransomware is a 64-bit Windows executable written in C++ and is launched via command line with specific arguments.
- It deletes volume shadow copies (VSS) to hinder recovery regardless of the arguments supplied; a third command-line flag (-ep) is present but appears unused.
- OpenSSL is used to encrypt files with AES, and encrypted files receive a .royal extension, with some tests showing partial encryption.
- Fortinet protection includes AV signatures (e.g., W32/PossibleThreat) and guidance on backups, phishing training, and broader security integrations.
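As an added example (not code from the FortiGuard post or from Fortinet), the following Python detector applies two of the behaviours listed above to constructed endpoint events: a burst of files renamed to the ".royal" extension and deletion of volume shadow copies on the same host. The log line format is invented for the example, and the vssadmin command line is an assumed way the shadow copy might be removed; the post only states that it is deleted.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXT = ".royal"  # extension the post reports on encrypted files
BURST_COUNT, BURST_WINDOW = 5, timedelta(seconds=60)  # renames per window that count as a burst

# Constructed sample events, "<ISO timestamp> <host> <kind> <detail>"; the vssadmin
# line is an assumed shadow-copy deletion, the post does not name the method used
SAMPLE_EVENTS = """\
2022-10-03T09:00:01 ws01 RENAME C:\\docs\\q3.xlsx -> C:\\docs\\q3.xlsx.royal
2022-10-03T09:00:02 ws01 RENAME C:\\docs\\plan.docx -> C:\\docs\\plan.docx.royal
2022-10-03T09:00:02 ws01 RENAME C:\\docs\\a.pdf -> C:\\docs\\a.pdf.royal
2022-10-03T09:00:03 ws01 RENAME C:\\docs\\b.pdf -> C:\\docs\\b.pdf.royal
2022-10-03T09:00:04 ws01 RENAME C:\\docs\\c.pptx -> C:\\docs\\c.pptx.royal
2022-10-03T09:00:05 ws01 PROCESS vssadmin.exe delete shadows /all /quiet
2022-10-03T11:15:00 ws02 RENAME C:\\tmp\\draft.docx -> C:\\tmp\\draft_v2.docx
2022-10-03T12:00:00 ws03 RENAME C:\\tmp\\old.txt -> C:\\tmp\\old.txt.royal
"""

def parse_event(line):
    """Split one constructed log line into (timestamp, host, kind, detail)."""
    ts, host, kind, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, kind, detail

def has_burst(times):
    """True if any BURST_COUNT renames fall inside a single BURST_WINDOW."""
    times = sorted(times)
    return any(times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW
               for i in range(len(times) - BURST_COUNT + 1))

def analyze(log_text):
    """Return {host: finding} for every host showing either behaviour."""
    renames, shadow_deleted = defaultdict(list), set()
    for line in filter(None, log_text.splitlines()):
        ts, host, kind, detail = parse_event(line)
        if kind == "RENAME" and detail.partition(" -> ")[2].lower().endswith(RANSOM_EXT):
            renames[host].append(ts)  # new name carries the .royal extension
        elif kind == "PROCESS" and "delete shadows" in detail.lower():
            shadow_deleted.add(host)  # assumed vssadmin pattern (see lead-in)
    findings = {}
    for host in set(renames) | shadow_deleted:
        burst, vss = has_burst(renames[host]), host in shadow_deleted
        findings[host] = {"royal_renames": len(renames[host]), "rename_burst": burst,
                          "shadow_copy_deleted": vss,
                          "severity": "high" if burst and vss else "medium" if burst or vss else "low"}
    return findings

if __name__ == "__main__":
    for host, finding in sorted(analyze(SAMPLE_EVENTS).items()):
        print(host, finding)
```

A single stray ".royal" rename (ws03) is reported at low severity so it can be triaged, while the combination of a rename burst and shadow-copy deletion (ws01) is what the post's description would look like in telemetry.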
MITRE Techniques
- [T1059] Command-Line Interface – The ransomware is launched via command line, suggesting operation after access is gained. ‘The ransomware itself is a 64-bit Windows executable written in C++. It is launched via command line, suggesting that it is designed to be run via an operator after access to an environment is provided through another method.’
- [T1490] Inhibit System Recovery – It deletes the volume shadow copy to hinder recovery. ‘Regardless of whether either of these arguments are provided, the malware goes ahead and deletes the volume shadow copy off the system.’
- [T1486] Data Encrypted for Impact – It encrypts files using OpenSSL AES and renames them with a .royal extension. ‘Royal appears to use the OpenSSL library to encrypt files to the AES standard. Encrypted files are renamed and given a “.royal” file extension.’
Indicators of Compromise
- [SHA256] Royal ransomware file hashes – 2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f, 9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926
- [AV Signature] Fortinet AV signature – W32/PossibleThreat
Read more: https://www.fortinet.com/blog/threat-research/ransomware-roundup-royal-ransomware