Royal Ransom surfaced in 2022 as a private group that at first deployed other operators' ransomware strains and has run its own encryptor since September 2022. The Trellix analysis covers the Windows and Linux variants, their encryption workflow (statically linked OpenSSL with embedded RSA public keys), and an anonymized incident-response case that chained an HTML-smuggling phish, Qbot, Cobalt Strike and exfiltration to MEGA cloud storage. #RoyalRansom #HTMLSmuggling #Qbot #CobaltStrike #MEGAsync #ESXi
Keypoints
- Royal Ransom surfaced in 2022 as a private gang that initially used several existing ransomware strains and began deploying its own in September 2022; both a Windows and a Linux variant are described.
- The Windows variant ships a network scanner (SMB on port 445) to reach other hosts, while the Linux variant can shut down ESXi virtual machines so that their disk files are no longer held open while they are encrypted.
- The group shows possible ties to Conti: shared features in the code suggest either operator overlap or adoption of features from that earlier ransomware.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The anonymized incident-response case began with a phishing e-mail carrying an HTML attachment. ‘This e-mail … contained a malicious attachment in the form of a HTML file (HTML smuggling).’
- [T1027.006] Obfuscated Files or Information: HTML Smuggling – The attachment carries the Qbot dropper inside the HTML page itself and assembles it in the browser, so the mail gateway only ever sees an HTML file; the payload is then executed from a mounted drive.
- [T1059.001] Command and Scripting Interpreter: PowerShell – A PowerShell command launches PowerSploit via Cobalt Strike’s service on port 11925. ‘a PowerShell command which launches PowerSploit (a post-exploitation framework) via Cobalt Strike’s service on port 11925.’
- [T1218.010] System Binary Proxy Execution: Regsvr32 – A batch script copies the Qbot DLL from the mounted drive and loads it with regsvr32, e.g. ‘regsvr32.exe "C:\Users\[redacted]\AppData\Roaming\Microsoft\Jmcoiqtmeftnwthu.dll"’. The same regsvr32 command is what the persistence entry re-runs at startup.
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Qbot persists through a Run registry entry that re-launches the regsvr32 command at logon. ‘Qbot persists itself, with the help of Run registry entry, in the startup order.’ Writing that value is the [T1112] Modify Registry step the article also lists.
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – The incident-response case describes a UAC bypass built on a Disk Cleanup race condition. ‘The bypass is based on a race condition in Windows 10’s Disk Cleanup tool.’
- [T1550.002] Use Alternate Authentication Material: Pass the Hash – Lateral movement to a domain controller was performed using Pass-the-Hash. ‘lateral movement to a foothold on the domain controller was performed using Pass-the-Hash.’
- [T1135] Network Share Discovery – The case used additional discovery tooling to enumerate the Active Directory environment. ‘Additional tools to enumerate the active directory network were used, such as AdFind.’ AdFind queries AD objects rather than shares, so [T1087.002] Account Discovery: Domain Account is the closer match for that tool.
- [T1021.002] Remote Services: SMB/Windows Admin Shares – The Windows variant’s built-in network scanner reaches other hosts over SMB on port 445, using ConnectEx with a retry loop, to locate remote hosts and shares. ‘The SMB connection, using port 445, uses a callback to ConnectEx.’
- [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – The MEGAsync client was used to push more than 25 gigabytes of data to MEGA. ‘MEGAsync to exfiltrate more than 25 gigabytes of data.’ This is the only exfiltration channel the case describes; it runs over MEGA’s web service rather than the C2 channel, so T1567.002 (not T1041) is the precise mapping, and the article’s [T1020] Automated Exfiltration tag refers to the same transfer.
- [T1490] Inhibit System Recovery – Shadow copies are deleted by spawning vssadmin with the required arguments before files are encrypted. ‘starting “vssadmin” as a new process, along with the required command-line arguments’.
- [T1543.003] Create or Modify System Process: Windows Service – Listed in the article’s appendix (‘Create or Modify System Process: Windows Service’) together with the related [T1569.002] System Services: Service Execution; the body describes the malware’s interaction with Windows services only in general terms.
- [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – Listed in the article’s appendix; the body does not identify the DLL or binary involved.
- [T1053.005] Scheduled Task/Job: Scheduled Task – Listed in the article’s appendix; the body does not describe the task. The multi-threaded encryption workflow is a throughput design choice and unrelated to task scheduling.
- [T1486] Data Encrypted for Impact – Both variants encrypt files with a statically linked OpenSSL build and RSA public keys embedded in the binary (one per platform, reproduced in the article) instead of the Windows cryptographic API. ‘To avoid the usage of the Windows API’s cryptographic functions, the OpenSSL library is statically linked with the malware.’ The Linux variant can additionally shut ESXi virtual machines down, freeing their disk files for encryption.
Indicators of Compromise
- [File Hash] Windows sample – MD5: AFD5D656A42A746E95926EF07933F054, SHA-1: 04028A0A1D44F81709040C31AF026785209D4343, SHA-256: 9DB958BC5B4A21340CEEEB8C36873AA6BD02A460E688DE56CCBBA945384B1926
- [File Hash] Linux sample – MD5: 219761770AD0A94AC9879A6028BD8E55, SHA-1: 554085B1FEF4B90C8679A9D10A2C758F10563A79, SHA-256: DCE73C3C9C2F0033EA90E6EAF3B43EB037F29C78D2D35A8D0DB9E46E30883626
- [Domain] Tor hidden service referenced in the ransom note – royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion/%s (the ‘%s’ is a format specifier in the note template that the malware fills in at runtime, so the path after the host varies)
- [File Name] readme.txt and readme – ransom note file names dropped by the samples
- [RSA Public Key] Embedded RSA public keys, one each for the Windows and Linux samples (key blocks reproduced in the article)
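A hunting script that turns the techniques and indicators above into something a responder can run against telemetry. This is an added example, not code from the Trellix article: the process-creation records and file metadata in it are constructed (the user name, paths and flags are made up; the DLL name is the one quoted in the case), only the SHA-256 hashes, the onion host and the note file names come from the IoC list, and the T1087.002 tag for AdFind is this example's mapping rather than the article's. The log format is a hypothetical `Key=value|Key=value` line per event.

```python
"""Hunt for the Royal Ransom behaviours and indicators summarised above.

Added example, not code from the Trellix article. The process events and
file metadata below are CONSTRUCTED; only the hashes, the onion host and the
note file names are taken from the IoC list.
"""
import re
from dataclasses import dataclass

# Indicators quoted in the IoC list (lower-case for comparison)
ROYAL_SHA256 = {
    "9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926": "Royal Windows sample",
    "dce73c3c9c2f0033ea90e6eaf3b43eb037f29c78d2d35a8d0db9e46e30883626": "Royal Linux sample",
}
ROYAL_ONION = "royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion"
RANSOM_NOTE_NAMES = {"readme.txt", "readme"}
# The note template ends in "/%s", so match the host followed by whatever the
# malware substitutes for the format specifier.
ONION_RE = re.compile(re.escape(ROYAL_ONION) + r"/\S+")


@dataclass
class ProcEvent:
    image: str          # full path of the executing binary, lower-cased
    cmdline: str
    parent_image: str = ""


# Behavioural rules for the TTPs in the incident-response case.
# The T1087.002 mapping for AdFind is this example's choice, not the article's.
def _regsvr32_from_roaming(e):
    # T1218.010: regsvr32 loading a DLL dropped under AppData\Roaming (Qbot)
    return e.image.endswith("regsvr32.exe") and re.search(
        r"appdata\\roaming\\.*\.dll", e.cmdline, re.I) is not None

def _adfind(e):
    return e.image.endswith("adfind.exe")

def _vssadmin_delete_shadows(e):
    # T1490: shadow-copy deletion ahead of encryption
    return e.image.endswith("vssadmin.exe") and re.search(
        r"delete\s+shadows", e.cmdline, re.I) is not None

def _megasync_client(e):
    # T1567.002: MEGAsync client used to push data to MEGA
    return "megasync" in e.image

RULES = [
    ("T1218.010", "regsvr32 loading a DLL from AppData\\Roaming", _regsvr32_from_roaming),
    ("T1087.002", "AdFind Active Directory enumeration", _adfind),
    ("T1490", "vssadmin shadow copy deletion", _vssadmin_delete_shadows),
    ("T1567.002", "MEGAsync exfiltration client", _megasync_client),
]


def parse_event(line):
    """Parse one constructed 'Key=value|Key=value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcEvent(image=fields.get("Image", "").lower(),
                     cmdline=fields.get("CommandLine", ""),
                     parent_image=fields.get("ParentImage", "").lower())


def scan_events(lines):
    """Return (technique_id, description, raw_line) for every rule that fires."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        hits.extend((tid, desc, line.strip()) for tid, desc, pred in RULES if pred(ev))
    return hits


def check_file(path, sha256, content=b""):
    """Classify a file: known Royal sample hash, or a ransom note carrying the onion URL."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if sha256.lower() in ROYAL_SHA256:
        return "sample:" + ROYAL_SHA256[sha256.lower()]
    if name in RANSOM_NOTE_NAMES and ONION_RE.search(content.decode("utf-8", "replace")):
        return "ransom_note"
    return None


# Constructed process-creation records (user name, paths and flags are made up;
# the DLL name is the one quoted in the case).
SAMPLE_EVENTS = """\
Image=C:\\Windows\\System32\\regsvr32.exe|CommandLine=regsvr32.exe "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Jmcoiqtmeftnwthu.dll"|ParentImage=C:\\Windows\\System32\\cmd.exe
Image=C:\\Temp\\AdFind.exe|CommandLine=adfind.exe -f objectcategory=computer|ParentImage=C:\\Windows\\System32\\cmd.exe
Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin.exe delete shadows /all /quiet|ParentImage=C:\\Users\\alice\\encryptor.exe
Image=C:\\Users\\alice\\AppData\\Local\\MEGAsync\\MEGAsync.exe|CommandLine=MEGAsync.exe|ParentImage=C:\\Windows\\explorer.exe
Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe readme.txt|ParentImage=C:\\Windows\\explorer.exe
"""


def hunt(sample=SAMPLE_EVENTS):
    return scan_events(sample.splitlines())


if __name__ == "__main__":
    for tid, desc, raw in hunt():
        print(f"[{tid}] {desc}: {raw[:90]}")
```

The regsvr32 rule keys on the DLL path rather than the DLL name, since the `Jmcoiqtmeftnwthu.dll` name is specific to one intrusion while loading a DLL from `AppData\Roaming` through regsvr32 is the durable Qbot pattern; the hash check is exact-match only and will not catch a recompiled sample, which is why the behavioural rules are run alongside it.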
Read more: https://www.trellix.com/en-us/about/newsroom/stories/research/a-royal-analysis-of-royal-ransom.html