Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks

Royal ransomware is a rebranded variant tied to a Conti Team One splinter group; its operators use callback phishing and a mix of stolen and living-off-the-land tooling to deploy and execute the ransomware. The campaign features rapid encryption using OpenSSL with RSA-encrypted keys, plus extensive discovery, lateral movement, and anti-forensic techniques, with ransom notes and a TOR-linked readme that advertises “pentesting services.” #RoyalRansomware #ContiTeamOne #QakBot #CobaltStrike

Keypoints

  • Royal ransomware is a rebranding of a group previously associated with Conti Team One, reportedly first observed in 2022 and active again from September to December in several attacks, primarily in the US and Brazil.
  • Attack flow includes callback phishing delivering remote access software, using social engineering to lure victims into installation.
  • Infection and installation rely on compiled remote desktop malware with QakBot and Cobalt Strike for lateral movement, plus NetScan for network discovery.
  • During the intrusion, the actors use tools such as PCHunter, GMER, PowerTool, and Process Hacker to disable security-related services and thwart defenses, and exfiltrate data with RClone.
  • Royal encrypts files with AES, protects keys with RSA, appends .royal to encrypted files, and employs a novel intermittent encryption pattern to speed up the process.
  • File and network discovery are used extensively (FindFirstFileW/FindNextFileW; NetShareEnum; ADMIN$/IPC$), with AD discovery via AdFind and RDP enabling via PsExec.
  • Shadow copies are deleted to hinder recovery (vssadmin delete shadows); ransom notes are placed in README.TXT and attackers advertise “pentesting services” on ransom notes or directories.

MITRE Techniques

  • [T1566] Phishing – “External reports mention that the Royal ransomware group uses callback phishing as a means of delivering their ransomware to victims… These phishing attacks contain a number that leads to a service hired by the threat actors. When contacted, they will use social engineering tactics to lure victims into installing remote access software.”
  • [T1021] Remote Services – “They used PsExec to execute the malware… The PsExec commands contain the ID of the victim, along with any argument… and ‘use PsExec to enable the remote desktop protocol (RDP)’.”
  • [T1069.001] Active Directory Discovery – “AdFind to look for active directories.”
  • [T1083] File and Directory Discovery – “It enumerates files and directories for encryption using FindFirstFileW, FindNextFileW, and FindClose APIs.”
  • [T1135] Network Share Discovery – “The ransomware looks for available network shares for network encryption by listing accessible local IPs, then uses NetShareEnum and attempts to connect on ADMIN$ and IPC$ shares.”
  • [T1490] Inhibit System Recovery – “delete shadow copies (Figure 8) through the following command: C:\Windows\System32\vssadmin.exe delete shadows /all /quiet”
  • [T1562.001] Disable Security Tools – “used to disable any security-related services running in the system.”
  • [T1486] Data Encrypted for Impact – “The ransomware encrypts files using AES… RSA-encrypted AES key and IV will be appended on each encrypted file.”
  • [T1567.002] Exfiltration to Cloud Storage – “exfiltrate the victim’s data via the RClone tool.”
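The two most reliably observable steps in the mapping above are the shadow-copy deletion (T1490) and the PsExec-driven execution (T1021). The following detection example is added here and is not code from the Trend Micro report; it runs a pair of rules over a few constructed process-creation events in a hypothetical `time|host|user|image|cmdline` format. The command-line normalization (quote stripping, whitespace collapsing, case-insensitive matching) is there because the report's command may appear with a full path, with quoting, or with mixed case in real telemetry, while a benign `vssadmin list shadows` must not fire. The `PSEXESVC.exe` service name is the one PsExec installs on the target host; the log lines and host names are invented for the example.

```python
"""Added detection example (not from the original report): flag the T1490
shadow-copy deletion and T1021 PsExec execution described in the MITRE mapping.
All log lines below are constructed; the pipe-separated format is an assumption."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed process-creation events: time|host|user|image|cmdline
SAMPLE_LOG = """\
2022-11-03T10:14:02Z|WS01|CORP\\jsmith|C:\\Windows\\System32\\notepad.exe|notepad.exe README.TXT
2022-11-03T10:15:40Z|WS01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\vssadmin.exe|"C:\\Windows\\System32\\vssadmin.exe" delete shadows /all /quiet
2022-11-03T10:15:41Z|WS01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\VSSADMIN.EXE|vssadmin.exe  Delete  Shadows  /All /Quiet
2022-11-03T10:16:05Z|WS01|CORP\\backupsvc|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
2022-11-03T10:20:11Z|DC01|CORP\\admin|C:\\Tools\\PsExec.exe|PsExec.exe \\\\FS02 -s cmd.exe
2022-11-03T10:20:13Z|FS02|NT AUTHORITY\\SYSTEM|C:\\Windows\\PSEXESVC.exe|C:\\Windows\\PSEXESVC.exe
"""

# T1490: vssadmin invoked with both "delete" and "shadows", in any order/case.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
# T1021: PsExec client binary or the PSEXESVC service it drops on the remote host.
PSEXEC_IMAGE = re.compile(r"(?:^|\\)(psexec(?:64)?|psexesvc)\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    technique: str
    host: str
    user: str
    cmdline: str


def parse_line(line: str):
    """Split one pipe-separated event; return None for malformed lines."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("time", "host", "user", "image", "cmdline"), parts))


def normalize(cmdline: str) -> str:
    """Strip quoting and collapse whitespace so regexes match variant spellings."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip()


def detect(log_text: str) -> list[Alert]:
    """Apply both rules to every event and return the alerts in log order."""
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        cmd = normalize(ev["cmdline"])
        if SHADOW_DELETE.search(cmd):
            alerts.append(Alert("T1490", ev["host"], ev["user"], cmd))
        elif PSEXEC_IMAGE.search(ev["image"]):
            alerts.append(Alert("T1021", ev["host"], ev["user"], cmd))
    return alerts


def summarize(alerts: list[Alert]) -> dict[str, int]:
    """Count alerts per technique, e.g. {'T1490': 2, 'T1021': 2}."""
    return dict(Counter(a.technique for a in alerts))


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert.technique}] {alert.host} {alert.user}: {alert.cmdline}")
    print(summarize(detect(SAMPLE_LOG)))
```

In practice the T1490 rule is high-fidelity on workstations, where nothing legitimate deletes all shadow copies quietly, but backup agents on servers can produce similar command lines, so tune by host role or parent process rather than suppressing the rule outright. A T1490 alert that follows T1021 activity on the same host within minutes is the ordering the report describes and is worth escalating as a unit.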

Indicators of Compromise

  • [SHA-256] context – c0063d24f3de4e7b89abf9b690a3d264efc6ab7a626f73ad9f42d6bffe52bce7, fef79160f0ce9aa9dec15c914f2c2b40b2ae1ec2b0e65e414545dbc994afd73d, and 2 more hashes
  • [File name] context – Ransom.Win64.YORAL.SMYXCJCT, Ransom.Win32.YORAL.YXCKB, and 2 more file names
  • [File name] context – README.TXT (ransom note dropped per directory), and 1 more related text file

Read more: https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html