kirill_makarov - Fotolia

Threat researchers dissect anatomy of a Royal ransomware attack

Trellix researchers share the inside track on a Royal ransomware attack that hit one of its customers in late 2022

Trellix researchers have shared the details of a Royal ransomware attack on one of its customers, revealing insight into the tactics, techniques and procedures (TTPs) employed by one of the world’s most active and dangerous ransomware operations.

Royal ransomware was first detected in January of 2022 but the group ramped up its activity from September onwards. It has since become a widespread and dangerous threat and the subject of warnings from US authorities.

According to Trellix’s latest telemetry, so far in 2023 the majority of detections of Royal have been seen in Turkey, but the United States and Ireland have also been heavily victimised. The operation is also actively targeting organisations across Western Europe, Brazil, India, Japan, South Africa, Thailand, the United Arab Emirates and Ukraine. The UK seems to be less targeted at present.

The operation likely includes former members of the Conti cartel, which split amid recriminations almost a year ago, after disgruntled members upset at its declaration of support for Russia’s invasion of Ukraine leaked the gang’s data.

As a result of absorbing these individuals, Royal was able to significantly amp up its own technical abilities. Among other things it switched lockers from BlackCat to Zeon, before developing and deploying its own, which contains some similarities to Conti’s

Perhaps the most notable commonality is Royal’s “chunk-based” encryption, a granular approach to encryption that allows a ransomware operator to encrypt a certain percentage of each file. This means Royal can choose between a faster, yet more insecure, approach to extortion or a slower, yet more secure, approach.

In the first instance, the ransomware operator can carry out their attack more quickly and potentially avoid triggering anti-ransomware products, but the risk inherent is that victim may be able to recover their files more easily themselves or work out what they are missing and thus resist the extortion demand.

In the second scenario, the victim will find it harder, if not impossible, to get their data back, but the files take longer to encrypt and the more involved process risks triggering defence mechanisms.

In a similar fashion to Conti, the gang also sees itself as a professional penetration testing operation running a useful service (albeit an unscheduled and unrequested one).

An example of its current ransom note shared by Trellix highlights this attitude. It reads: “Royal offers you a unique deal. For a modest royalty (got it; got it?) for our pentesting services we will not only provide you with an amazing risk mitigation service, covering you from reputational, legal, financial, regulatory, and insurance risks, but will also provide you with a security review for your systems.

“To put it simply, your files will be decrypted, your data restore [sic] and kept confidential, and your systems will remain secure. Try Royal today and enter the new era of data security! We are looking to hearing from you soon!”

Trellix researchers Alexandre Mundo and Max Kersten wrote in their summing up:“The Royal Ransom is actively used, as highlighted by the incident response case.

“Additionally, the ransomware’s encryption scheme seems to be implemented properly. As such, recent back ups or a decryptor are the only ways to recover lost files. The chunk-based encryption speeds up the encryption process while still ensuring files aren’t recoverable.

“The re-use of features between ransomware groups, such as Royal Ransom and Conti in this alleged case, gives food for thought with regards to gangs collaborating, or gang members joining different – or additional – gangs.

“Bluntly put, the evolution of one gang’s ransomware is bound to influence other ransomware gangs, which affects any organisation that is targeted. As such, it is important to stay on top of changes and improve the security posture where required.”

Case study

The anonymised Royal victim found their systems encrypted in late 2022. The entire process, from initial access by the gang, to the execution of the locker, unfolded over a three-day period.

In this instance, Royal used a simple phishing email to obtain initial access, basing its correspondence on hijacking an existing and previously benign thread, and lacing its interjection with a malicious attachment in the form of an HTML file.

When opened by an employee, the HTML file prompted a notice exploiting Adobe branding to pop-up. This notice told the victim that the file could not be correctly displayed, and to download a file to view it. It also included a password to the archive for the download.

The archive itself contained an ISO image which, when mounted, contained several files, a shortcut (LNK) file, a hidden folder with a decoy, a batch file, and a Qbot payload – Qbot or Qakbot is a banking trojan turned infostealer and frequently tops the most observed malware ‘charts’. The batch scripted coped Qbot to the victim’s temporary folder and executed the payload from the mounted drive.

From here, using the Run registry agency, Qbot established persistency in the startup order and was able to execute every time the compromised machine started.

Approximately four hours later, Cobalt Strike, the red-teaming tool that has become a perennial favourite among cyber criminals, made its appearance and was installed as a service on a domain controller which Royal had compromised using the pass-the-hash technique to move laterally. They also used additional tools, including AdFind, to enumerate the Active Directory (AD) network.

To escalate their privileges at this stage, Royal used a User Account Control (UAC) bypass technique based on a specific race condition in the Windows 10 Disk Cleanup tool in which a dynamic link library (DLL) hijack can lead to arbitrary code execution with heightened privileges.

Royal used these privileges to run a PowerShell command and launch the PowerSploit post-exploitation framework via Cobalt Strike’s service on port 11925. In this case, it downloaded and executed the PowerView module.

With its foothold established, Royal laid low for a day before using the MEGAsync tool – a legitimate tool that enables syncing with MEGA Cloud Drives to download and steal approximately 25 gigabytes of data. A few hours later, they executed the ransomware – notable for its name which was specifically tailored to the victim’s name, demonstrating Royal’s human-operated nature.

The whole process was remarkably quick, according to Mundo and Kersten. They said: “All in all, the quick turnaround from initial infection into a fully compromised environment shows why it is important to be on top of things from a blue team point of view.”

More information on Royal’s current operation, including in-depth technical details, indicators of compromise (IoCs), and a new Yara rule that can be used to detect both the Windows and Linux locker variants, is available from Trellix.

Read more about ransomware

  • While some 2022 ransomware statistics indicate a possible ‘decline’ in activity, threat researchers warn there’s more to the picture than the numbers suggest.
  • WithSecure’s Activity Monitor technology supposedly overcomes the shortcomings of sandbox test environments, and may be able to stop ransomware attacks from ever happening.
  • Veeam Data Platform v12 offers a financial guarantee to customers that can’t restore after ransomware attacks, but the backup supplier is convinced it won’t be making many payouts.

Read more on Hackers and cybercrime prevention