CISA Updates Advisory for Royal Ransomware Gang, Which Has Demanded Over $275 Million in Ransom
An updated #StopRansomware advisory from CISA highlights the persistent threat posed by the Royal ransomware group. Since its emergence in September 2022, the group has been tracked to over 350 victims worldwide, with ransom demands totaling more than $275 million. Major sectors, including critical infrastructure, healthcare, government, education, and manufacturing, have all suffered Royal attacks. Since its high-profile attack on the City of Dallas government in early May 2023, however, the group appears to have kept a low profile and is widely suspected of rebranding as 'Blacksuit.' CISA links the two gangs based on coding similarities in their ransomware encryptors and treats Blacksuit as part of this transformation. This assessment echoes initial reports from June 2023 by security researcher Yelisey Bohuslavskiy and Lawrence Abrams of BleepingComputer, with Bohuslavskiy also describing Royal as the 'direct heir of Conti.'
In detailing the group's known tactics, techniques, and procedures (TTPs), the advisory reports a range of initial access methods: phishing, Remote Desktop Protocol (RDP), exploitation of vulnerable public-facing applications, and compromised credentials bought from initial access brokers. Phishing and RDP are cited as the two most common initial access vectors. After gaining a foothold, Royal operators establish communication with their command and control (C2) infrastructure and download the tools needed to advance the intrusion.
Royal's toolkit includes the open-source Chisel tunneling tool, Cobalt Strike, and Qakbot C2 infrastructure (dismantled by law enforcement in August 2023 and currently on hiatus). For lateral movement and persistence, CISA reports that the attackers use RDP, PsExec, and legitimate remote access software, including AnyDesk, LogMeIn, and Atera. Royal runs multiple batch (.bat) scripts to create new admin users, change group policies, modify registry keys, and launch the ransomware encryptor. CISA highlights one confirmed case in which the threat actors used a legitimate admin account to log on remotely to the domain controller; from there, Royal used Group Policy Objects to disable security monitoring and continued the intrusion unimpeded.
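Added example (not from the CISA advisory or this article): a Python sketch of the detection logic a defender could run over exported Windows event records to catch the sequence described above, a remote logon to a domain controller followed by account creation, local-Administrators changes, GPO edits and PsExec service installs. The event IDs are the standard Windows ones (4624, 4720, 4732, 5136, 7045); the sample records, the simplified field names, the "DC" host-naming convention and the 30-minute correlation window are constructed assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry. Field names are simplified
# from the Windows Security (4624/4720/4732/5136) and System (7045) logs.
SAMPLE_EVENTS = [
    {"ts": "2023-11-13T08:00:00", "host": "WS01", "id": 4624, "logon_type": 2,
     "user": "alice"},                                   # benign console logon
    {"ts": "2023-11-13T09:15:00", "host": "DC01", "id": 4624, "logon_type": 10,
     "user": "svc_admin", "src_ip": "10.0.5.23"},        # RDP to the DC with a legitimate admin account
    {"ts": "2023-11-13T09:16:10", "host": "DC01", "id": 4720,
     "user": "svc_admin", "target": "support"},          # .bat script creates a new user
    {"ts": "2023-11-13T09:16:12", "host": "DC01", "id": 4732,
     "user": "svc_admin", "target": "support",
     "group_sid": "S-1-5-32-544"},                       # ...and adds it to Administrators
    {"ts": "2023-11-13T09:20:00", "host": "DC01", "id": 5136,
     "user": "svc_admin", "object_class": "groupPolicyContainer",
     "attribute": "versionNumber"},                      # GPO edited (e.g. to disable monitoring)
    {"ts": "2023-11-13T09:25:00", "host": "FS01", "id": 7045,
     "user": "svc_admin", "service_name": "PSEXESVC"},   # PsExec service installed on a file server
    {"ts": "2023-11-13T14:00:00", "host": "DC01", "id": 5136,
     "user": "bob", "object_class": "groupPolicyContainer",
     "attribute": "gPCFileSysPath"},                     # routine GPO edit, no preceding RDP logon
]

LOCAL_ADMINS_SID = "S-1-5-32-544"     # well-known SID of BUILTIN\Administrators
CHAIN_WINDOW = timedelta(minutes=30)  # assumed correlation window; tune per environment


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def is_rdp_logon_to_dc(e):
    # Logon type 10 = RemoteInteractive (RDP); the "DC" host prefix is an assumed naming convention.
    return e["id"] == 4624 and e.get("logon_type") == 10 and e["host"].startswith("DC")


def is_local_admin_add(e):
    return e["id"] == 4732 and e.get("group_sid") == LOCAL_ADMINS_SID


def is_gpo_change(e):
    return e["id"] == 5136 and e.get("object_class") == "groupPolicyContainer"


def atomic_findings(events):
    """Single-event rules: one (rule, host, user) tuple per matching event, in time order."""
    rules = [
        ("rdp_logon_to_dc", is_rdp_logon_to_dc),
        ("local_user_created", lambda e: e["id"] == 4720),
        ("added_to_local_admins", is_local_admin_add),
        ("gpo_modified", is_gpo_change),
        ("psexec_service_installed",
         lambda e: e["id"] == 7045 and e.get("service_name", "").upper() == "PSEXESVC"),
    ]
    found = []
    for e in sorted(events, key=_ts):
        for name, match in rules:
            if match(e):
                found.append((name, e["host"], e["user"]))
    return found


def chained_findings(events, window=CHAIN_WINDOW):
    """Correlation rule for the sequence CISA describes: an RDP logon to a
    domain controller followed, within `window`, by a GPO modification or a
    local-Administrators change by the same account. An RDP logon on its own,
    or a GPO edit with no preceding RDP logon, is not flagged here."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        rdp_times = [_ts(e) for e in evs if is_rdp_logon_to_dc(e)]
        for e in evs:
            if is_gpo_change(e) or is_local_admin_add(e):
                t = _ts(e)
                if any(timedelta(0) <= t - r <= window for r in rdp_times):
                    hits.append((user, e["id"], e["host"]))
    return hits


if __name__ == "__main__":
    for f in atomic_findings(SAMPLE_EVENTS):
        print("ALERT", *f)
    for h in chained_findings(SAMPLE_EVENTS):
        print("CHAIN", *h)
```

The single-event rules are noisy on their own (administrators do edit GPOs), which is why the chained rule keys on the actor and ordering CISA calls out: the same account arriving over RDP on a domain controller and then touching group policy or the local Administrators group shortly afterwards. Bob's afternoon GPO edit in the sample matches the atomic rule but not the chain.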
Network defenders and organizational leaders are urged to strengthen their security monitoring along the lines set out in CISA's report, which also provides further mitigations and recommendations to bolster an organization's security posture.