2022-12-21

The Potency And Proficiency of Royal Ransomware

Category: Ransomware News | Industry: Global | Level: Strategic | Source: Cybereason

The Royal ransomware gang has established itself as a serious threat group since its emergence in the middle of 2022. Many researchers suspected the operators of the group to be former members of the disbanded Conti gang. That the group neither advertises for recruits nor uses the ransomware-as-a-service (RaaS) model demonstrates the confidence and experience Royal operators have in their group. "Multiple reports have noted resemblances between the Royal Ransomware group and Conti, including similarities between the ransom notes each group uses (particularly in Royal’s early stages) and the use of callback phishing attacks." In addition, the use of Windows Restart Manager to identify anything blocking the applications or services the ransomware attempts to encrypt is interesting because it's a technique shared by ransomware groups such as Conti, Babuk, and Lockbit.

Other novel techniques displayed by Royal operators include the use of partial encryption for flexibility and multi-threading to increase encryption speed. Partial encryption isn't a new technique; however, its implementation is unique to Royal ransomware. From Cybereason's analysis, "When a targeted file is being encrypted, the ransomware calculates the percentage to encrypt and divides the file content (encrypted and unencrypted) into equal segments. The fragmentation and possibly low percentage of encrypted file content result in a lower chance of being detected by anti-ransomware solutions." Whilst precise in their ransomware execution, the Royal ransomware group isn't particularly picky in their choice of victims. All industries across all verticals have been targeted, although geographically most of Royal's victims are located in the United States.
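For defenders, the practical consequence of the partial encryption described above is that a whole-file entropy average can stay low while individual segments are fully scrambled. The following is an added example, not code from Cybereason or Anvilogic, that scores a file block by block instead; the block size, threshold, function names and sample data are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter

BLOCK = 4096  # analysis window in bytes (assumed value, not from the report)
HIGH = 7.5    # bits per byte treated as "looks encrypted" (assumed threshold)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess(data: bytes, block: int = BLOCK) -> dict:
    """Classify a file by the entropy of its full blocks, not its average."""
    flags = [shannon_entropy(data[i:i + block]) >= HIGH
             for i in range(0, len(data) - block + 1, block)]
    if not flags:
        return {"verdict": "too-small", "high_fraction": 0.0,
                "transitions": 0, "whole_file": shannon_entropy(data)}
    high_fraction = sum(flags) / len(flags)
    # Count switches between high- and low-entropy blocks along the file.
    transitions = sum(a != b for a, b in zip(flags, flags[1:]))
    if high_fraction == 0:
        verdict = "low-entropy"
    elif transitions >= 2:
        verdict = "intermittent"   # striped pattern: partial encryption suspect
    elif high_fraction >= 0.9:
        verdict = "uniform-high"   # fully encrypted, or simply compressed
    else:
        verdict = "mixed"
    return {"verdict": verdict, "high_fraction": high_fraction,
            "transitions": transitions, "whole_file": shannon_entropy(data)}

def constructed_sample(segments: int = 5) -> bytes:
    """Constructed test data: each 8-block segment is 2 random + 6 text blocks."""
    rng = random.Random(2022)  # fixed seed so the sample is reproducible
    text = b"Quarterly figures, invoice lines and meeting notes.\n" * 600
    out = bytearray()
    for _ in range(segments):
        # Random bytes stand in for ciphertext in this constructed sample.
        out += bytes(rng.getrandbits(8) for _ in range(2 * BLOCK))
        out += text[:6 * BLOCK]
    return bytes(out)

if __name__ == "__main__":
    print(assess(constructed_sample()))
```

On the constructed sample, a quarter of the blocks are high-entropy and the file is flagged as intermittent even though its whole-file entropy stays under the threshold. Compressed formats also produce high-entropy blocks, so a verdict like this is a triage signal to combine with file type and write-rate telemetry.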
