Royal Ransomware Strikes with Seeds from Conti
In September 2022, the Royal ransomware group emerged in cyberspace, rapidly establishing itself as a top-tier cybercrime threat. A report shared by Trend Micro provides insight into the group's attack techniques and their similarities to those of the former Conti ransomware group. Trend Micro also found, "Our investigation into Royal ransomware attacks shows how the group employs a mixture of both old and new techniques, which indicates that it is no newcomer to the ransomware scene. Their use of callback phishing to lure victims into installing remote desktop malware allows them to infiltrate the victim's machine with relative ease." The use of callback phishing is the most prominent link to Conti, an observation shared by other security firms such as Cybereason and Palo Alto Unit42. During the callback phishing routine, victims are lured through urgent emails into calling a phone number linked to a call center, where the representative on the receiving end coerces the victim into installing remote access software or other malicious payloads, giving the threat actor initial access.
In the post-exploitation phase, the operators have often used Cobalt Strike or Qakbot to move laterally through the victim's environment. Royal ransomware operators often use public tools such as AdFind, Netscan, PCHunter, Process Hacker, GMER, and PowerTool to support reconnaissance and defense evasion, including disabling any active security products. Any data discovered during the attack is exfiltrated using RClone. In the final stages of the attack, AdFind is used to identify Active Directory assets for the threat actors to pivot to, and the ransomware is deployed using PsExec. While Royal ransomware only appeared in September 2022, its attack pace has made up for any lost time in 2022, with many victims compromised across multiple countries. It is clear that Royal ransomware is a prominent threat in cyberspace, operated by experienced cybercriminals.
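As an added defender-side illustration (not code from the article or the Trend Micro report), the following Python sketch correlates process-creation events against the tool chain described above, so that a single AdFind run by an administrator is not alerted on but recon, defense-evasion and exfiltration tooling on one host within a short window is. The hostnames, file paths and timestamps in the sample events are constructed for the example.

```python
"""Correlation sketch for the Royal tool chain described above, run over
constructed process-creation events (not real telemetry). One AdFind run may be
admin activity; several attack stages on one host in a short window is not."""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage -> lowercase image/command-line substrings for tools named in the report.
STAGE_MARKERS = {
    "recon": ("adfind", "netscan"),
    "defense_evasion": ("pchunter", "processhacker", "process hacker", "gmer", "powertool"),
    "exfiltration": ("rclone",),
    "deployment": ("psexec", "psexesvc"),
}

def classify_event(event):
    """Map one event to an attack stage, or None (case-insensitive substring match)."""
    haystack = (event["image"] + " " + event["cmdline"]).lower()
    for stage, markers in STAGE_MARKERS.items():
        if any(m in haystack for m in markers):
            return stage
    return None

def correlate(events, window=timedelta(hours=2), min_stages=2):
    """Flag hosts where >= min_stages distinct stages occur within `window`."""
    hits = defaultdict(list)
    for ev in events:
        stage = classify_event(ev)
        if stage:
            hits[ev["host"]].append((ev["ts"], stage))
    findings = {}
    for host, seq in hits.items():
        seq.sort()  # chronological order so first/last hit bound the window
        stages = {s for _, s in seq}
        if len(stages) >= min_stages and seq[-1][0] - seq[0][0] <= window:
            findings[host] = sorted(stages)
    return findings

# Constructed sample events: hypothetical hosts, paths and timestamps.
SAMPLE_EVENTS = [
    {"ts": datetime(2022, 11, 1, 9, 2), "host": "WS01", "image": "C:\\Temp\\AdFind.exe", "cmdline": "AdFind.exe"},
    {"ts": datetime(2022, 11, 1, 9, 40), "host": "WS01", "image": "C:\\Temp\\PowerTool64.exe", "cmdline": "PowerTool64.exe"},
    {"ts": datetime(2022, 11, 1, 10, 15), "host": "WS01", "image": "C:\\Temp\\rclone.exe", "cmdline": "rclone.exe copy"},
    {"ts": datetime(2022, 11, 1, 11, 0), "host": "ADMIN02", "image": "C:\\Tools\\AdFind.exe", "cmdline": "AdFind.exe"},  # lone recon run
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: Royal-style tool chain stages {stages}")
```

Only WS01 is flagged: ADMIN02 shows a single stage, which on its own is indistinguishable from routine administration.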