#StopRansomware Headlines Royal Ransomware

  |  Source: 
Critical Infrastructure

#StopRansomware Headlines Royal Ransomware

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) provided insight into Royal ransomware activity since the groups, emergence in September 2022. Royal has targeted various verticals, including critical infrastructure organizations, communications, education, healthcare, education, and manufacturing. They utilize the same common initial access opportunities from phishing, RDP (remote desktop protocol), vulnerable public-facing applications, and valid accounts obtained from brokers. Once the operators establish a foothold on the network, they typically initiate command and control (C2) with remote access software or a tunneling tool. Connections have been observed between Qakbot C2 infrastructure and Royal ransomware attacks. With access to the infected network, actions typically followed could include tampering with system configurations to lower defenses, executing a malicious batch script delivered through an encrypted archive file to create a new user account, modify group policies, and registry settings. The Royal ransomware gang often employs a double extortion tactic used to gather data on the victim host and exfiltrate it. As observed by CISA and third-party reporting "Royal actors’ first hop in exfiltration and other operations is usually a U.S. IP address." The Royal ransomware encryptor makes use of partial encryption, which enables the attacker to select a specific proportion of data to encrypt within a file. By utilizing this technique, the actor can reduce the encryption percentage for more massive files to increase encryption speed and avoid detection.

Get trending threats published weekly by the Anvilogic team.

Sign Up Now