A comprehensive Cybersecurity Advisory (CSA) has been created and distributed as a result of the collaborative efforts of the FBI and CISA, revealing that the cybercriminals responsible for the Royal ransomware generated up to $11 million in cryptocurrency. The CSA aims to share important information on the Royal ransomware threat, including associated Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) identified by the FBI’s threat response activities in January 2023. The goal is to assist organizations in protecting themselves against this malicious threat. Since around September 2022, a new variant of the Royal ransomware has been used to breach the security of both US-based and foreign organizations. The FBI and CISA suspect that the custom-built file encryption program used by this ransomware variant is an evolved version of earlier iterations that used a loader called “Zeon.”
Action Flow
The Royal ransomware operates by first breaching the network security of targeted organizations and then disabling their antivirus software. As a result, attackers are able to exfiltrate significant amounts of data before deploying the ransomware and encrypting the affected computers. The operators of the Royal ransomware demand payment in Bitcoin from their victims, with ransom amounts ranging from approximately $1 million to $11 million USD depending on the size and sensitivity of the targeted organization’s data. Notably, the perpetrators do not include ransom amounts or payment details in their initial ransom notes. Instead, they establish direct negotiations with victims through a .onion URL after gaining their attention through the ransom note.
Critical Infrastructure Sectors Targeted
The Royal ransomware has specifically aimed at compromising a broad range of critical infrastructure sectors, which include:-
- Manufacturing
- Communications
- Healthcare and Public Healthcare (HPH)
- Education
Technical Analysis
Aside from the primary function of encrypting data, the individuals behind the Royal ransomware have also employed double extortion tactics.
The Royal ransomware operators employ multiple techniques to gain initial access to their target networks, including:-
- Phishing
- Remote Desktop Protocol (RDP)
- Public-facing applications
- Brokers
After successfully penetrating a targeted network, the culprits establish a connection with their command and control (C2) infrastructure, and then proceed to download various tools to execute their attack strategy on the compromised systems.
To strengthen their hold on the targeted network, the attackers exploit valid Windows software, which helps them evade detection by security protocols while also facilitating further compromise of the victim’s network.
Recent findings suggest that the Royal ransomware perpetrators have adopted Chisel as a communication tool with their C2 infrastructure. In their attacks, the operators of the Royal ransomware have utilized several C2 servers that were previously linked to Qakbot malware, but it is unclear whether the Royal ransomware is entirely dependent on the Qakbot infrastructure for its operations.
To extend the compromise, the cybercriminals then move laterally across the network using RDP or remote monitoring and management (RMM) tools such as:-
- AnyDesk
- LogMeIn
- Atera
Afterward, they use pen-testing and malware tools to exfiltrate data from victim networks, such as:-
- Cobalt Strike
- PsExec
- Ursnif
- Gozi
Cobalt Strike is subsequently repurposed for aggregating and exfiltrating data.
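The lateral-movement and exfiltration tooling described above (RMM products, PsExec, Chisel) is mostly legitimate or dual-use software, so the detection signal is not the tool itself but its appearance on hosts and under accounts where it has no business being. The following Python script is an added example that is not part of the advisory or the article; it hunts constructed process-creation events for those tool names, suppresses sanctioned RMM deployments via a per-host allowlist, and raises severity when two or more tool categories show up on the same host. The image names in `TOOL_SIGNATURES`, the host names and the allowlist are all assumptions for illustration.

```python
import json
from collections import defaultdict

# Process image basenames commonly associated with the tools named in the
# advisory. These names are assumptions for illustration: attackers rename
# binaries, so pair this with hash, signer and network checks in practice.
TOOL_SIGNATURES = {
    "anydesk.exe": "rmm:anydesk",
    "logmein.exe": "rmm:logmein",
    "ateraagent.exe": "rmm:atera",
    "psexec.exe": "lateral:psexec",
    "psexesvc.exe": "lateral:psexec-service",
    "chisel.exe": "tunnel:chisel",
}

# Hosts on which a given RMM product is sanctioned (constructed allowlist).
# Unsanctioned RMM use is the signal; the products themselves are legitimate.
RMM_ALLOWLIST = {
    "HELPDESK-01": {"rmm:atera"},
}

# Constructed process-creation events, one JSON object per line, in the shape
# an EDR or Sysmon pipeline might export (ts, host, user, image).
SAMPLE_EVENTS = [
    r'{"ts": "2023-01-14T02:11:05Z", "host": "HELPDESK-01", "user": "CORP\\itops", "image": "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe"}',
    r'{"ts": "2023-01-14T02:13:41Z", "host": "FILESRV-02", "user": "CORP\\svc_backup", "image": "C:\\Users\\Public\\AnyDesk.exe"}',
    r'{"ts": "2023-01-14T02:15:09Z", "host": "FILESRV-02", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\PSEXESVC.exe"}',
    r'{"ts": "2023-01-14T02:20:55Z", "host": "WS-113", "user": "CORP\\jdoe", "image": "C:\\ProgramData\\update\\chisel.exe"}',
    'this line is not JSON and should be skipped',
    r'{"ts": "2023-01-14T02:22:10Z", "host": "WS-113", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\notepad.exe"}',
]


def parse_event(line):
    """Parse one JSON event; return None for malformed or incomplete lines."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not all(k in ev for k in ("ts", "host", "user", "image")):
        return None
    return ev


def classify(ev):
    """Map the image path's basename to a tool label, or None if not of interest."""
    basename = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return TOOL_SIGNATURES.get(basename)


def is_sanctioned(host, label):
    """True if this RMM product is allowlisted for this host."""
    return label in RMM_ALLOWLIST.get(host, set())


def hunt(lines):
    """Return findings for unsanctioned tool executions, with per-host severity."""
    findings = []
    categories_per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        label = classify(ev)
        if label is None or is_sanctioned(ev["host"], label):
            continue
        categories_per_host[ev["host"]].add(label.split(":", 1)[0])
        findings.append({"ts": ev["ts"], "host": ev["host"],
                         "user": ev["user"], "label": label})
    # A host showing tools from two or more categories (e.g. RMM plus PsExec)
    # matches the chained behaviour described in the advisory: escalate it.
    for f in findings:
        f["severity"] = "high" if len(categories_per_host[f["host"]]) >= 2 else "medium"
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['ts']} {f['host']} {f['user']} -> {f['label']}")
```

Against the constructed events, the sanctioned Atera agent on HELPDESK-01 is ignored, FILESRV-02 is escalated to high because both an RMM tool and the PsExec service side ran there, and the lone Chisel execution on WS-113 is reported at medium. In a real environment the allowlist should be generated from the software inventory rather than maintained by hand, and network telemetry for the tunnel (outbound connections from the flagged process) is the natural next pivot.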
During the month of January 2023, the Royal ransomware was reportedly associated with 19 attacks, placing it behind other ransomware families such as:-
- LockBit
- ALPHV
- Vice Society
Recent reports suggest that the Royal ransomware has upgraded its capabilities to target both Windows and Linux environments, indicating that the attackers are adapting and developing their tactics to increase the reach of their attacks.
This increased capability may potentially provide the attackers with a broader range of targets to compromise.
Author: Balaji N