Warning issued over Royal ransomware

As part of its StopRansomware effort, the Cybersecurity and Infrastructure Security Agency (CISA) has published a Cybersecurity Advisory (CSA) about Royal ransomware.

Royal ransomware is a Ransomware-as-a-service (Raas) that first made an appearance in January 2022. In September of that year, it began calling itself Royal ransomware, and then in November it really made a name for itself by boldly taking the lead in our monthly statistics.

After November, it handed back top place to Lockbit, but has remained one of the top five most prevalent ransomware strains. 

According to the CSA, the group behind Royal:

  • Have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin.
  • Are known to disable anti-virus software on the affected systems.
  • Have targeted numerous critical infrastructure sectors including manufacturing, communications, healthcare, and education.
  • Steal data from infiltrated networks which they threaten to publicize on their leak site to increase the leverage on the victim.
Royal ransomware leak site

The Initial Access Brokers that cater to Royal are reported to gain initial access and source traffic by harvesting virtual private network (VPN) credentials from stealer logs. Other methods that are used to gain initial access to victim networks are:

  • Phishing, by using emails containing malicious PDF documents, and malvertising
  • Remote Desktop Protocol (RDP), by using compromised or brute forcing login credentials
  • Exploiting public-facing applications. This could be through websites or other applications with internet accessible open sockets by exploiting known vulnerabilities or common security misconfigurations.

For those interested, the CSA contains a wealth of Indicators of Compromise (IOCs) and techniques used by Royal to gain persistence and for lateral movement.