Ransomware, Critical Infrastructure Security, Threat Management

Royal ransomware attacks spreading across critical infrastructure

Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol. 3d rendering.

Critical infrastructure sectors like education, communications, healthcare, and manufacturing are being urged to ramp up defenses, in light of the ongoing spate of Royal ransomware cyberattacks.

A new Cybersecurity and Infrastructure Security Agency alert sheds light on the group’s latest tactics and recommended defense measures to prevent the chance of exploit. The alert contains the most recently observed tactics used by Royal ransomware, identified by the FBI in January.

The CISA intelligence joins an earlier alert from the Department of Health and Human Services, warning the human-operated ransomware attacks are highly targeting the healthcare sector, after a three-month increase in the rate of attacks and ransom demands as high as $2 million.

The latest demands have ranged from about $1 million to $11 million in Bitcoin. Royal threat actors do not, however, include the ransoms as part of the initial ransom note. Instead, victims are required to interact with the actors via a .onion URL.

Network defenders should prioritize patching known and exploited vulnerabilities, reaffirm workforce training around phishing attacks, and enforce multi-factor authentication where possible.

The latest insights detail the actors’ use of a custom-made file encryption program, which appears to have evolved from earlier interactions that relied on Zeon as a loader. Trend Micro research shows it’s likely Royal is a rebrand of Zeon, previously linked to Conti Team One. Each of these groups and variants have highly targeted critical infrastructure entities.

Royal tactics are similar to other ransomware techniques. After gaining a foothold onto the network, the actors disable antivirus software and exfiltrate large amounts of data prior to the ransomware deployment. Data is exfiltrated “by repurposing legitimate cyber pen-testing tools, such as Cobalt Strike, and malware tools and derivatives, such as Ursnif/Gozi.”

Primary access methods include phishing emails with malicious PDF documents, used in the majority of attacks. The second most common attack vector is Remote Desktop Protocol (RDP) compromise, followed by exploiting public-facing applications and the use of brokers to gain initial access and source traffic to harvest virtual private network (VPN) credentials.

Once access is obtained, Royal members use repurposed, legitimate Windows software to strengthen their foothold on the network. Researchers have also observed the group using open-source projects to aid intrusion activities, including Chisel, a tunneling tool.

The FBI has observed multiple Qakbot C2s used in Royal attacks, as well. But officials have not determined whether the group exclusively uses Qakbot C2s.

Royal moves laterally across the network, sometimes relying on PsExec to support lateral movement. The FBI has also seen the group using remote monitoring and management (RMM) software like AnyDesk or LogMeIn to establish persistence on victims’ networks. 

Researchers have also observed the group moving laterally to the domain controller, and in one example, Royal used a legitimate admin account to remotely log on to the domain controller, then deactivated antivirus protocols by modifying Group Policy Objects.

What’s unique about Royal tactics is the use of a partial encryption approach, allowing the attackers to select a specific percentage of data in a file to encrypt in an effort to evade detection. CISA and researchers have also observed the group using double extortion tactics.

The group has also been observed deleting shadow copies to prevent system recovery.

The FBI and CISA encourage critical infrastructure entities to implement the recommended mitigation measures, outlined in great detail in the industry alert to reduce the likelihood and impact of Royal ransomware and other similar threats. The alert also contains a list of known indicators of compromise.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.