On March 2, 2023, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint Cybersecurity Advisory (CSA), #StopRansomware: Royal Ransomware.
We highly encourage everyone in a security role to read the Advisory, as it contains recent and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware.
To further help organizations deal with this highly relevant threat, we’d like to share some of SecurityScorecard’s own research on Royal ransomware.
How does Royal ransomware operate?
Royal ransomware was first observed in September 2022. It has since impacted over 70 organizations worldwide, most of them in the United States and Brazil.
Royal's code and infrastructure are not shared with outside actors, so the group does not operate under the common Ransomware-as-a-Service (RaaS) model in which affiliates rent the malware. Like most current ransomware groups, Royal does practice double extortion: the operators steal data before encrypting it and threaten to delete it or sell it on the dark web if the ransom is not paid. Royal runs a dark web leak site where non-paying victims are published.
Royal primarily targets high-value organizations, including critical infrastructure. The ransomware has affected several critical U.S. sectors, including healthcare and manufacturing. The gang demands large ransoms, ranging from $250,000 to $2 million.
Royal threat actors use social engineering and malicious advertising (malvertising) to gain initial access. The social engineering ranges from phishing emails containing malicious links to elaborate callback phishing, where the email contains no link but instructs the victim to call a phone number; the operator on the call then talks the victim into installing remote access software, which gives the attackers a foothold on the machine.
In October 2022, Microsoft reported that the operators behind Royal (which it tracks as DEV-0569) were using Google Ads to redirect users to a download site serving malicious files disguised as legitimate installers.
SecurityScorecard research on Royal ransomware
SecurityScorecard was the first cybersecurity company to publish a detailed analysis of Royal ransomware. Our analysis was published in November 2022, two months after the malware was first observed by security researchers. The analysis can aid in the detection and mitigation of this threat.
The malware is an unpacked 64-bit executable. Before encrypting anything, it deletes all Volume Shadow Copies by spawning vssadmin.exe (vssadmin.exe delete shadows /all /quiet), which removes the snapshots Windows would otherwise use to restore earlier versions of files. It then encrypts the files it finds on local drives and accessible network shares.
Files are encrypted with AES (via OpenSSL), and the AES key and IV for each file are encrypted with an RSA public key hard-coded in the executable, so only the holder of the matching private key can recover them. Depending on the file's size and the value of the "-ep" command-line parameter, the malware encrypts either the whole file or only part of it; partial encryption lets it process large files quickly while still rendering them unusable. Encrypted files are given the ".royal" extension.
Royal skips specific folders and file extensions, such as .exe, .dll, .bat, and others, so that the system stays bootable and the ransom note can still be read.
A ransom note named "README.txt" is created in every drive.
[Image from our technical analysis showing how the ransom note is created]
The three indicators of compromise (IOCs) from our analysis of the Windows sample are:
- File hash (SHA-256): f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429
- Process spawned: C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
- Ransom note: README.txt
For the full details of our analysis, please read our whitepaper.
Royal ransomware targeting ESXi servers
Another focus for SecurityScorecard researchers was the malicious activity exploiting a VMware ESXi vulnerability. SecurityScorecard released a list of IP addresses communicating with possible targets, which you can find in the appendix of this report. Malicious actors are exploiting an ESXi vulnerability patched in November 2021, so we strongly recommend that everyone update their VMware ESXi software to the latest version and keep ESXi management interfaces off the public internet.
SecurityScorecard's Attack Surface Intelligence (ASI) tool shows how widely ESXi is exposed: it detected some version of it in use at 139,491 IP addresses worldwide.
Royal ransomware was among the groups targeting vulnerable organizations, as noted in research circulating on February 5, 2023. SecurityScorecard published a technical analysis of how Royal encrypts ESXi servers.
The malware first powers off all virtual machines using the esxcli tool, so that their disk files are no longer locked by running VMs and can be encrypted. The malware code includes a list of files that shouldn't be encrypted. The ransomware avoids files whose names contain the following strings: ".royal_u", ".royal_w", ".sf", ".v00", ".b00", "royal_log_", and "readme". These cover its own output, VMFS metadata (.sf) and ESXi boot-bank modules (.v00, .b00), so the host itself keeps booting.
As with the Windows build, files are encrypted with AES, and the AES key and IV are encrypted with the RSA public key hard-coded in the executable. Depending on the file's size and the value of the "-ep" parameter, a file may be only partially encrypted. Encrypted files are given the ".royal_u" extension.
The ransomware calls a function named "prepare_file" for every file to be encrypted.
[Image from our technical analysis showing the call to prepare_file]
The IOCs from our analysis of the ESXi sample are:
- File hash (SHA-256): 06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725
- Processes spawned:
  - esxcli vm process list > list
  - esxcli vm process kill --type=hard --world-id=<World ID>
- Ransom note: readme.txt
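The IOC lists for the Windows and ESXi samples above are easy to turn into detection logic. The script below is an added example, not SecurityScorecard's tooling or anything from the Royal analysis: it scans constructed JSON-lines process-creation and file events for the two published hashes, the vssadmin shadow-copy deletion, the esxcli VM enumeration and hard kill, the ".royal"/".royal_u" extensions, and the ransom-note filename. The log schema, host names, file paths and the world ID in the sample data are assumptions made up for the example. Two practitioner details are built in: command lines are normalised so that en dashes (as in the copy-pasted esxcli lines) still match "--" options, and README.txt is only treated as a strong signal when it sits at a drive root, since the name is common elsewhere.

```python
"""Added detection example for the Royal IOCs listed above (not SecurityScorecard's
own tooling). Scans JSON-lines process-creation and file events from Windows hosts
and ESXi hosts. The log schema, host names, paths and world ID are constructed."""
import json
import re

# SHA-256 hashes named on the page for the Windows and ESXi samples.
ROYAL_SHA256 = {
    "f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429": "Windows sample",
    "06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725": "ESXi sample",
}

# Behavioural indicators: (severity, name, regex over a normalised command line).
# Shadow-copy deletion and hard VM kills are rare in normal admin work; listing
# VM processes is routine, so it is only a weak corroborating signal.
PROCESS_PATTERNS = [
    ("high", "Shadow copy deletion via vssadmin",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("high", "Hard VM kill via esxcli",
     re.compile(r"\besxcli\s+vm\s+process\s+kill\b.*--type=hard\b", re.I)),
    ("low", "VM process enumeration via esxcli",
     re.compile(r"\besxcli\s+vm\s+process\s+list\b", re.I)),
]

ENCRYPTED_EXTENSIONS = (".royal", ".royal_u")    # Windows and ESXi variants
RANSOM_NOTE = "readme.txt"                        # README.txt / readme.txt
NOTE_AT_DRIVE_ROOT = re.compile(r"^[a-z]:\\readme\.txt$", re.I)


def normalise_cmdline(cmd):
    """Collapse whitespace and turn en/em dashes back into '--' so that
    command lines mangled by copy/paste or rich-text logging still match."""
    cmd = cmd.replace("\u2013", "--").replace("\u2014", "--")
    return " ".join(cmd.split())


def scan_event(event):
    """Return a list of (severity, indicator, detail) findings for one event."""
    findings = []
    if event.get("type") == "process":
        cmd = normalise_cmdline(event.get("cmdline", ""))
        for severity, name, pattern in PROCESS_PATTERNS:
            if pattern.search(cmd):
                findings.append((severity, name, cmd))
        digest = event.get("sha256", "").lower()
        if digest in ROYAL_SHA256:
            findings.append(("high", f"Known Royal hash ({ROYAL_SHA256[digest]})", digest))
    elif event.get("type") == "file":
        path = event.get("path", "")
        if path.lower().endswith(ENCRYPTED_EXTENSIONS):
            findings.append(("high", "Royal encrypted-file extension", path))
        if re.split(r"[\\/]", path)[-1].lower() == RANSOM_NOTE:
            if NOTE_AT_DRIVE_ROOT.match(path):
                findings.append(("high", "Ransom note at drive root", path))
            else:  # README.txt is a common legitimate name elsewhere
                findings.append(("low", "Ransom-note filename (weak on its own)", path))
    return findings


def scan_log(lines):
    """Parse JSON-lines events and return one dict per finding."""
    hits = []
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue   # tolerate junk lines rather than abort the scan
        for severity, indicator, detail in scan_event(event):
            hits.append({"line": number, "host": event.get("host", "?"),
                         "severity": severity, "indicator": indicator, "detail": detail})
    return hits


def summarize(hits):
    """Count findings per severity, e.g. {'high': 7, 'low': 2}."""
    counts = {}
    for hit in hits:
        counts[hit["severity"]] = counts.get(hit["severity"], 0) + 1
    return counts


# Constructed sample log: one Windows workstation and one ESXi host (made-up
# hosts, paths and world ID; the hashes are the two from the page).
SAMPLE_LOG = r'''
{"type":"process","host":"ws-17","cmdline":"C:\\Users\\Public\\svc_update.exe","sha256":"f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429"}
{"type":"process","host":"ws-17","cmdline":"C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet","sha256":"0000000000000000000000000000000000000000000000000000000000000000"}
{"type":"process","host":"ws-17","cmdline":"vssadmin list shadows","sha256":"0000000000000000000000000000000000000000000000000000000000000000"}
{"type":"file","host":"ws-17","path":"D:\\Finance\\Q3-forecast.xlsx.royal"}
{"type":"file","host":"ws-17","path":"D:\\README.txt"}
{"type":"file","host":"ws-17","path":"C:\\Projects\\app\\README.txt"}
{"type":"process","host":"esx-02","cmdline":"/tmp/encryptor","sha256":"06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725"}
{"type":"process","host":"esx-02","cmdline":"sh -c 'esxcli vm process list > list'","sha256":"0000000000000000000000000000000000000000000000000000000000000000"}
{"type":"process","host":"esx-02","cmdline":"esxcli vm process kill –type=hard –world-id=2100931","sha256":"0000000000000000000000000000000000000000000000000000000000000000"}
{"type":"file","host":"esx-02","path":"/vmfs/volumes/datastore1/web01/web01-flat.vmdk.royal_u"}
this line is not JSON and is skipped
'''

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"[{hit['severity']:4}] line {hit['line']:2} {hit['host']:6} "
              f"{hit['indicator']}: {hit['detail']}")
```

Running the script against the sample data yields seven high-severity findings and two low-severity ones; the benign "vssadmin list shadows" event and the non-JSON line produce nothing. In a real deployment, feed it Sysmon or EDR process-creation events and file-write telemetry, and treat the hash matches as confirmation while the behavioural matches (shadow-copy deletion, hard VM kills followed by new ".royal_u" files) are what will catch a recompiled sample whose hash has changed.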
For the full details of our analysis, please read our whitepaper.
Protect your organization with SecurityScorecard
SecurityScorecard's threat research and intelligence services could be the competitive advantage organizations need to stay ahead of fast-moving threat actors like the Royal ransomware gang.
For more custom insights from our team, with 100+ years of combined threat research and investigation experience, or for more details on these findings, please contact us to discuss our Cyber Risk Intelligence as a Service (CRIaaS) offering. Our team can provide on-hand support by working with on-site staff. If you've suffered a cyber incident, our Incident Response and Digital Forensics offering can help you quickly identify, investigate, and contain the threat. Speak with an expert today to find out the full scope of our capabilities.