The FBI and CISA have disclosed in a collaborative advisory that the Royal ransomware group has infiltrated the networks of at least 350 organizations globally since September 2022. This updated advisory, which builds upon the original release in March, includes additional insights obtained during FBI investigations. It highlights that the ransomware operation has been associated with over $275 million in ransom demands. The advisory emphasizes that Royal engages in data exfiltration and extortion before encryption, and in cases where the ransom is not paid, the group publishes victim data to a leak site. Notably, phishing emails have been identified as one of the most successful methods for initial access by Royal threat actors.
In March, the FBI and CISA initially shared indicators of compromise and a list of tactics, techniques, and procedures (TTPs) to aid defenders in detecting and thwarting attempts to deploy Royal ransomware payloads on their networks. The joint advisory was issued subsequent to the Department of Health and Human Services (HHS) security team’s revelation in December 2022 that the ransomware operation was responsible for multiple attacks against U.S. healthcare organizations.
The updated advisory gives network defenders additional TTPs and indicators of compromise (IOCs) associated with Royal ransomware variants, identified through FBI threat response activities as recently as June 2023, and encourages defenders to review it and apply the included mitigations. The FBI and CISA recommend implementing the recommendations in the advisory's Mitigations section to reduce the likelihood and impact of ransomware incidents. Organizations should vet or investigate the observed IP addresses before taking action such as blocking, since shared infrastructure can make blanket blocks disruptive. The advisory maps its technical details and guidance to the MITRE ATT&CK® for Enterprise framework, version 13.
Royal to BlackSuit?
The recent advisory update also indicates the potential for a rebranding effort or the emergence of a spinoff variant by Royal, with the BlackSuit ransomware displaying coding characteristics that are shared with Royal. According to a report by BleepingComputer in June, the Royal ransomware group has been experimenting with a new BlackSuit encryptor, which exhibits numerous similarities with the typical encryptor used by the group. Despite initial expectations of a rebranding of the Royal ransomware operation since the emergence of the BlackSuit ransomware in May, this transition did not materialize. As of now, Royal continues to actively target enterprise organizations using BlackSuit in limited attacks.
Given that BlackSuit operates as a distinct entity, it is speculated that Royal might be considering the launch of a subgroup focused on specific types of victims, since rebranding no longer seems viable now that the similarities between the two encryptors have been discovered. Yelisey Bohuslavskiy, Partner and Head of R&D at RedSense, expressed the belief that there may be further developments similar to BlackSuit in the future. However, he told BleepingComputer that both the new loader and the new BlackSuit locker appear to have been unsuccessful experiments.
Connections to the Conti cybercrime group
Royal ransomware is a private operation run by highly skilled threat actors who have previously worked with the infamous Conti cybercrime gang. Although the group was first detected in January 2022, its malicious activities have only intensified since September of the same year. Initially, the group used ransomware encryptors from other operations such as ALPHV/BlackCat, likely to avoid drawing attention, but it has since shifted to deploying its own tools. The group's first encryptor, Zeon, dropped ransom notes similar to those generated by Conti, but it switched to the Royal encryptor after a rebranding in mid-September 2022. More recently, the malware has been upgraded to encrypt Linux devices in attacks targeting VMware ESXi virtual machines.
Royal operators typically infiltrate targets’ networks by exploiting security vulnerabilities in publicly accessible devices, but they are also known for callback phishing attacks. During these attacks, when targets dial the phone numbers embedded in emails cleverly disguised as subscription renewals, the attackers leverage social engineering tactics to trick the victims into installing remote access software, granting them access to the targeted network. The modus operandi of Royal operators involves encrypting their targets’ enterprise systems and demanding substantial ransoms ranging from $250,000 to tens of millions per attack.
Royal ransomware is a highly sophisticated and quickly evolving malware strain behind a lucrative big-game hunting spree of breaches in 2022. The group does not operate as a Ransomware-as-a-Service but is instead a private group without affiliates. It purchases direct access to corporate networks from underground Initial Access Brokers (IABs) and manages the attack campaigns internally. The group frequently employs double extortion tactics: in addition to demanding a ransom for the decryption of encrypted files, it threatens to publish stolen data and demands payment to delete it.