{"id":88651,"date":"2023-04-04T09:00:00","date_gmt":"2023-04-04T09:00:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/?p=88651"},"modified":"2023-04-04T09:00:00","modified_gmt":"2023-04-04T09:00:00","slug":"threat-researchers-dissect-anatomy-of-a-royal-ransomware-attack","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=88651","title":{"rendered":"Threat researchers dissect anatomy of a Royal ransomware attack"},"content":{"rendered":"<div><img decoding=\"async\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/04\/threat-researchers-dissect-anatomy-of-a-royal-ransomware-attack.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>Trellix researchers have shared the details of a <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/252528326\/Cybereason-warns-of-rapid-increase-in-Royal-ransomware\">Royal ransomware<\/a> attack on one of its customers, revealing insight into the tactics, techniques and procedures (TTPs) employed by one of the world\u2019s most active and dangerous ransomware operations.<\/p>\n<p>Royal ransomware was first detected in January of 2022 but the group ramped up its activity from September onwards. It has since become a widespread and dangerous threat&nbsp;<a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fbi-and-cisa-warn-of-increasing-royal-ransomware-attack-risks\/\">and the subject of warnings from US authorities<\/a>.<\/p>\n<p>According to Trellix\u2019s latest telemetry, so far in 2023 the majority of detections of Royal have been seen in Turkey, but the United States and Ireland have also been heavily victimised. The operation is also actively targeting organisations across Western Europe, Brazil, India, Japan, South Africa, Thailand, the United Arab Emirates and Ukraine. 
The UK seems to be less targeted at present.<\/p>\n<p>The operation likely includes former members of the Conti cartel, which split amid recriminations <a href=\"https:\/\/www.computerweekly.com\/news\/252520524\/Did-the-Conti-ransomware-crew-orchestrate-its-own-demise\">almost a year ago<\/a>, after disgruntled members upset at its declaration of support for Russia\u2019s invasion of Ukraine leaked the gang\u2019s data.<\/p>\n<p>By absorbing these individuals, Royal was able to significantly ramp up its own technical abilities. Among other things, it switched lockers from BlackCat to Zeon before developing and deploying its own, which shares some features with Conti\u2019s.<\/p>\n<p>Perhaps the most notable commonality is Royal\u2019s \u201cchunk-based\u201d encryption, a granular approach that lets the operator encrypt only a chosen percentage of each file rather than its full contents. This gives Royal a choice between a faster but less thorough approach to extortion and a slower but more thorough one.<\/p>\n<p>In the first case, the operator can finish the attack more quickly and potentially avoid triggering anti-ransomware products, but the inherent risk is that the victim may be able to recover their files more easily themselves, or work out what they are missing and thus resist the extortion demand.<\/p>\n<p>In the second case, the victim will find it harder, if not impossible, to get their data back, but the files take longer to encrypt and the more involved process risks triggering defence mechanisms.<\/p>\n<p>In a similar fashion to Conti, the gang also <a href=\"https:\/\/www.computerweekly.com\/news\/252498463\/Retailer-FatFace-pays-2m-ransom-to-Conti-cyber-criminals\">sees itself as a professional penetration testing operation<\/a> running a useful service (albeit an unscheduled and unrequested one).<\/p>\n<p>An example of its current ransom note shared by Trellix highlights this attitude. 
It reads: \u201cRoyal offers you a unique deal. For a modest royalty (got it; got it?) for our pentesting services we will not only provide you with an amazing risk mitigation service, covering you from reputational, legal, financial, regulatory, and insurance risks, but will also provide you with a security review for your systems.<\/p>\n<p>\u201cTo put it simply, your files will be decrypted, your data restore [sic] and kept confidential, and your systems will remain secure.&nbsp;Try Royal today and enter the new era of data security! We are looking to hearing from you soon!\u201d<\/p>\n<p>Trellix researchers Alexandre Mundo and Max Kersten wrote&nbsp;<a href=\"https:\/\/www.trellix.com\/en-us\/about\/newsroom\/stories\/research\/a-royal-analysis-of-royal-ransom.html\">in their summing up<\/a>: \u201cThe Royal Ransom is actively used, as highlighted by the incident response case.<\/p>\n<p>\u201cAdditionally, the ransomware\u2019s encryption scheme seems to be implemented properly. As such, recent back ups or a decryptor are the only ways to recover lost files. The chunk-based encryption speeds up the encryption process while still ensuring files aren\u2019t recoverable.<\/p>\n<p>\u201cThe re-use of features between ransomware groups, such as Royal Ransom and Conti in this alleged case, gives food for thought with regards to gangs collaborating, or gang members joining different \u2013 or additional \u2013 gangs.<\/p>\n<p>\u201cBluntly put, the evolution of one gang\u2019s ransomware is bound to influence other ransomware gangs, which affects any organisation that is targeted. As such, it is important to stay on top of changes and improve the security posture where required.\u201d<\/p>\n<section class=\"section main-article-chapter\" data-menu-title=\"Case study\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>Case study<\/h3>\n<p>The anonymised Royal victim found their systems encrypted in late 2022. 
The entire process, from the gang\u2019s initial access to execution of the locker, unfolded over a three-day period.<\/p>\n<p>In this instance, Royal used a simple phishing email to obtain initial access, hijacking an existing and previously benign email thread and lacing its reply with a malicious attachment in the form of an HTML file.<\/p>\n<p>When opened by an employee, the HTML file displayed a pop-up notice dressed in Adobe branding. The notice told the victim that the file could not be displayed correctly and that a file had to be downloaded to view it, and it supplied the password for the downloaded archive (a password-protected archive also keeps the payload out of reach of mail and web content scanners).<\/p>\n<p>The archive contained an ISO image which, when mounted, exposed several files: a shortcut (LNK) file, a hidden folder with a decoy, a batch file, and a Qbot payload. <a href=\"https:\/\/www.blackberry.com\/us\/en\/solutions\/endpoint-security\/ransomware-protection\/qakbot\">Qbot, or Qakbot,<\/a> is a banking trojan turned infostealer and loader that frequently tops <a href=\"https:\/\/www.computerweekly.com\/news\/365531167\/Vidar-nJRAT-re-emerge-as-prominent-malware-threats-in-January\">the most observed malware \u2018charts\u2019<\/a>. 
The batch script copied Qbot to the victim\u2019s temporary folder and executed the payload from the mounted drive.<\/p>\n<p>From there, using a <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/setupapi\/run-and-runonce-registry-keys\">Run registry key<\/a>, Qbot established persistence so that it executed every time the compromised user logged on.<\/p>\n<p>Approximately four hours later, <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/252527588\/Googles-new-YARA-rules-fight-malicious-Cobalt-Strike-use\">Cobalt Strike<\/a>, the red-teaming tool that has become a perennial favourite among cyber criminals, made its appearance and was installed as a service on a domain controller that Royal had reached by moving laterally with <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/tip\/Common-lateral-movement-techniques-and-how-to-prevent-them\">the pass-the-hash technique<\/a>. The gang also used additional tools, including AdFind, to enumerate the Active Directory (AD) environment.<\/p>\n<p>To escalate privileges at this stage, Royal used <a href=\"https:\/\/www.elastic.co\/security-labs\/exploring-windows-uac-bypasses-techniques-and-detection-strategies\">a User Account Control (UAC) bypass<\/a> based on <a href=\"https:\/\/enigma0x3.net\/2016\/07\/22\/bypassing-uac-on-windows-10-using-disk-cleanup\/\">a race condition in the Windows 10 Disk Cleanup tool<\/a>: the auto-elevated SilentCleanup scheduled task copies Disk Cleanup\u2019s binaries into a temporary folder before running them, and replacing one of its dynamic link libraries (DLLs) there in time results in a DLL hijack that executes arbitrary code with elevated privileges.<\/p>\n<p>Royal used these privileges to run a PowerShell command and launch the <a href=\"https:\/\/github.com\/PowerShellMafia\/PowerSploit\">PowerSploit<\/a> post-exploitation framework via Cobalt Strike\u2019s service on port 11925. 
In this case, it downloaded and executed the PowerView module.<\/p>\n<p>With its foothold established, Royal lay low for a day before using <a href=\"https:\/\/github.com\/meganz\/MEGAsync\">the MEGAsync tool<\/a>, a legitimate client for syncing files with <a href=\"https:\/\/mega.io\/\">MEGA Cloud Drives<\/a>, to exfiltrate approximately 25 gigabytes of data. A few hours later, they executed the ransomware, whose file name was specifically tailored to the victim, demonstrating the human-operated nature of Royal\u2019s attacks.<\/p>\n<p>The whole process was remarkably quick, according to Mundo and Kersten. They said: \u201cAll in all, the quick turnaround from initial infection into a fully compromised environment shows why it is important to be on top of things from a blue team point of view.\u201d<\/p>\n<p>More information on Royal\u2019s current operation, including in-depth technical details, indicators of compromise (IoCs), and a new YARA rule that detects both the Windows and Linux locker variants, <a href=\"https:\/\/www.trellix.com\/en-us\/about\/newsroom\/stories\/research\/a-royal-analysis-of-royal-ransom.html\">is available from Trellix<\/a>.<\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>Trellix researchers have shared the details of a Royal ransomware attack on one of its customers, revealing insight into the tactics, techniques and procedures (TTPs) employed by one of the world\u2019s most active and dangerous ransomware operations. 
Royal ransomware was first detected in January of 2022 but the group ramped up its activity from September [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":88652,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-88651","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/88651","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=88651"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/88651\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/88652"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=88651"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=88651"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=88651"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
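The chunk-based encryption the article describes leaves plaintext chunks interleaved with ciphertext, and that mixture is what a responder can measure during triage: ciphertext has near-maximal byte entropy, document text does not. The scanner below is an added example written for this page; it is not code from Trellix's analysis or from the Royal locker. The chunk size, the entropy threshold and the sample file it builds are assumptions constructed for the demonstration, not values taken from the Royal sample.

```python
"""Per-chunk entropy scan to spot chunk-based (intermittent) file encryption.

Added example for this page; not Trellix's or Royal's code. Chunk size,
threshold and the sample file are assumptions constructed for the demo."""
import math
import random
from collections import Counter

CHUNK_SIZE = 4096          # assumed scan granularity, not the Royal locker's
ENCRYPTED_THRESHOLD = 7.2  # bits/byte: ciphertext sits near 8.0, English text near 4-5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_chunks(data: bytes, chunk_size: int = CHUNK_SIZE,
                threshold: float = ENCRYPTED_THRESHOLD):
    """Return [(offset, entropy, looks_encrypted)] for each fixed-size chunk."""
    report = []
    for off in range(0, len(data), chunk_size):
        h = shannon_entropy(data[off:off + chunk_size])
        report.append((off, round(h, 2), h >= threshold))
    return report


def classify_file(data: bytes, chunk_size: int = CHUNK_SIZE,
                  threshold: float = ENCRYPTED_THRESHOLD) -> dict:
    """Summarise a scan. High-entropy chunks interleaved with low-entropy ones is
    the intermittent-encryption signature; a compressed or fully encrypted file
    is uniformly high, an untouched document uniformly low."""
    report = scan_chunks(data, chunk_size, threshold)
    if not report:
        return {"chunks": 0, "encrypted_fraction": 0.0, "verdict": "empty", "encrypted_offsets": []}
    encrypted = [off for off, _, hit in report if hit]
    if not encrypted:
        verdict = "plaintext"
    elif len(encrypted) == len(report):
        verdict = "fully_encrypted"
    else:
        verdict = "partially_encrypted"
    return {"chunks": len(report),
            "encrypted_fraction": round(len(encrypted) / len(report), 3),
            "verdict": verdict,
            "encrypted_offsets": encrypted}


def make_sample(num_chunks: int = 10, encrypted_every: int = 2, seed: int = 1) -> bytes:
    """Constructed sample: repetitive English text with every Nth chunk replaced by
    seeded pseudo-random bytes standing in for ciphertext."""
    rng = random.Random(seed)
    text = (b"Quarterly report: revenue, costs, headcount and forecast. " * 80)[:CHUNK_SIZE]
    out = bytearray()
    for i in range(num_chunks):
        if i % encrypted_every == encrypted_every - 1:
            out += bytes(rng.getrandbits(8) for _ in range(CHUNK_SIZE))
        else:
            out += text
    return bytes(out)


if __name__ == "__main__":
    sample = make_sample()
    summary = classify_file(sample)
    print(summary["verdict"], summary["encrypted_fraction"])
    for off, h, hit in scan_chunks(sample):
        print(f"{off:>8}  entropy={h:5.2f}  {'ENCRYPTED' if hit else 'plain'}")
```

Run against real files, the offsets of the low-entropy chunks are the content a victim can still read, which is the recovery risk the article attributes to the faster mode; a uniformly high verdict on a file that was not compressed to begin with is the slower, full-encryption mode.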
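The case study's stages (a batch file staging Qbot into the user's Temp folder, Run-key persistence, a Cobalt Strike service on the domain controller, AdFind enumeration, the Disk Cleanup UAC bypass and MEGAsync exfiltration) map onto a small set of hunt rules over endpoint telemetry. The script below is an added example, not Trellix's code and not a reproduction of Royal's tooling; no path, file name or service name in it is an indicator from the real incident. It assumes Sysmon-style field names (EventID 1 process creation, 7 image load, 13 registry value set), and its sample events are constructed. "LOLBin" here means a built-in Windows binary abused as a loader (rundll32, regsvr32, PowerShell and similar).

```python
"""Hunt rules for the Royal case-study chain, run over constructed Sysmon-style
events. Added example: not Trellix's code, and no indicator here is real."""
import re

# Paths a standard user can write to. Payloads staged here, Run keys pointing
# here, or DLLs loaded from here by elevated processes deserve a look.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
SERVICE_IMAGEPATH = re.compile(r"\\System\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)
LOLBIN = re.compile(r"powershell|cmd\.exe\s+/c|rundll32|regsvr32|wscript|mshta|-enc\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path ('' if missing)."""
    return path.rsplit("\\", 1)[-1].lower() if path else ""

def rule_temp_staging(ev):
    """Sysmon 1: cmd.exe copying into a user-writable folder (the batch file staging
    Qbot into Temp), or a process launched from a non-C: drive (the mounted ISO).
    Heuristic: hosts with legitimate D:..Z: data drives need tuning."""
    if ev.get("EventID") != 1:
        return None
    image, cl = ev.get("Image", ""), ev.get("CommandLine", "")
    if basename(image) == "cmd.exe" and re.search(r"\bcopy\b", cl, re.I) and USER_WRITABLE.search(cl):
        return "cmd.exe copied a file into a user-writable folder"
    if re.match(r"^[D-Z]:\\", image, re.I) and basename(ev.get("ParentImage", "")) in ("cmd.exe", "explorer.exe"):
        return "process executed from a removable or mounted drive letter"
    return None

def rule_run_key_persistence(ev):
    """Sysmon 13: Run-key value pointing at a user-writable path or a LOLBin."""
    if ev.get("EventID") != 13 or not RUN_KEY.search(ev.get("TargetObject", "")):
        return None
    data = ev.get("Details", "")
    if USER_WRITABLE.search(data) or LOLBIN.search(data):
        return "Run-key persistence via user-writable path or LOLBin"
    return None

def rule_service_lolbin(ev):
    """Sysmon 13 on a service ImagePath: PowerShell/cmd/encoded command as the
    service binary, the trace a psexec-style beacon installation leaves on a host."""
    if (ev.get("EventID") == 13 and SERVICE_IMAGEPATH.search(ev.get("TargetObject", ""))
            and LOLBIN.search(ev.get("Details", ""))):
        return "service installed with a LOLBin or encoded-command ImagePath"
    return None

def rule_adfind(ev):
    """Sysmon 1: AdFind, including renamed copies (OriginalFileName comes from the PE)."""
    names = (basename(ev.get("Image", "")), ev.get("OriginalFileName", "").lower())
    if ev.get("EventID") == 1 and "adfind.exe" in names:
        return "AdFind Active Directory enumeration"
    return None

def rule_dismhost_dll(ev):
    """Sysmon 7: unsigned DLL loaded by DismHost.exe from Temp. The auto-elevated
    SilentCleanup task legitimately copies signed DLLs there; an unsigned one is the
    Disk Cleanup UAC-bypass hijack. 'Signed' is treated as true when absent."""
    if (ev.get("EventID") == 7 and basename(ev.get("Image", "")) == "dismhost.exe"
            and USER_WRITABLE.search(ev.get("ImageLoaded", ""))
            and ev.get("Signed", "true").lower() != "true"):
        return "unsigned DLL loaded into DismHost.exe from Temp (possible UAC bypass)"
    return None

def rule_megasync(ev):
    """Sysmon 1: MEGAsync client. Legitimate software, but the exfiltration channel here."""
    if ev.get("EventID") == 1 and basename(ev.get("Image", "")) == "megasync.exe":
        return "MEGAsync cloud-sync client executed (possible exfiltration channel)"
    return None

RULES = [rule_temp_staging, rule_run_key_persistence, rule_service_lolbin,
         rule_adfind, rule_dismhost_dll, rule_megasync]

def hunt(events):
    """Return [(event index, rule name, finding)] for every event some rule matches."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            finding = rule(ev)
            if finding:
                hits.append((i, rule.__name__, finding))
    return hits

# Constructed events in case-study order (event 0 is benign); none are real IoCs.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "chrome.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c copy E:\doc\core.dll C:\Users\alice\AppData\Local\Temp\core.dll"},
    {"EventID": 1, "Image": r"E:\doc\loader.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"E:\doc\loader.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\core.dll,start"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\svc4a1\ImagePath",
     "Details": r"%COMSPEC% /b /c start /b /min powershell -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\af.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "af.exe -f objectcategory=computer", "OriginalFileName": "AdFind.exe"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\1a2b\DismHost.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\1a2b\LogProvider.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\MEGAsync\MEGAsync.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "MEGAsync.exe"},
]

if __name__ == "__main__":
    for idx, rule_name, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name}: {finding}")
```

Each rule keys on the artefact the corresponding stage cannot avoid leaving (a copy into Temp, a registry value, a service ImagePath, an unsigned image load) rather than on the file names the gang chose, which is why the renamed AdFind copy and the arbitrarily named service in the sample are still caught. The drive-letter and Run-key rules are deliberately broad and would be tuned against a baseline of the environment before alerting on them.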