History & Emergence
The Royal ransomware group is a relatively new player in the world of cybercrime, with its earliest known activity dating back to mid-2022. The group has quickly gained notoriety for its sophisticated tactics and successful attacks on high-profile targets, including governments, healthcare providers, and financial institutions. Based on the victims the group has posted on its leak site, we calculate that Royal has leaked more than 249 terabytes of data to date.
Starting in or around September 2022, a new variant of Royal ransomware has been used to compromise US and international organizations. According to the FBI and CISA, this variant uses its own custom-made file encryption program and evolved from earlier iterations that used "Zeon" as a loader. After gaining access to a victim's network, the operators disable any antivirus software present and exfiltrate large amounts of data before deploying the ransomware and encrypting systems. Ransom demands range from approximately $1 million to $11 million USD in Bitcoin. Notably, the initial Royal ransom notes do not state a ransom amount or payment instructions; instead, victims are directed to contact the attackers through a .onion URL reachable via the Tor browser.
Throughout 2022 and into 2023, the Royal ransomware group continued to evolve and refine its tactics, with new variants of its ransomware being discovered regularly. In May 2023, the group made headlines with an attack on the city of Dallas, Texas, which caused significant disruption to city services, including 911 dispatch systems and online payment portals. The group is particularly adept at exploiting vulnerabilities in enterprise software, and over time it has developed its own custom malware and encryption tools.
Trends Observed
Based on the data in Figure 1, the Royal ransomware group has been increasing its attacks on companies over time: the number of victims posted per month rose from 2 in September 2022 to 37 in March 2023.
The month-to-month counts are variable. There is a large increase from October to November 2022, a smaller increase from November to December, and a decrease from March to April 2023, but the overall trend is upward. From the victim data posted on the group's leak site, we also estimate that the companies targeted by Royal to date have a combined revenue of more than 48 billion.
Region Wise Distribution of the Victims
Data from Figure 2 shows that the majority of Royal ransomware victims are located in the United States, with 106 reported cases. Germany is second with 14 cases, followed by Canada with 11. The United Kingdom has 7 reported cases, Brazil 5, and Italy and France 3 each. The remaining countries have one or two cases each.
The United States may be the most targeted region for several reasons: the large number of organizations and the high level of internet penetration in the country, or simply that the attackers behind the ransomware have chosen to focus on this region.
Germany and Canada are also significant targets, although to a lesser extent than the United States. This may indicate that the attackers focus on regions with strong economies or high levels of technological development. However, the number of reported cases in each country is also influenced by factors such as the level of cybersecurity awareness, the resources available to respond to an attack, and the willingness of victims to report an incident. The presence of countries such as Brazil, Italy, and France on the list shows that Royal's activity is not limited to a specific region or group of countries; it is a global phenomenon affecting organizations worldwide.
Analysis & Attribution
The Royal ransomware group uses several methods to gain initial access to victim networks. The most common is phishing: victims receive emails with malicious PDF attachments, or are lured through malvertising, and unknowingly install malware that in turn delivers Royal ransomware.
RDP compromise is another initial access vector. Additionally, according to the FBI, the group has exploited public-facing applications to gain initial access.
Reports from trusted third-party sources also indicate that Royal actors may use initial access brokers and source traffic by harvesting virtual private network (VPN) credentials from stealer logs.
In addition to its technical expertise, the Royal ransomware group has also shown a willingness to engage in high-stakes negotiations with its victims. The group has been known to demand multi-million-dollar ransoms and to threaten to leak sensitive data if its demands are not met.
According to a dark web profile published by SOCRadar, the Royal ransomware group is believed to operate primarily out of Russia and Ukraine. The group has been linked to several other cybercriminal organizations operating in the region and is believed to have strong ties to Russian-speaking cybercriminals.
Mitigations
To enhance their security posture against Royal ransomware, organizations can implement the following mitigations.
- Conduct regular audits and monitoring of event and incident logs to identify unusual patterns or behavior, such as bursts of failed remote logons or antivirus being disabled.
- Harden the configuration of network infrastructure devices such as firewalls and routers.
- Use application control tools that prevent unauthorized or malicious programs from executing.
- Reset compromised user credentials and enforce a strong password policy.
- Enforce data protection, backup, and recovery measures, including offline backups that are tested regularly, and implement multifactor authentication across devices and platforms, particularly for RDP and VPN access.
- Provide regular security skills assessment and training for all personnel.
- Conduct periodic red-team exercises and penetration tests to validate the organization's defenses.
- Monitor for anomalies in user accounts and systems that could indicate an account takeover.
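The following is an added example, not code from the original report or from any Royal ransomware sample, showing how the log-monitoring recommendation above can be turned into concrete detection logic for two behaviours described in this report: RDP compromise (a burst of failed logons followed by a successful RemoteInteractive logon from the same source) and antivirus being disabled before encryption (Microsoft Defender reporting that real-time protection was turned off). The event records are constructed for the example; the CSV column layout, the thresholds and the function names are assumptions, not a specific product's export format.

```python
"""Added example: simple detections for RDP brute-force-then-success and
Defender real-time protection being disabled, run over constructed events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real telemetry). Columns:
# timestamp,event_id,source_ip,account,logon_type
# 4624/4625 come from the Windows Security log; 5001 comes from the
# Microsoft-Windows-Windows Defender/Operational log ("Real-time protection is disabled").
SAMPLE_EVENTS = """\
2023-03-02T01:12:03,4625,203.0.113.7,administrator,10
2023-03-02T01:12:04,4625,203.0.113.7,administrator,10
2023-03-02T01:12:05,4625,203.0.113.7,administrator,10
2023-03-02T01:12:06,4625,203.0.113.7,administrator,10
2023-03-02T01:12:07,4625,203.0.113.7,administrator,10
2023-03-02T01:12:09,4624,203.0.113.7,administrator,10
2023-03-02T02:05:41,5001,-,SYSTEM,-
2023-03-02T08:30:00,4624,10.0.0.15,jdoe,2
2023-03-02T08:31:10,4625,10.0.0.15,jdoe,2
2023-03-02T08:31:20,4624,10.0.0.15,jdoe,2
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
DEFENDER_RTP_DISABLED = "5001"
REMOTE_INTERACTIVE = "10"  # LogonType 10 = RDP (RemoteInteractive)


def parse_events(text):
    """Parse the constructed CSV lines into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, src, user, ltype = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "eid": eid,
                       "src": src, "user": user, "ltype": ltype})
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce_success(events, window=timedelta(minutes=10), threshold=5):
    """Flag a (source_ip, account) pair when at least `threshold` failed logons
    within `window` are followed by a successful RDP logon from the same source.
    Window and threshold are assumed tuning values."""
    alerts = []
    failures = defaultdict(list)  # (src, user) -> timestamps of failed logons
    for e in events:
        key = (e["src"], e["user"])
        if e["eid"] == FAILED_LOGON:
            failures[key].append(e["ts"])
        elif e["eid"] == SUCCESS_LOGON and e["ltype"] == REMOTE_INTERACTIVE:
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "rdp_bruteforce_then_success",
                               "src": e["src"], "user": e["user"],
                               "failures": len(recent), "at": e["ts"]})
    return alerts


def detect_av_tampering(events):
    """Flag every Defender 'real-time protection disabled' event."""
    return [{"rule": "defender_realtime_protection_disabled", "at": e["ts"]}
            for e in events if e["eid"] == DEFENDER_RTP_DISABLED]


def run_detections(text=SAMPLE_EVENTS):
    """Run both detections over a CSV export and return the combined alert list."""
    events = parse_events(text)
    return detect_rdp_bruteforce_success(events) + detect_av_tampering(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

On the constructed sample this yields two alerts: the external address 203.0.113.7 fails five times against "administrator" and then succeeds over RDP within the window, and Defender reports real-time protection disabled. The interactive logons for "jdoe" (logon type 2, a single failure) produce nothing, which is the point of keying on logon type and on a failure threshold rather than on any failed logon.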
Indicators of Compromise (IOCs)
References
- Traffic Light Protocol - Wikipedia
- #StopRansomware: Royal Ransomware | CISA
- Unveiling the Evolution of Royal Ransomware - VMware Security Blog
- Dark Web Profile: Royal Ransomware - SOCRadar
Appendix