Royal Ransomware

What Is Royal Ransomware?

Royal ransomware is a sophisticated and quickly evolving malware strain first observed in early 2022. A lucrative big-game-hunting spree of breaches in 2022 earned Royal a ranking among the most prolific and menacing ransomware campaigns of the year. In November 2022 alone, Dev-0569, the ransomware gang that operates Royal, added 43 new victims, demanding between $250,000 and $2 million per compromise. Dev-0569’s enterprise victims have included Silverstone Circuit, the UK’s most popular racing circuit; Travis Central Appraisal District, a Texas government entity; and an unnamed major US telecom that was hit with a $60 million ransom demand.

Dev-0569 is a private group of elite threat actors that primarily seeks financial gain by extorting large enterprise victims. Analysis of Royal attack patterns has drawn comparisons to the apex ransomware gangs Conti and Ryuk, suggesting that Royal’s operators splintered off from those earlier cyber-crime operations. Rather than selling Royal as ransomware-as-a-service (RaaS), Dev-0569 purchases direct access to corporate networks from underground Initial Access Brokers (IABs) and runs the attack campaigns in-house. Dev-0569 also frequently practices double extortion: in addition to demanding a ransom for decrypting the encrypted files, it steals data before encrypting and threatens to publish it unless the victim pays.

How Royal Ransomware Works

Because Royal’s operators buy initial access from IABs, a Royal attack can begin with a wide array of well-known first-stage tactics and payloads. Observed Royal intrusions have started with abuse of business website contact forms to deliver malicious links, trojanized software installers hosted on authentic-looking download sites, and malvertising through Google Ads.

Another signature technique in Royal attacks is callback phishing: fake software trial-expiry alerts that pressure victims into calling a “customer service” phone number staffed by the threat actors, who then talk the victim through installing the malware themselves. Using a company’s contact form against it lets the attackers bypass basic spam filtering, because a contact-form submission is relayed by the company’s own mail system and the resulting message therefore appears to come from an internal, trusted address.

Once Royal’s operators have a foothold on a target network, they employ a wide range of post-exploitation tactics and techniques, including:

  • Installing the Cobalt Strike post-exploitation toolkit for command and control (C2) on victim systems
  • Deploying the open-source tool NSudo, PowerShell scripts (.ps1), and batch scripts (.bat) to disable endpoint antivirus products
  • Harvesting credentials from infected hosts for lateral movement through the network and for compromising cloud service accounts
  • Downloading signed binaries and encrypted malware payloads from domains with legitimate TLS certificates so that content filters are not triggered
  • Installing other known malware strains, such as QakBot, Gozi, and Vidar, on victim systems
  • Deleting Volume Shadow Copies, the point-in-time file snapshots Windows keeps for recovery, so that encrypted files cannot be restored locally (a step common to most sophisticated ransomware)
  • Using signed MSI or VHD files to download additional second-stage payloads such as the BATLOADER malware

Royal’s final-stage encryption module is a 64-bit C++ executable built for Windows. Royal initially borrowed its encryptor from BlackCat ransomware, but in September 2022 it switched to a novel encryption module known as “Zeon.” Zeon is heavily multi-threaded: it queries the target’s CPU core count and spawns twice that many threads so that the victim’s files are encrypted as quickly as possible.

What a Royal Ransomware Attack Looks Like

The most obvious signs of a Royal ransomware attack are the “.royal” or “.royal_w” extension appended to encrypted filenames and a “README.TXT” ransom note dropped in each directory containing encrypted files. Royal intrusions follow the same playbook as Conti ransomware attacks, and Sigma detection rules written for Ryuk and Conti tradecraft also match Royal activity.
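As an added example (not code from the original page or from BlackBerry), the script below turns the indicators just described into a small host-level triage: it looks for shadow-copy deletion on the command line, the “.royal”/“.royal_w” extension on newly written files, and a “README.TXT” note, and only calls a host “likely_royal” when the extension shows up on several files together with a note or a shadow-copy wipe. The event layout (Sysmon-like `eid` 1 process-creation and `eid` 11 file-create records), the hostnames, and the sample events are constructed for the example and are not real telemetry.

```python
import ntpath
import re
from collections import Counter

# Constructed sample telemetry (not real logs): one record per event, loosely modelled
# on Sysmon process-creation (eid 1) and file-create (eid 11) events.
SAMPLE_EVENTS = [
    {"eid": 1, "host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"eid": 1, "host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir C:\\Users"},
    {"eid": 11, "host": "ws01", "target": r"C:\Users\alice\Documents\budget.xlsx.royal"},
    {"eid": 11, "host": "ws01", "target": r"C:\Users\alice\Documents\README.TXT"},
    {"eid": 11, "host": "ws01", "target": r"C:\Users\alice\Pictures\holiday.jpg.royal_w"},
    {"eid": 11, "host": "ws01", "target": r"C:\Users\alice\Pictures\README.TXT"},
    # A second host with only ordinary activity, to show the rules staying quiet.
    {"eid": 1, "host": "ws02", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"eid": 11, "host": "ws02", "target": r"C:\Users\bob\notes.txt"},
]

# vssadmin and wmic are the usual ways Conti-lineage ransomware wipes Volume Shadow Copies.
SHADOW_DELETE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)
# Extensions Royal appends to encrypted files, as described in the text above.
ROYAL_EXT = re.compile(r"\.royal(_w)?$", re.I)
RANSOM_NOTE = "readme.txt"


def is_shadow_copy_deletion(event):
    """Process-creation event whose command line deletes Volume Shadow Copies."""
    return event.get("eid") == 1 and bool(SHADOW_DELETE.search(event.get("cmdline", "")))


def is_royal_extension(event):
    """File event whose target carries the .royal / .royal_w extension."""
    return event.get("eid") == 11 and bool(ROYAL_EXT.search(event.get("target", "")))


def is_ransom_note(event):
    """File event that creates README.TXT; ntpath splits Windows paths even on Linux."""
    return event.get("eid") == 11 and ntpath.basename(event.get("target", "")).lower() == RANSOM_NOTE


def triage(events, min_encrypted=2):
    """Aggregate indicators per host and assign a verdict.

    'likely_royal' requires the Royal extension on at least `min_encrypted` files plus a
    ransom note or shadow-copy deletion on the same host. A lone vssadmin call or a single
    README.TXT is only 'suspicious', because both also occur in legitimate administration
    and software installs.
    """
    counts = {}
    for ev in events:
        c = counts.setdefault(ev["host"], Counter())
        c["shadow_copy_deletion"] += is_shadow_copy_deletion(ev)
        c["encrypted_files"] += is_royal_extension(ev)
        c["ransom_notes"] += is_ransom_note(ev)

    report = {}
    for host, c in counts.items():
        if c["encrypted_files"] >= min_encrypted and (c["ransom_notes"] or c["shadow_copy_deletion"]):
            verdict = "likely_royal"
        elif c["encrypted_files"] or c["ransom_notes"] or c["shadow_copy_deletion"]:
            verdict = "suspicious"
        else:
            verdict = "none"
        report[host] = {
            "shadow_copy_deletion": c["shadow_copy_deletion"],
            "encrypted_files": c["encrypted_files"],
            "ransom_notes": c["ransom_notes"],
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS).items():
        print(host, finding)
```

In production the same three checks map naturally onto Sigma rules over Sysmon events 1 and 11; the point of combining them per host is that shadow-copy deletion alone is noisy (backup software and administrators use vssadmin too), whereas the extension plus the note within minutes on one host is close to unambiguous.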

How to Prevent a Royal Ransomware Attack

Defensive measures that prevent a successful Royal ransomware attack are the same ones that work against other malware, such as:

  • Provide user awareness training that covers phishing techniques, including callback phishing by phone, and develop standard operating procedures (SOPs) for handling suspicious emails and documents
  • Configure email clients to flag messages that originate from outside the organization
  • Obtain software only from legitimate sources, such as a mobile device’s built-in app store or the software vendor’s website, rather than from search-engine ads or third-party download sites
  • Implement a reliable backup strategy with well-protected offline backups, and rehearse disaster recovery procedures so that recovery-time targets (mean time to recovery, MTTR) can actually be met
  • Conduct regular vulnerability scanning and penetration testing of all network infrastructure, and remediate discovered vulnerabilities as soon as possible
  • Ensure Office applications are configured with “Disable all macros without notification” or “Disable all except digitally signed macros”
  • Require strong passwords and multi-factor authentication (MFA) for all remote access services, and ensure all default passwords are changed
  • Segment critical networks and add network intrusion detection and prevention systems (IDPS) to monitor network traffic for anomalous behavior
  • Install and configure endpoint security products that scan documents arriving in encrypted form (for example, password-protected archives that perimeter filters cannot inspect) as soon as they are decrypted on the endpoint
  • Implement Zero Trust solutions wherever possible, giving priority to critical systems

CylanceOPTICS Prevents Ransomware Attacks

CylanceOPTICS® provides on-device threat detection and remediation using artificial intelligence (AI) to prevent security incidents, with root cause analysis, smart threat hunting, and automated detection and response capabilities. Our Endpoint Detection and Response (EDR) approach effectively eliminates response latency, which can be the difference between a minor security incident and a widespread, uncontrolled event.