The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert warning organizations of the increasing threat posed by the Royal ransomware. The malware has been used in attacks since September 2022, targeting organizations in numerous sectors, including critical infrastructure, communications, education, healthcare and public health (HPH), and manufacturing. Royal ransomware uses its own file encryption program and exfiltrates large amounts of data to engage in double extortion.
The Royal ransomware operators have been observed making ransom demands ranging between $1 million and $11 million, payable in Bitcoin. To gain initial access, the attackers rely on phishing and remote desktop protocol (RDP) attacks, exploitation of vulnerabilities in public-facing applications, and access obtained through initial access brokers. After compromising a network, the threat actors use tools such as Chisel for command-and-control (C&C) communication, PsExec for lateral movement, Cobalt Strike, Ursnif/Gozi, and remote monitoring and management (RMM) software such as AnyDesk, Atera, and LogMeIn for persistence and data harvesting. They also use the Windows Restart Manager to identify whether files are in use and the Windows Volume Shadow Copy service to delete shadow copies, preventing victims from restoring their data.
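The shadow copy deletion described above is one of the few steps in this chain that leaves an unambiguous trace in process-creation telemetry. As an added example (not part of the alert or the original article), the following detection logic flags the common command-line routes to deleting shadow copies; the event format, field names and sample events are constructed, and the specific commands matched are assumptions about how such deletion is typically performed, not something the alert spells out.

```python
import re
from typing import Iterable

# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# not taken from any real incident. The last two are benign noise.
SAMPLE_EVENTS = [
    {"host": "ws01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"host": "srv02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},
    {"host": "ws03", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},
    {"host": "ws03", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption"},
]

# Each rule: (regex on the image basename, regex on the command line, label).
# Matching is case-insensitive because Windows command lines are.
RULES = [
    (r"vssadmin\.exe$", r"\bdelete\s+shadows\b", "vssadmin delete shadows"),
    (r"vssadmin\.exe$", r"\bresize\s+shadowstorage\b", "vssadmin resize shadowstorage"),
    (r"wmic\.exe$", r"\bshadowcopy\b.*\bdelete\b", "wmic shadowcopy delete"),
    (r"powershell\.exe$|pwsh\.exe$", r"win32_shadowcopy.*\.delete\(", "PowerShell Win32_ShadowCopy delete"),
]

def detect_shadow_copy_deletion(events: Iterable[dict]) -> list[dict]:
    """Return one alert per event whose image basename and command line match a rule."""
    alerts = []
    for ev in events:
        image = ev.get("Image", "").rsplit("\\", 1)[-1]  # basename only
        cmd = ev.get("CommandLine", "")
        for img_re, cmd_re, label in RULES:
            if re.search(img_re, image, re.I) and re.search(cmd_re, cmd, re.I):
                alerts.append({"host": ev.get("host"), "rule": label, "cmd": cmd})
                break  # one alert per event is enough
    return alerts

if __name__ == "__main__":
    for a in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{a['host']}] {a['rule']}: {a['cmd']}")
```

Legitimate backup tooling rarely issues these commands on workstations, so a hit is a strong early signal that encryption is about to start; the Restart Manager usage mentioned above is not visible this way and needs API-level telemetry.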
Organizations are advised to implement and maintain a recovery plan that includes keeping multiple, separate backups of their data; secure accounts with strong and unique passwords; implement multi-factor authentication and network segmentation; use network monitoring tools; audit accounts and disable unused ports and services; and keep all software and operating systems updated.
In conclusion, the Royal ransomware is a serious threat to organizations of all sizes and industries. The FBI and CISA have released an alert to warn of the danger posed by this malicious software, and organizations are advised to take the necessary steps to protect their networks and data.
• The Royal ransomware has been used in attacks since September 2022
• It uses its own file encryption program and exfiltrates large amounts of data
• The ransom demands range between $1 million and $11 million, in Bitcoin
• Organizations are advised to keep multiple, separate backups of their data and secure accounts with strong and unique passwords
• They should also implement multi-factor authentication, network segmentation and network monitoring tools, and keep all software and operating systems updated