The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI last week issued a joint advisory on Royal ransomware. Royal is noteworthy for its ability to disable various anti-virus tools in the course of exfiltrating data in its double-extortion attacks.
Royal's operators have also been marked by their willingness to target "numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, healthcare and public healthcare (HPH), and education." The gang has been known to demand ransom payments of between $1 million and $10 million. The advisory includes a comprehensive overview of Royal's tactics, techniques, and procedures; of its indicators of compromise; and of mitigations that organizations can deploy to help them weather an attack with Royal ransomware.
Royal captures the majority of its victims through phishing. “According to third-party reporting,” CISA and the FBI say, “Royal actors most commonly (in 66.7% of incidents) gain initial access to victim networks via successful phishing emails.” The malicious payload is most often carried inside PDF files that arrive as an attachment to those phishing emails. The ransomware has also been observed to arrive in the form of malvertising.
Once the threat actors have obtained access to the victims’ networks, they establish persistence and move laterally across those networks to get to the data they find valuable. “Royal actors exfiltrate data from victim networks by repurposing legitimate cyber pentesting tools, such as Cobalt Strike, and malware tools and derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration. According to third-party reporting, Royal actors’ first hop in exfiltration and other operations is usually a U.S. IP address.”
Once they’ve exfiltrated what they want, they begin the process of encrypting the victims’ files, and once the files are encrypted, the gang delivers its ransom demand. “FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, or CISA at https://www.cisa.gov/report.”
The advisory contains many valuable suggestions for policies, practices, and technical defenses that can help armor any organization against ransomware, and they’re well worth your time to review. It’s also worth pointing out that an administrator or a user whose mind is prepared will also prove an invaluable shield, and new-school security awareness training can help prepare those minds.
CISA and the FBI have the story.