Coping With “Double-Extortion” Royal Ransomware

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI last week issued a joint advisory on Royal ransomware. Royal is noteworthy for its ability to disable various anti-virus tools in the course of exfiltrating data in its double-extortion attacks.

Royal's operators have also been marked by their willingness to target "numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, healthcare and public healthcare (HPH), and education." The gang has been known to demand ransom payments of between $1 million and $10 million. The advisory includes a comprehensive overview of Royal's tactics, techniques, and procedures; of its indicators of compromise; and of mitigations that organizations can deploy to help them weather an attack with Royal ransomware.

Royal captures the majority of its victims through phishing. “According to third-party reporting,” CISA and the FBI say, “Royal actors most commonly (in 66.7% of incidents) gain initial access to victim networks via successful phishing emails.” The malicious payload is most often carried inside PDF files that arrive as an attachment to those phishing emails. The ransomware has also been observed to arrive in the form of malvertising.

Once the threat actors have obtained access to the victims’ network, they establish persistence and move laterally across those networks to get to the data they find valuable. “Royal actors exfiltrate data from victim networks by repurposing legitimate cyber pentesting tools, such as Cobalt Strike, and malware tools and derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration. According to third-party reporting, Royal actors’ first hop in exfiltration and other operations is usually a U.S. IP address.”

Once they’ve exfiltrated what they want, they begin the process of encrypting the victims’ files, and once the files are encrypted, the gang delivers its ransom demand. “FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, or CISA at”

The advisory contains many valuable suggestions for policies, practices, and technical defenses that can help armor any organization against ransomware, and they’re well worth your time to review. It’s also worth pointing out that an administrator or a user whose mind is prepared will also prove an invaluable shield, and new-school security awareness training can help prepare those minds.

CISA and the FBI have the story.

A Master Class on IT Security: Roger Grimes Teaches Ransomware Mitigation

Cyber-criminals have become thoughtful about ransomware attacks, taking time to maximize the damage to your organization and their payoff. Protecting your network from this growing threat is more important than ever.

Join Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, for this thought-provoking webinar to learn what you can do to prevent, detect, and mitigate ransomware. You'll learn:

  • How to detect ransomware programs, even those that are highly stealthy
  • Official recommendations from the Cybersecurity & Infrastructure Security Agency (CISA)
  • The policies, technical controls, and education you need to stop ransomware in its tracks
  • Why good backups (even offline backups) no longer save you from ransomware

