Beyond the British Monarchy: Ransomware Goes Royal

The British royal family, with its trials and tribulations, is not the only royalty making headlines these days. The Royal ransomware group, believed to have evolved from the notorious and now defunct Conti ransomware group, is making waves across the U.S. and the United Kingdom.

In its heyday, Conti claimed responsibility for multiple high-profile cyber-attacks, including attacks on Costa Rican and Peruvian government systems, several well-known retailers, and the Irish healthcare service. However, Conti saw its operations effectively shut down over the summer of 2022 for a variety of reasons, including attracting too much government attention, which had put a target on the group’s back. Many of the group’s members, though, remained at large, and many believe some of those members have formed the Royal group.

Royal started small and focused its attention on attacking the healthcare sector. More recently, the Royal gang has risen to prominence, so much so that it is being labeled as one of the most active and dangerous ransomware gangs in the world today. Underscoring the seriousness of the threat, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory alerting critical infrastructure providers to review their ransomware prevention and detection strategies and providing insight into the technical details of how Royal members gain access and execute their attacks.

One reason for Royal’s success is the evolution of new techniques and ransomware variants. This makes it much easier for them to infiltrate and infect Linux hosts and VMware ESXi servers, for example. Hence the latest #StopRansomware advisory from CISA that lays out their tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs).

How the Royal Gang Gets Access to Your Enterprise

Some facets of the Royal ransomware variant are unique. But the tactics used to gain initial access to an enterprise are unsurprising. According to CISA, Royal used phishing attacks on two-thirds of its recent victims to gain entry. While there are some technical approaches that can remove phishing emails from the inbox, security awareness training is critical.

Another major attack vector for the Royal gang is to exploit the Remote Desktop Protocol (RDP). CISA found that 13.3% of Royal incidents used RDP for initial access. Other vectors of initial entry include exploitation of public-facing applications (such as a customer or client portal) and harvesting virtual private network (VPN) credentials from stealer logs or using brokers for initial access.

What Happens Under Royal’s Rule

Once Royal gains access to your enterprise, they launch a custom-made file encryption program. The malware disables antivirus software and exfiltrates large amounts of data before deploying ransomware, encrypting systems, and demanding funds. Ransom demands have ranged from $1 million to $11 million.

The most significant tactical shift in Royal ransomware is how files are encrypted to evade detection. Instead of encrypting all the data in every file, which can set off alarms with anomalous traffic patterns, Royal encrypts files only partially. Current ransomware protection defenses are not architected to spot partial encryption of files. CISA also noted that Royal utilizes double extortion – both demanding a ransom and threatening to publicly release sensitive data if the ransom is not paid.
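To make the partial-encryption point concrete, here is an added example (not code from CISA or from this article's author) that measures entropy per fixed-size window instead of per file. The window size, the threshold and the sample buffers are assumptions constructed for illustration; seeded random bytes stand in for ciphertext.

```python
import math
import random
from collections import Counter

CHUNK = 4096         # window size in bytes (assumed)
HIGH_ENTROPY = 7.5   # bits per byte; ciphertext sits near 8.0 (assumed threshold)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_chunks(data: bytes) -> list:
    """One flag per CHUNK-sized window: True if it looks like ciphertext."""
    return [shannon_entropy(data[i:i + CHUNK]) >= HIGH_ENTROPY
            for i in range(0, len(data), CHUNK)]

def classify(data: bytes) -> str:
    """'clean', 'partial' or 'full' from the share of high-entropy windows."""
    flags = high_entropy_chunks(data)
    if not any(flags):
        return "clean"
    return "full" if sum(flags) / len(flags) >= 0.9 else "partial"

# --- constructed sample data, not taken from any real incident ---
_rng = random.Random(0)

def _noise(n: int) -> bytes:
    """Seeded random bytes standing in for ciphertext."""
    return bytes(_rng.getrandbits(8) for _ in range(n))

LINE = b"2023-03-02 10:15:01 host42 sshd[1021]: Accepted publickey for alice\n"
CLEAN = (LINE * 1000)[:16 * CHUNK]
# Every fourth window replaced: an assumed pattern, chosen only for illustration.
PARTIAL = b"".join(_noise(CHUNK) if i % 4 == 0 else CLEAN[i * CHUNK:(i + 1) * CHUNK]
                   for i in range(16))
FULL = _noise(16 * CHUNK)

if __name__ == "__main__":
    for name, buf in (("clean", CLEAN), ("partial", PARTIAL), ("full", FULL)):
        print(name, round(shannon_entropy(buf), 2), classify(buf))
```

The whole-file entropy of the partially overwritten buffer stays below the threshold, while the per-window view still flags a quarter of it. Compressed or already-encrypted formats are high-entropy by nature, so in practice this check is compared against a file's known baseline or type.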

After gang members have gained a beachhead in the enterprise, they use command and control (C2) infrastructure to download various tools to strengthen their foothold in the victim’s network. They can also take over remote monitoring and management software to move laterally across a network. Further, they can even harness legitimate pen testing tools like Cobalt Strike for data exfiltration.

Protecting Your Organization Against Royal Ransomware Gang

As part of the advisory, CISA issued several recommendations to mitigate cyber threats from ransomware in general, such as enabling and enforcing multifactor authentication, reviewing security awareness training on phishing emails, and more.

With the Royal gang, in particular, organizations should:

  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
  • Prioritize remediating known exploited vulnerabilities.
  • Review, monitor, and if possible, disable protocol and port usage.
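For the last recommendation, an added example (not from the CISA advisory or any vendor product) that reviews listening sockets on a Linux host and reports RDP listeners reachable from beyond loopback. It assumes input in the layout of `ss -H -tln`; the sample lines and addresses are constructed.

```python
import ipaddress

WATCHED = {3389: "RDP"}   # RDP is the protocol the article names; extend per local policy

# Constructed sample in the layout of `ss -H -tln` (Linux, no header row).
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:3389 0.0.0.0:*
LISTEN 0 4096 [::]:3389 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 10.20.0.7:3389 0.0.0.0:*
"""

def bind_scope(addr: str) -> str:
    """Classify a listen address as 'loopback', 'all-interfaces' or 'specific'."""
    addr = addr.split("%", 1)[0].strip("[]")   # drop %iface suffix and IPv6 brackets
    if addr == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    return "all-interfaces" if ip.is_unspecified else "specific"

def exposed_listeners(ss_output: str, watched=WATCHED):
    """Return (service, address, port, scope) for watched ports not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in watched:
            continue
        scope = bind_scope(addr)
        if scope != "loopback":
            findings.append((watched[int(port)], addr, int(port), scope))
    return findings

if __name__ == "__main__":
    for service, addr, port, scope in exposed_listeners(SAMPLE):
        print(f"{service} listening on {addr}:{port} ({scope})")
```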

Royal has proven that they can exploit RDP to gain initial access to enterprises and to infect out-of-date Linux devices to exploit ESXi virtual machines. Because of this, ensuring your endpoints and devices are up to date with the latest patches is critical. Patching can be cumbersome, but it doesn’t have to be difficult. Some patch management solutions provide a three-hour turnaround for the testing and delivery of new patches – and come equipped with technology to send software and patches across the wire once.

Taking your security processes a step further to monitor risky services or ports across your endpoints will only strengthen your security posture. Enterprises with a unified security and endpoint management (USEM) solution can implement these preventive measures quickly. USEM solutions easily discover all devices across your network and enable you to manage and patch any endpoints that are out of date – regardless of whether those devices are running Windows, Linux, or Mac. And, within the same product, you can run a vulnerability scan to identify risky services and ports that may be vulnerable to exploitation. For example, you can see a snapshot below from the Syxsense platform of devices that are running RDP without robust security controls in place.

If your organization is still struggling to manage endpoints and prioritize patching, and is unsure whether it has weak points that threat actors are looking to exploit, let’s have a conversation. You can schedule a one-on-one demo to find out how to improve your chances against a sophisticated ransomware group like Royal.