New CISA And FBI Advisory Provides Insights Into Royal Ransomware Gang Tactics

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recently published a joint cybersecurity advisory as part of the #StopRansomware initiative. This advisory details the tactics, techniques, and procedures (TTPs) of the Royal ransomware gang, as well as recently and historically observed indicators of compromise (IOCs), to help organizations guard against ransomware attacks.

According to the joint cybersecurity advisory, since September 2022, US and international organizations have been compromised by a variant of the Royal ransomware. Royal ransomware is believed to be operated by a group of highly-experienced cybercriminals, including those that formerly belonged to Conti Team One. This team had previously developed the Ryuk ransomware, which had been actively attacking for the past three years. Royal began using their own encryption methods in September of 2022 and has become the most dominant ransomware actor in the market, overtaking Lockbit.

The Royal ransomware variant has its own tailored file encryption program which gives the actor the ability to pick the ultimate number of data in a file to be encrypted. This enables the actor to decrease the encryption rate in bigger files and as a result helps conceal itself from detection. As well as encrypting files, Royal actors partake in double extortion procedures whereby they warn to expose the encrypted data if the victim fails to pay up.

Once Royal actors are able to gain entrance to victim networks through techniques like phishing, taking advantage of faulty public-facing applications, and using brokers to find VPN credentials from stealer logs, they will make contact with command and control infrastructure and download a variety of tools. To establish their presence in the network, they often use modified legitimate Windows software. Navigating the network afterwards is typically done through RDP and they make use of programs like AnyDesk, LogMeIn, and Atera to persistently remain in the network.

Before engaging in the encryption process, Royal actors utilize Windows Restart Manager to check if targeted files are being used or blocked by other applications. In order to execute the ransomware, they create batch files to create a new administrative user, update the group policy, set appropriate registry keys to initiate auto-extraction, observe the encryption process, and remove files once it is over, such as the Application, System, and Security event logs. They also use the Windows Volume Shadow Copy service (vssadmin.exe) to erase all shadow copies to stop system recovery.

This joint cybersecurity advisory offers strategies to stop potential adversaries from taking advantage of common system and network detection methods and minimize the likelihood of Royal ransomware attacks. These strategies align with CISA’s Cybersecurity Performance Goals (CPGs), which incorporate the most common, destructive threats, tactics, methods, and processes and put forth objectives that all entities in critical infrastructure sectors should carry out.

The joint advisory recommends implementing a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location. It also recommends using longer passwords consisting of at least 8 characters and no more than 64 characters in length, requiring multifactor authentication, and keeping all operating systems, software, and firmware up to date. Network segmentation can also help to prevent the spread of ransomware by limiting lateral movement across the network as well as the implementation of an effective patch management program to help close vulnerabilities that could be exploited by threat actors.

In addition, the joint advisory suggests that organizations enable strong spam filters and email scanning to reduce the risk of phishing attacks. User awareness training can help educate employees on how to identify and report suspicious emails or messages, and organizations can also limit the number of users with domain administrator privileges to reduce the attack surface. To protect against RDP attacks, organizations can require strong passwords, limit the number of remote connections, and use network-level authentication.