man with home made crown on his head

Warning issued over Royal ransomware

As part of its StopRansomware effort, the Cybersecurity and Infrastructure Security Agency (CISA) has published a Cybersecurity Advisory (CSA) about Royal ransomware.

Royal ransomware is a Ransomware-as-a-service (Raas) that first made an appearance in January 2022. In September of that year, it began calling itself Royal ransomware, and then in November it really made a name for itself by boldly taking the lead in our monthly statistics.

After November, it handed back top place to Lockbit, but has remained one of the top five most prevalent ransomware strains. 

According to the CSA, the group behind Royal:

  • Have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin.
  • Are known to disable anti-virus software on the affected systems.
  • Have targeted numerous critical infrastructure sectors including manufacturing, communications, healthcare, and education.
  • Steal data from infiltrated networks which they threaten to publicize on their leak site to increase the leverage on the victim.
screenshot Royal leak site
Royal ransomware leak site

The Initial Access Brokers that cater to Royal are reported to gain initial access and source traffic by harvesting virtual private network (VPN) credentials from stealer logs. Other methods that are used to gain initial access to victim networks are:

  • Phishing, by using emails containing malicious PDF documents, and malvertising
  • Remote Desktop Protocol (RDP), by using compromised or brute forcing login credentials
  • Exploiting public-facing applications. This could be through websites or other applications with internet accessible open sockets by exploiting known vulnerabilities or common security misconfigurations.

For those interested, the CSA contains a wealth of Indicators of Compromise (IOCs) and techniques used by Royal to gain persistence and for lateral movement.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.

Have a question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.