CISA, FBI issue advisory detailing known Royal ransomware IOCs, TTPs found in recent threat response activities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published on Thursday a joint cybersecurity advisory that disseminates known Royal ransomware IOCs and tactics, techniques, and procedures (TTPs) identified through FBI threat response activities as recently as January 2023. The hacker group has targeted numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, healthcare and public healthcare (HPH), and education.

“Since approximately September 2022, cyber criminals have compromised U.S. and international organizations with a Royal ransomware variant. FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used ‘Zeon’ as a loader,” the advisory said. “After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems. Royal actors have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin.” 

In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note, the advisory disclosed. “Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a [dot]onion URL (reachable through the Tor browser),” it added.

The CISA-FBI advisory said that the Royal ransomware uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt. This approach allows the actor to lower the encryption percentage for larger files, which helps evade detection. Apart from encrypting files, Royal actors also engage in double extortion tactics in which they threaten to publicly release the encrypted data if the victim does not pay the ransom.

The advisory follows an alert issued in December by the U.S. Department of Health & Human Services Health Sector Cybersecurity Coordination Center (HC3), which provided details of human-operated Royal ransomware, first observed last year and since seen with increasing frequency. It has demanded ransoms of up to millions of dollars. Since its appearance, HC3 has been aware of attacks against the healthcare and public health (HPH) sector.

The security agencies outline that Royal actors gain initial access to victim networks using phishing, remote desktop protocol (RDP), public-facing applications, and brokers. Citing third-party reporting, the advisory said that Royal hackers most commonly, in 66.7 percent of incidents, gain initial access to victim networks via successful phishing emails. Quoting open-source reporting, the CISA-FBI advisory identified that victims have unknowingly installed malware that delivers Royal ransomware after receiving phishing emails containing malicious PDF documents, and malvertising. 

The advisory said that the second most common vector used by Royal hackers in 13.3 percent of incidents for initial access is RDP compromise. FBI has also observed Royal actors gain initial access through exploiting public-facing applications. Lastly, reports from trusted third-party sources indicate that Royal hackers may leverage brokers to gain initial access and source traffic by harvesting virtual private network (VPN) credentials from stealer logs.

“Once Royal actors gain access to the network, they communicate with command and control (C2) infrastructure and download multiple tools,” the advisory said. “Legitimate Windows software is repurposed by Royal operators to strengthen their foothold in the victim’s network. Ransomware operators often use open-source projects to aid their intrusion activities; Royal operators have recently been observed using Chisel, a tunneling tool transported over HTTP and secured via SSH, to communicate with their C2 infrastructure.” 

The advisory added that the FBI has observed multiple Qakbot C2s used in Royal ransomware attacks, but has not yet determined if Royal ransomware exclusively uses Qakbot C2s.

The agencies also disclosed that Royal hackers often use RDP to move laterally across the network. The Microsoft Sysinternals tool ‘PsExec’ has also been used to aid lateral movement. “FBI has observed Royal actors using remote monitoring and management (RMM) software, such as AnyDesk, LogMeIn, and Atera, for persistence in the victim’s network. In some instances, the actors moved laterally to the domain controller. In one confirmed case, the actors used a legitimate admin account to remotely log on to the domain controller. Once on the domain controller, the threat actor deactivated antivirus protocols by modifying Group Policy Objects,” it added.

Royal actors exfiltrate data from victim networks by repurposing legitimate cyber pentesting tools, such as Cobalt Strike, and malware tools and derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration, the CISA-FBI advisory said. “According to third-party reporting, Royal actors’ first hop in exfiltration and other operations is usually a U.S. IP address.”

Before starting the encryption process, Royal hackers use Windows Restart Manager to determine whether targeted files are currently in use or blocked by other applications. Royal also uses the Windows Volume Shadow Copy service (vssadmin[dot]exe) to delete shadow copies and so inhibit system recovery.

FBI has found numerous batch ([dot]bat) files on impacted systems, which are typically transferred as an encrypted 7zip file. The batch files create a new admin user, force a group policy update, set pertinent registry keys to auto-extract and execute the ransomware, monitor the encryption process, and delete files upon completion, including the application, system, and security event logs.
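The host-side artefacts the two paragraphs above attribute to Royal (shadow-copy deletion via vssadmin, a newly created admin account, a forced Group Policy update, and cleared event logs) are all visible in ordinary Windows Security auditing. The following is an added example, not code from the advisory or from CISA/FBI, of a small correlation rule set run over constructed event records. The record layout (`time`, `event_id`, `host`, `command_line`, `target_user`, `group`) is a simplified assumption; the event IDs are the standard Windows ones (4688 process creation with command-line auditing, 4720 user created, 4732 member added to a local group, 1102 security log cleared, 104 other log cleared).

```python
"""Added example: correlate Windows Security events against the Royal
batch-file behaviours described in the advisory. Not advisory code."""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample telemetry (assumed simplified field names).
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2023-01-10T02:14:05", "event_id": 4688, "host": "FS01",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2023-01-10T02:14:09", "event_id": 4720, "host": "FS01",
     "target_user": "svc_backup2"},
    {"time": "2023-01-10T02:14:10", "event_id": 4732, "host": "FS01",
     "target_user": "svc_backup2", "group": "Administrators"},
    {"time": "2023-01-10T02:14:12", "event_id": 4688, "host": "FS01",
     "command_line": "gpupdate.exe /force"},
    {"time": "2023-01-10T02:40:00", "event_id": 1102, "host": "FS01"},
    {"time": "2023-01-10T02:40:01", "event_id": 104, "host": "FS01",
     "channel": "System"},
    # Benign noise: help desk adds a user to a non-admin group a day earlier.
    {"time": "2023-01-09T09:00:00", "event_id": 4720, "host": "WS22",
     "target_user": "jdoe"},
    {"time": "2023-01-09T09:00:05", "event_id": 4732, "host": "WS22",
     "target_user": "jdoe", "group": "Remote Desktop Users"},
]

# A 4720 followed by a 4732 into Administrators within this window is
# treated as "new admin user created", as the batch files do.
ADMIN_WINDOW = timedelta(minutes=5)


def _ts(ev: Dict) -> datetime:
    return datetime.fromisoformat(ev["time"])


def _finding(rule: str, ev: Dict, severity: str) -> Dict:
    return {"rule": rule, "host": ev["host"], "severity": severity,
            "time": ev["time"]}


def detect_royal_batch_artifacts(events: List[Dict]) -> List[Dict]:
    """Return one finding per matched rule, in time order."""
    findings: List[Dict] = []
    created: Dict[tuple, datetime] = {}  # (host, user) -> time of 4720
    for ev in sorted(events, key=_ts):
        eid = ev["event_id"]
        cmd = ev.get("command_line", "").lower()
        if eid == 4688 and "vssadmin" in cmd and "delete shadows" in cmd:
            findings.append(_finding("shadow_copy_deletion", ev, "high"))
        elif eid == 4688 and cmd.startswith("gpupdate") and "/force" in cmd:
            # Legitimate admins do this too, so on its own it is low severity.
            findings.append(_finding("forced_gpo_update", ev, "low"))
        elif eid == 4720:
            created[(ev["host"], ev["target_user"])] = _ts(ev)
        elif eid == 4732 and ev.get("group", "").lower() == "administrators":
            t0 = created.get((ev["host"], ev["target_user"]))
            if t0 is not None and _ts(ev) - t0 <= ADMIN_WINDOW:
                findings.append(_finding("new_local_admin_created", ev, "high"))
        elif eid in (1102, 104):
            findings.append(_finding("event_log_cleared", ev, "high"))
    return findings


def hosts_with_chain(findings: List[Dict], min_rules: int = 2) -> List[str]:
    """Hosts on which at least `min_rules` distinct high-severity rules fired;
    the combination, not any single event, is what points at Royal."""
    per_host: Dict[str, set] = {}
    for f in findings:
        if f["severity"] == "high":
            per_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    results = detect_royal_batch_artifacts(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['time']} {f['host']:5} {f['severity']:4} {f['rule']}")
    print("hosts showing the chain:", hosts_with_chain(results))
```

The value of the rule set is in `hosts_with_chain`: shadow-copy deletion, a fresh local administrator and a cleared Security log each occur legitimately from time to time, but all three on one host inside an hour is the sequence the advisory describes, and that is the condition worth paging on.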

Due to the historical nature of ransomware victimizing the healthcare community, Royal should be considered a threat to the HPH sector, the HC3 said in its analyst note.

The latest CISA-FBI advisory recommends that network defenders limit potential adversarial use of common system and network discovery techniques and reduce the risk of compromise by Royal ransomware. These mitigations follow CISA’s Cybersecurity Performance Goals (CPGs), which provide a minimum set of practices and protections that are informed by the most common and impactful threats, tactics, techniques, and procedures, and which yield goals that all organizations across critical infrastructure sectors should implement.

Organizations must implement a recovery plan, require all accounts with password logins to comply with National Institute of Standards and Technology (NIST) standards for developing and managing password policies, require multi-factor authentication, keep all operating systems, software, and firmware up to date, and segment networks. The advisory also recommends identifying, detecting, and investigating abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool; installing, regularly updating, and enabling real-time detection for antivirus software; auditing user accounts; implementing time-based access for accounts set at the admin level and higher; and disabling command-line and scripting activities and permissions.

The CISA-FBI advisory called for maintaining offline backups of data, and regularly executing backup and restoration. By instituting this practice, the organization ensures it will not be severely interrupted and/or left with irretrievable data. It also suggests ensuring that all backup data is encrypted, immutable, and covers the entire organization’s data infrastructure.

Earlier this week, CISA released a cybersecurity advisory detailing the TTPs used by its red team in a recent assessment, along with key findings, to give network defenders of critical infrastructure organizations proactive steps to reduce the threat of similar activity from malicious cyber actors.
