FBI, CISA update Royal ransomware advisory, highlighting new tactics and impending rebranding efforts

U.S. security agencies have released an updated joint Cybersecurity Advisory (CSA) on Royal ransomware, which includes new tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and additional information. The attackers behind Royal ransomware have targeted various critical infrastructure sectors, such as manufacturing, communications, Healthcare and Public Health (HPH), and education. The advisory aims to assist network defenders by providing them with more insight into the TTPs and IOCs associated with different variants of Royal ransomware.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are urging organizations to prioritize the remediation of known vulnerabilities that have been exploited. They also recommend training users to identify and report phishing attempts, as well as implementing and enforcing multi-factor authentication. Recent FBI investigations have identified these TTPs and IOCs as of June 2023.

The agencies also pointed out that there are indications that Royal may be preparing for a re-branding effort and/or a spinoff variant. Blacksuit ransomware shares several identified coding characteristics with Royal. A previous joint CSA for Royal ransomware was published in March this year; the updated joint CSA provides new IOCs identified through FBI investigations.

“Since approximately September 2022, cyber threat actors have compromised U.S. and international organizations with Royal ransomware,” the advisory disclosed. “FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used ‘Zeon’ as a loader. After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems. Royal actors have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin.” 

In observed incidents, the FBI-CISA advisory said that Royal hackers do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a [dot]onion URL (reachable through the Tor browser). 

Since it began operations, Royal has targeted over 350 known victims worldwide and its ransom demands have exceeded US$275 million. Royal conducts data exfiltration and extortion before encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors.

“Royal and Blacksuit threat actors have been observed using legitimate software and open source tools during ransomware operations. Threat actors have been observed using open source network tunneling tools such as Chisel and Cloudflared, as well as Secure Shell (SSH) Client, OpenSSH, and MobaXterm to establish SSH connections,” according to the advisory. “The publicly available credential-stealing tool Mimikatz and password harvesting tools from Nirsoft have also been found on victim systems. Legitimate remote access tools AnyDesk, LogMein, and Atera Agent have also been observed as backdoor access vectors.”

FBI and CISA recommend that software manufacturers incorporate secure-by-design and secure-by-default principles and tactics into their software development practices, limiting the impact of ransomware techniques (such as threat actors leveraging backdoor vulnerabilities in remote access software) and thus strengthening the security posture of their customers.

Among the mitigation measures proposed, the advisory reminded the critical infrastructure sector to follow CISA’s Cybersecurity Performance Goals (CPGs), which provide a minimum set of practices and protections informed by the most common and impactful threats and TTPs, and which set goals that organizations across critical infrastructure sectors should implement.

Organizations must implement a recovery plan; require all accounts with password logins to comply with the National Institute of Standards and Technology’s (NIST’s) standards for developing and managing password policies; and require multi-factor authentication. They must also reduce the threat of malicious actors; keep all operating systems, software, and firmware up to date; segment networks; and identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.

Critical infrastructure entities must also install, regularly update, and enable real-time detection for antivirus software on all hosts; review domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts; audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (PoLP); disable unused ports; consider adding an email banner to emails received from outside the organization; and implement time-based access for accounts at the admin level and higher.
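The account-review items above (new or unrecognized accounts, auditing administrative privilege, time-based access for admin accounts) reduce to a comparison of the current privileged-account set against a trusted baseline. The following is an added example in Python, not code from the advisory or the agencies; the account records, group names and dates are constructed for illustration, and in practice the current set would be pulled from Active Directory rather than typed in.

```python
"""Added example (not from the advisory): audit privileged accounts against a
baseline snapshot to surface unrecognized admin accounts, newly granted
privilege, recently created privileged accounts, and admin accounts with no
time bound. All accounts, groups and dates below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional

# Groups treated as privileged for this audit (a starting list, not exhaustive).
PRIVILEGED_GROUPS = frozenset({"Domain Admins", "Enterprise Admins", "Administrators"})


@dataclass(frozen=True)
class Account:
    sam: str                     # sAMAccountName
    groups: FrozenSet[str]
    created: datetime
    expires: Optional[datetime]  # None means the account never expires


def audit_privileged(current, baseline, now, recent=timedelta(days=7)):
    """Compare current privileged accounts with a trusted baseline.

    Returns a list of (rule, account, detail) findings, ordered by account.
    """
    base_by_name = {a.sam: a for a in baseline}
    findings = []
    for acct in sorted(current, key=lambda a: a.sam):
        priv = acct.groups & PRIVILEGED_GROUPS
        if not priv:
            continue  # non-privileged accounts are out of scope here
        base = base_by_name.get(acct.sam)
        if base is None:
            findings.append(("unrecognized-privileged-account", acct.sam, sorted(priv)))
        else:
            added = priv - base.groups
            if added:
                findings.append(("privilege-added", acct.sam, sorted(added)))
        if now - acct.created <= recent:
            findings.append(("recently-created-privileged", acct.sam, acct.created.isoformat()))
        if acct.expires is None:
            findings.append(("no-time-bound", acct.sam, "account never expires"))
    return findings


UTC = timezone.utc
NOW = datetime(2023, 11, 15, tzinfo=UTC)  # constructed audit time

# Constructed baseline snapshot taken at an earlier, trusted point.
BASELINE = [
    Account("alice", frozenset({"Domain Users", "Domain Admins"}),
            datetime(2021, 3, 1, tzinfo=UTC), datetime(2023, 12, 1, tzinfo=UTC)),
    Account("bob", frozenset({"Domain Users"}),
            datetime(2021, 6, 1, tzinfo=UTC), None),
]

# Constructed current state: bob gained local admin, svc_backup2 appeared yesterday.
CURRENT = [
    Account("alice", frozenset({"Domain Users", "Domain Admins"}),
            datetime(2021, 3, 1, tzinfo=UTC), datetime(2023, 12, 1, tzinfo=UTC)),
    Account("bob", frozenset({"Domain Users", "Administrators"}),
            datetime(2021, 6, 1, tzinfo=UTC), None),
    Account("svc_backup2", frozenset({"Domain Users", "Domain Admins"}),
            datetime(2023, 11, 14, tzinfo=UTC), None),
]

if __name__ == "__main__":
    for rule, account, detail in audit_privileged(CURRENT, BASELINE, NOW):
        print(f"{rule:32} {account:12} {detail}")
```

The baseline is the piece that makes this useful: without an approved snapshot every admin account looks equally legitimate, whereas a diff against one turns "review accounts" into a short list of changes someone has to justify.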

“The Russian-speaking Royal ransomware gang continues to be a significant threat to the health care and other sectors,” John Riggi, AHA’s national advisor for cybersecurity and risk, said in a media statement. “As indicated last week, the government believes that the Royal gang is related to the current BlackSuit ransomware gang and may use some of the same methodology and malware coding.” 

He added, “Today’s alert on Royal indicates the group is primarily using phishing emails to deliver ransomware, then exploits known vulnerabilities, disables antivirus software, and utilizes legitimate penetration testing software tools such as Cobalt Strike to exfiltrate data.”

Furthermore, Riggi emphasized the importance of incorporating alerts for the activation of Cobalt Strike and similar tools, as well as alerts for the disablement of antivirus software, into network and security monitoring tools. It is also crucial to regularly update these tools with the latest indicators of compromise. Additionally, the presence of known and exploited vulnerabilities poses an ongoing challenge in terms of patching, as they continue to be exploited by malicious actors.
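The advisory's list of abused legitimate tools and Riggi's call for alerts on tool activation and antivirus disablement both come down to a few endpoint detection rules. The following is an added example in Python, not code from the advisory, the agencies or the AHA: it runs such rules over constructed JSON-per-line endpoint events. The event field names, hostnames and file paths are assumptions made for the example; the tool names come from the advisory text, and Microsoft Defender operational event 5001 (real-time protection disabled) and the PowerShell `Set-MpPreference -DisableRealtimeMonitoring` parameter are real Windows identifiers.

```python
"""Added example (not from the advisory): a small rule pass over constructed
endpoint log lines that flags launches of the legitimate tools the advisory
says Royal and BlackSuit actors abuse, and antivirus real-time protection
being disabled."""
import json
import re

# Executable-name patterns for tools named in the advisory. Matching on the
# image path rather than the whole command line keeps false positives down;
# the Nirsoft entry lists a few of that vendor's password-recovery utilities.
ABUSED_TOOLS = {
    "chisel": r"(^|[\\/])chisel(\.exe)?$",
    "cloudflared": r"(^|[\\/])cloudflared(\.exe)?$",
    "mimikatz": r"(^|[\\/])mimikatz(\.exe)?$",
    "nirsoft": r"(^|[\\/])(webbrowserpassview|mailpv|netpass)(\.exe)?$",
    "anydesk": r"(^|[\\/])anydesk(\.exe)?$",
    "logmein": r"(^|[\\/])logmein[\w.-]*(\.exe)?$",
    "atera": r"(^|[\\/])ateraagent(\.exe)?$",
    "cobaltstrike": r"(^|[\\/])(beacon|cobaltstrike)(\.exe|\.dll)?$",
}
TOOL_RE = {name: re.compile(p, re.IGNORECASE) for name, p in ABUSED_TOOLS.items()}

# Microsoft Defender operational log: event 5001 means real-time protection
# was disabled. A PowerShell command line turning it off is the same signal,
# seen one step earlier.
DEFENDER_RTP_DISABLED = 5001
AV_TAMPER_CMDLINE = re.compile(
    r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true", re.IGNORECASE
)


def classify_image(image):
    """Return the advisory tool family an executable path matches, else None."""
    for name, pattern in TOOL_RE.items():
        if pattern.search(image):
            return name
    return None


def scan_event(ev):
    """Apply the rules to one parsed event; returns a list of alert dicts."""
    alerts = []
    host = ev.get("host", "?")
    if ev.get("type") == "process_create":
        tool = classify_image(ev.get("image", ""))
        if tool:
            alerts.append({"rule": f"abused-tool:{tool}", "host": host,
                           "detail": ev.get("image")})
        if AV_TAMPER_CMDLINE.search(ev.get("cmdline", "")):
            alerts.append({"rule": "av-disable:cmdline", "host": host,
                           "detail": ev.get("cmdline")})
    elif ev.get("type") == "defender" and ev.get("event_id") == DEFENDER_RTP_DISABLED:
        alerts.append({"rule": "av-disable:defender-5001", "host": host,
                       "detail": ev.get("message")})
    return alerts


def scan(lines):
    """Parse JSON-per-line records and collect alerts; malformed lines are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad line should not stall the whole pass
        alerts.extend(scan_event(ev))
    return alerts


# Constructed sample log (JSON per line); hosts, paths and the field layout are made up.
SAMPLE_LOG = r"""
{"type": "process_create", "host": "ws01", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"}
{"type": "process_create", "host": "ws01", "image": "C:\\Users\\Public\\chisel.exe", "cmdline": "chisel.exe client 203.0.113.10:8080"}
{"type": "process_create", "host": "dc01", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"}
{"type": "defender", "host": "dc01", "event_id": 5001, "message": "Real-time protection is disabled"}
{"type": "process_create", "host": "srv02", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "cmdline": "AnyDesk.exe --service"}
{"type": "defender", "host": "srv02", "event_id": 1001, "message": "Scan finished"}
not json at all
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a['host']:6} {a['rule']:28} {a['detail']}")
```

Name-based matching is deliberately simple and is defeated by renaming the binary, so in production these rules sit beside the hash and network IOCs from the advisory and beside behavioural signals (a remote access agent installed outside change control, tunnel traffic from a server that should have none); an alert on a legitimate tool like AnyDesk is a prompt to check whether the install was authorized, not a verdict.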

Last week, the FBI published a Private Industry Notification (PIN) to highlight ransomware initial access trends, as hackers continue to gain access through third parties and legitimate system tools. The agency detailed that new trends included ransomware hackers exploiting vulnerabilities in vendor-controlled remote access to casino servers, and companies victimized through legitimate system management tools to elevate network permissions.
