The Royal ransomware group has targeted more than 350 global victims since September 2022, demanding hundreds of millions in ransom payments, according to a new report from the US Cybersecurity and Infrastructure Security Agency (CISA).
The cybersecurity advisory is an update to one it released in March 2023, containing new information such as refreshed indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs).
This includes new IOCs generated by FBI investigations earlier this year, which seem to show a crossover between Royal and the Blacksuit ransomware group.
“Royal and Blacksuit threat actors have been observed using legitimate software and open source tools during ransomware operations. Threat actors have been observed using open source network tunneling tools such as Chisel and Cloudflared, as well as Secure Shell (SSH) Client, OpenSSH, and MobaXterm to establish SSH connections,” CISA explained.
“The publicly available credential stealing tool Mimikatz and password harvesting tools from Nirsoft have also been found on victim systems. Legitimate remote access tools AnyDesk, LogMeIn, and Atera Agent have also been observed as backdoor access vectors.”
Initial access is most commonly achieved via phishing – which accounts for around two-thirds of Royal incidents – followed by RDP compromise (13%). The group is also thought to have used initial access brokers and targeted public-facing applications in the past, according to CISA.
RDP and PsExec are also frequently used by the group to move laterally across a victim’s network, while Cobalt Strike and malware such as Ursnif/Gozi are commonly deployed to help with data aggregation and exfiltration, the report noted.
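The tools CISA names above (Chisel, Cloudflared, MobaXterm, Mimikatz, Nirsoft, AnyDesk, LogMeIn, Atera, PsExec) are all legitimate or dual-use, so a single process-creation match is weak evidence on its own. The script below is an added example, not code from the article or from CISA: it tags each process-creation event with the TTP phase the matched tool serves in the advisory (tunneling, credential theft, remote access, lateral movement) and then scores each host by how many distinct phases appear, so that a host showing a tunneling tool, a credential stealer and PsExec together stands out from a host where an administrator merely runs AnyDesk. The event fields (`host`, `image`, `cmdline`), the hostnames and the events themselves are constructed for the demonstration; the phase-to-tool mapping uses only names that appear in the advisory text quoted here.

```python
"""Added example: triage Sysmon-style process-creation events against the
dual-use tools named in the CISA Royal/Blacksuit advisory, scoring hosts by
how many distinct TTP phases show up rather than alerting on each match."""
import re
from collections import defaultdict

# Tool names taken from the advisory text, grouped by the phase they serve there.
TOOL_PHASES = {
    "tunneling": ("chisel", "cloudflared", "mobaxterm", "openssh", "ssh"),
    "credential_theft": ("mimikatz", "nirsoft"),
    "remote_access": ("anydesk", "logmein", "atera"),
    "lateral_movement": ("psexec",),
}

# One case-insensitive, word-bounded regex per phase (so "ssh" does not hit "openssh"
# twice and "chisel" is not found inside unrelated strings).
_PATTERNS = {
    phase: re.compile(r"\b(" + "|".join(re.escape(t) for t in tools) + r")\b", re.IGNORECASE)
    for phase, tools in TOOL_PHASES.items()
}

# Constructed sample events (hostnames and paths are invented for this example).
SAMPLE_EVENTS = [
    {"host": "ws-17", "image": r"C:\Users\jdoe\Downloads\chisel.exe", "cmdline": "chisel.exe client"},
    {"host": "ws-17", "image": r"C:\Temp\mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"host": "ws-17", "image": r"C:\Windows\PsExec.exe", "cmdline": "PsExec.exe \\\\fs-02 cmd"},
    {"host": "fs-02", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe --service"},
    {"host": "fs-02", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
]


def classify_event(event):
    """Return {phase: matched_tool} for one process-creation event.

    Both the image path and the command line are searched, because a renamed
    binary may still reveal itself through its arguments.
    """
    text = f"{event.get('image', '')} {event.get('cmdline', '')}"
    hits = {}
    for phase, pattern in _PATTERNS.items():
        match = pattern.search(text)
        if match:
            hits[phase] = match.group(1).lower()
    return hits


def score_hosts(events):
    """Aggregate per host which phases and which tools were observed."""
    per_host = defaultdict(lambda: {"phases": set(), "tools": set()})
    for event in events:
        for phase, tool in classify_event(event).items():
            per_host[event["host"]]["phases"].add(phase)
            per_host[event["host"]]["tools"].add(tool)
    return {
        host: {"phases": sorted(data["phases"]), "tools": sorted(data["tools"])}
        for host, data in per_host.items()
    }


def hosts_above(events, min_phases=2):
    """Hosts on which at least `min_phases` distinct TTP phases were seen.

    The default of 2 is a tuning choice for this example: one dual-use tool on
    its own is routine; two or more phases on one host deserves a look.
    """
    return sorted(
        host for host, data in score_hosts(events).items()
        if len(data["phases"]) >= min_phases
    )


if __name__ == "__main__":
    for host, data in score_hosts(SAMPLE_EVENTS).items():
        print(host, data)
    print("hosts to investigate:", hosts_above(SAMPLE_EVENTS))
```

Matching on process names is deliberately the cheapest possible check; in production the same phase-scoring idea is better fed by hashes, signer information and network telemetry, and a legitimate remote-support tool should be whitelisted per host rather than per name.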
Among the sectors most frequently targeted are healthcare, manufacturing and education.
“Royal actors have made ransom demands ranging from approximately $1m to $11m in bitcoin,” the advisory explained.
“In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL (reachable through the Tor browser).”