Unmasking the Royal Ransomware Group: Tactics and Countermeasures

The Royal Ransomware Group has emerged as one of the most prolific ransomware groups since September 2022. In this blog post, we will discuss their activities, tactics, and how you can protect your network from malicious attacks.

The Rise of Royal Ransomware Group: Royal Ransomware Group has gained significant attention recently for its sophisticated operations. Unlike other ransomware groups that follow the ransomware-as-a-service model, Royal acts as a one-stop shop for deploying ransomware and gaining unauthorized access to targeted networks. This group has been active for about eight or nine months, and their attacks have been escalating each month.

Targeting Manufacturing and More: While many ransomware groups have primarily targeted schools and municipalities, the Royal Ransomware Group has shifted its focus toward manufacturing. This change in target selection sets them apart from their counterparts. The group evolved from another ransomware group called "Conti". It is not uncommon for ransomware groups to evolve from previous groups or to form new groups with different names and objectives.

Methods of Infiltration: Royal Ransomware Group constantly develops new techniques to gain access to networks. They exploit vulnerabilities in various ways, including phishing attacks, vulnerable Remote Desktop Protocol (RDP) computers, and publicly facing applications. These tactics enable them to move laterally within the network and increase their chances of success. They also collaborate with trusted third-party sources to gain initial access, often harvesting VPN credentials from stealer logs.

Tools and Techniques: Once inside a network, Royal Ransomware Group swiftly downloads and installs command and control (C2) infrastructure and other tools to maintain persistence and access. They exploit open RDP and use remote management tools like AnyDesk, LogMeIn, and Atera to further their malicious activities. It is crucial for organizations to have privileged access management software, zero trust process monitoring, and proper firewall configurations to mitigate these risks effectively.
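The detection question raised by this paragraph is not "is remote-management software running?" but "is it one we sanctioned, launched from where we installed it?" The following script is an added example, not code from the original post: it walks constructed process-creation events for the three RMM products the post names (AnyDesk, LogMeIn, Atera) and flags any that are not on an organisation's approved list, or that are approved but run from an unexpected path. The event format, the approved-tool list and the binary names used as signatures are assumptions for illustration.

```python
"""Flag remote-management (RMM) tooling that the organisation did not approve.

Added example, not code from the original post.  The pipe-separated event
format, the approved-tool policy and the sample events are constructed; the
binary-name fragments used as signatures are assumptions, not from the post.
"""
import re
from dataclasses import dataclass

# Name fragments for the RMM products the post mentions (assumed binary names).
RMM_SIGNATURES = {
    "AnyDesk": re.compile(r"anydesk", re.IGNORECASE),
    "LogMeIn": re.compile(r"logmein", re.IGNORECASE),
    "Atera": re.compile(r"atera", re.IGNORECASE),
}

# Constructed process-creation events: host|user|image path|command line.
SAMPLE_EVENTS = [
    "ws-0041|CORP\\jdoe|C:\\Program Files (x86)\\AteraAgent\\AteraAgent.exe|AteraAgent.exe",
    "ws-0077|CORP\\svc_backup|C:\\Users\\Public\\AnyDesk.exe|AnyDesk.exe --start-service",
    "fs-01|CORP\\admin2|C:\\Windows\\Temp\\LogMeIn.exe|LogMeIn.exe /silent",
    "ws-0099|CORP\\tmpuser|C:\\Users\\tmpuser\\Downloads\\AteraAgent.exe|AteraAgent.exe",
    "ws-0041|CORP\\jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe readme.txt",
]

# Constructed policy: only Atera is sanctioned, and only from its install directory.
APPROVED_RMM = {
    "Atera": "C:\\Program Files (x86)\\AteraAgent\\",
}


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    tool: str
    image: str
    reason: str


def parse_event(line: str) -> tuple[str, str, str, str]:
    """Split one constructed event into (host, user, image, cmdline)."""
    host, user, image, cmdline = line.split("|", 3)
    return host, user, image, cmdline


def find_unapproved_rmm(events, approved) -> list[Finding]:
    """Return a Finding for every RMM launch that violates the approved policy.

    `approved` maps tool name -> expected install-directory prefix.  A tool
    absent from the map is unapproved outright; an approved tool running from
    outside its expected directory is flagged separately, since a relocated
    copy is a classic sign of attacker-supplied tooling.
    """
    findings: list[Finding] = []
    for line in events:
        host, user, image, cmdline = parse_event(line)
        for tool, sig in RMM_SIGNATURES.items():
            if not (sig.search(image) or sig.search(cmdline)):
                continue
            expected_dir = approved.get(tool)
            if expected_dir is None:
                reason = "RMM tool not on the approved list"
            elif not image.lower().startswith(expected_dir.lower()):
                reason = "approved RMM tool running from an unexpected path"
            else:
                break  # sanctioned tool from its normal location: no finding
            findings.append(Finding(host, user, tool, image, reason))
            break  # attribute each event to one tool at most
    return findings


def demo() -> list[Finding]:
    """Run the detection over the constructed sample events."""
    return find_unapproved_rmm(SAMPLE_EVENTS, APPROVED_RMM)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.host} {f.user} {f.tool}: {f.reason} ({f.image})")
```

Feeding this from real process-creation telemetry (Sysmon event ID 1 or EDR equivalents) is a matter of replacing `parse_event`; the policy shape is the point: the sanctioned RMM agent from its install path produces no alert, while an identical binary in a user's Downloads folder does.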

Indicators of Compromise: Royal Ransomware Group often leaves behind indicators of compromise, such as the .Royal extension on encrypted files and a ransom note named readme.txt in every directory. Their operations involve malicious domains and IP addresses, tools that tamper with antivirus (AV) software, and Chisel, which tunnels TCP and UDP traffic over HTTP and secures the tunnel with SSH. Detecting and blocking such encrypted malicious traffic is challenging for traditional firewalls without deep packet inspection capabilities.
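The two file-system indicators named above (the .Royal extension and a readme.txt in every directory) are cheap to sweep for, but a single readme.txt is common in ordinary software folders, so a useful check scores note coverage across directories together with the presence of renamed files. The script below is an added example, not code from the original post; the coverage threshold and the two sample directory trees it builds in a temporary location are constructed assumptions.

```python
"""Sweep a directory tree for the file-system indicators the post attributes
to Royal: files ending in .Royal and a ransom note named readme.txt dropped
in every directory.  Added example, not code from the original post; the
coverage threshold and the sample trees are constructed for illustration.
"""
import os
import shutil
import tempfile

ENCRYPTED_EXT = ".royal"        # from the post; compared case-insensitively
NOTE_NAME = "readme.txt"        # from the post; compared case-insensitively
NOTE_COVERAGE_THRESHOLD = 0.5   # assumption: a note in >= half of all directories


def scan_for_royal_indicators(root: str) -> dict:
    """Walk `root` and return indicator counts plus a coarse verdict.

    A lone readme.txt (a normal software README) yields low coverage and no
    verdict; renamed files plus a note in most directories yields "high".
    """
    dirs_scanned = 0
    dirs_with_note = 0
    encrypted_files = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dirs_scanned += 1
        lowered = [name.lower() for name in filenames]
        if NOTE_NAME in lowered:
            dirs_with_note += 1
        encrypted_files.extend(
            os.path.join(dirpath, name)
            for name in filenames
            if name.lower().endswith(ENCRYPTED_EXT)
        )
    coverage = dirs_with_note / dirs_scanned if dirs_scanned else 0.0
    if encrypted_files and coverage >= NOTE_COVERAGE_THRESHOLD:
        verdict = "high"
    elif encrypted_files or coverage >= NOTE_COVERAGE_THRESHOLD:
        verdict = "medium"
    else:
        verdict = "none"
    return {
        "dirs_scanned": dirs_scanned,
        "dirs_with_note": dirs_with_note,
        "note_coverage": round(coverage, 2),
        "encrypted_files": len(encrypted_files),
        "verdict": verdict,
    }


def _touch(path: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("constructed sample file\n")


def build_impacted_tree(root: str) -> None:
    """Constructed tree mimicking post-encryption state: 5 dirs, 4 notes, 3 renamed files."""
    for rel in ("readme.txt", "finance/readme.txt", "finance/2022/readme.txt", "hr/readme.txt",
                "finance/budget.xlsx.Royal", "finance/2022/q4.docx.ROYAL", "hr/payroll.csv.royal",
                "it/notes.txt"):
        _touch(os.path.join(root, *rel.split("/")))


def build_clean_tree(root: str) -> None:
    """Constructed benign tree: one ordinary README among several directories."""
    for rel in ("tools/readme.txt", "tools/bin/helper.exe", "docs/guide.pdf", "data/export.csv"):
        _touch(os.path.join(root, *rel.split("/")))


def demo() -> tuple[dict, dict]:
    """Scan both constructed trees in a temporary directory and clean up."""
    base = tempfile.mkdtemp(prefix="royal-ioc-demo-")
    try:
        impacted, clean = os.path.join(base, "impacted"), os.path.join(base, "clean")
        build_impacted_tree(impacted)
        build_clean_tree(clean)
        return scan_for_royal_indicators(impacted), scan_for_royal_indicators(clean)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    impacted_result, clean_result = demo()
    print("impacted:", impacted_result)
    print("clean:   ", clean_result)
```

Pointed at a real share or backup snapshot, the same function gives an incident responder a quick scope estimate (how many directories carry the note, how many files were renamed) before any sample is handled.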

Mitigating the Risks: To protect your network from the Royal Ransomware Group and similar threats, it is essential to implement robust security measures. Some key recommendations from the Federal Bureau of Investigation (FBI) and CISA's Cybersecurity Performance Goals include:

  1. Developing a comprehensive recovery plan that encompasses secure backups, segregation, and strategic network configuration.
  2. Enforcing strong password policies, multi-factor authentication, and account lockouts.
  3. Regularly updating and patching systems, software, and firmware.
  4. Segmenting networks to prevent unauthorized access to critical assets.
  5. Implementing network monitoring tools to detect abnormal activity and ransomware traversal.
  6. Installing and regularly updating antivirus software for real-time detection.
  7. Reviewing Domain Controller servers, workstations, and Active Directory for unrecognized accounts, and removing unnecessary administrative privileges.
  8. Following the principle of least privilege when configuring access controls.