Researchers have noticed new Royal ransomware operations active in the cybercrime world. Hackers involved demand a whopping $250,000 to $2 million ransom amount from victim corporations. The ransomware operation was first observed in January 2022.

The Royal attack

Samples suggest the ransomware was rebranded Royal in mid-September
  • According to researchers, cybercriminals are possibly a group comprising members from other experienced ransomware operations because their attacks have components from different ransomware gangs. 
  • For instance, they used an encryptor from BlackCat ransomware group. Though, now they have started to develop their own encryptors. 
  • The first encryptor was Zeon that generated a ransom note similar to Conti’s note.

Attack tactics

  • To lure victims, the Royal group uses callback phishing attacks, impersonating food delivery and software providers, urging the potential victim to renew these so-called subscriptions.
  • The phishing emails contain phone numbers that victims are supposed to call to cancel their subscriptions and avoid charges.
  • When the victim calls the number, the threat actors posing as service operators attempt to convince them to install remote access software, providing initial access to the networks.

Post-exploitation activities

  • Upon getting access to the corporate network, threat actors manually perform the next stages of the malicious operation.
  • They deploy the Cobalt Strike tool to harvest credentials, move laterally across the Windows domain, steal data, and eventually encrypt the victim devices.

Moreover, hackers target virtual machines by encrypting virtual disk files (VMDK).

Concluding note

Experts suspect that the Royal ransomware group will possibly evolve into a major enterprise-targeting ransomware operation. To stay protected from such threats, it is recommended that network and security admins should take proactive measures and continuously check for any loopholes.
Cyware Publisher