News Royal Ransomware Operation Uses Callback Phishing Attacks

The Royal attack

• According to researchers, cybercriminals are possibly a group comprising members from other experienced ransomware operations because their attacks have components from different ransomware gangs. 
• For instance, they used an encryptor from BlackCat ransomware group. Though, now they have started to develop their own encryptors. 
• The first encryptor was Zeon that generated a ransom note similar to Conti’s note.

Attack tactics

• To lure victims, the Royal group uses callback phishing attacks, impersonating food delivery and software providers, urging the potential victim to renew these so-called subscriptions.
• The phishing emails contain phone numbers that victims are supposed to call to cancel their subscriptions and avoid charges.
• When the victim calls the number, the threat actors posing as service operators attempt to convince them to install remote access software, providing initial access to the networks.

Post-exploitation activities

• Upon getting access to the corporate network, threat actors manually perform the next stages of the malicious operation.
• They deploy the Cobalt Strike tool to harvest credentials, move laterally across the Windows domain, steal data, and eventually encrypt the victim devices.

Concluding note