A new ransomware group dubbed Royal that formed earlier this year has significantly ramped up its operations over the past few months and developed its own custom ransomware program that allows attackers to perform flexible and fast file encryption. "The Royal ransomware group emerged in early 2022 and has gained momentum since the middle of the year," researchers from security firm Cybereason said in a new report. "Its ransomware, which the group deploys through different TTPs, has impacted multiple organizations across the globe. The group itself is suspected of consisting of former members of other ransomware groups, based on similarities researchers have observed between Royal ransomware and other ransomware operators."

Royal ransomware group tactics

The Royal ransomware group's tactics bear similarities to those of Conti, prompting suspicion that it's partly made up of former members of the infamous group that shut down in May 2022. When it originally started its operations in January, Royal relied on third-party ransomware programs such as BlackCat and Zeon, but by September it shifted to its own custom-made file encryption program.

Since then, the group has claimed dozens of victims across various industry sectors, including the Silverstone motor racing circuit in London. Most of the victims, however, are in the US, and some early statistics suggest the group managed to overtake LockBit as the leading ransomware threat in November.

The Royal group uses phishing as an initial attack vector, as well as third-party loaders such as BATLOADER and Qbot for distribution. Initial access is followed by the deployment of a Cobalt Strike implant for persistence and to move laterally inside the environment in preparation for dropping the ransomware payload.

Partial encryption can evade detection

Attackers can execute the ransomware program with three command-line arguments: one that specifies the path to be encrypted, one that specifies what percentage of each file's contents will be encrypted, and one that provides a unique ID identifying the victim.
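Encrypting only a percentage of each file matters to defenders because many "looks encrypted" heuristics measure the byte entropy of a whole file. The following added example, which is not code from the article or from any Royal sample, shows the gap and one way to close it: a constructed plaintext has the first N percent of its bytes replaced with uniformly random noise as a stand-in for ciphertext (no cipher is involved), and entropy is then measured both over the whole file and over fixed 4 KB windows. Assumptions: the noise is placed at the start of the file (the article does not say where Royal puts the encrypted region) and the thresholds 7.0 and 7.5 bits per byte are illustrative.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(data: bytes, window: int = 4096) -> float:
    """Highest entropy observed over non-overlapping fixed-size windows of the data."""
    if not data:
        return 0.0
    return max(shannon_entropy(data[i:i + window]) for i in range(0, len(data), window))


def replace_leading_bytes_with_noise(plaintext: bytes, percent: int, seed: int = 1) -> bytes:
    """Analysis stand-in for a partially encrypted file (assumption: the encrypted region
    is at the start). The leading `percent` of bytes become uniformly random noise, which
    is what ciphertext looks like to an entropy measure; nothing is actually encrypted."""
    rng = random.Random(seed)
    cut = len(plaintext) * percent // 100
    return bytes(rng.getrandbits(8) for _ in range(cut)) + plaintext[cut:]


# Constructed sample "document" of roughly 100 KB: a repeated English sentence.
SAMPLE_PLAINTEXT = b"The quarterly report is attached for review by the finance team. " * 1600

WHOLE_FILE_THRESHOLD = 7.0   # illustrative bar for "this whole file looks encrypted"
WINDOW_THRESHOLD = 7.5       # illustrative bar applied to each 4 KB window


def whole_file_flags(data: bytes) -> bool:
    """Classic check: entropy of the entire file above the threshold."""
    return shannon_entropy(data) >= WHOLE_FILE_THRESHOLD


def windowed_flags(data: bytes) -> bool:
    """Windowed check: any 4 KB window above the threshold, which survives partial encryption."""
    return max_window_entropy(data) >= WINDOW_THRESHOLD


if __name__ == "__main__":
    for pct in (100, 50, 10):
        blob = replace_leading_bytes_with_noise(SAMPLE_PLAINTEXT, pct)
        print(f"{pct:3d}% noise: whole-file H={shannon_entropy(blob):.2f} "
              f"flag={whole_file_flags(blob)} | max 4KB window H={max_window_entropy(blob):.2f} "
              f"flag={windowed_flags(blob)}")
```

With 10 percent of the file replaced, the whole-file entropy stays well under 7.0 because the remaining 90 percent of low-entropy text dominates the byte histogram, so a whole-file rule misses it, while the first 4 KB window alone sits near 8.0 and trips the windowed rule. The design point is that the detector's granularity has to be smaller than the smallest region the ransomware encrypts.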

When run, the program first launches the vssadmin.exe Windows utility to delete all shadow copies of the file system, a standard routine most ransomware families use to prevent file recovery through the Windows backup mechanism. Next, it sets several file types and directories to be excluded from the encryption routine. These include executable files, the entire Windows folder, so that the OS keeps running, and the Tor browser folder, which the victim needs in order to reach the group's ransom portal on the Tor network.
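Because the shadow-copy deletion described above runs before any file is touched, a process-creation alert on it gives responders a window to act before the encryption routine completes. The following added example is not from the article or from any Royal sample: it parses a handful of constructed process-creation log lines (a simplified key=value layout, not real telemetry or a specific product's format) and flags any vssadmin invocation of the "delete shadows" verb, regardless of casing, extra spacing or the .exe suffix, while ignoring benign uses such as listing shadows. The log field names and the Alert structure are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed process-creation events (not real telemetry), one per line.
SAMPLE_LOG = """\
2022-11-28T09:14:02Z host=FS01 user=CORP\\backupsvc ppid=7788 image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe list shadows"
2022-11-28T09:31:45Z host=WS17 user=CORP\\alice ppid=5120 image=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c dir C:\\Users\\alice"
2022-11-28T09:32:10Z host=WS17 user=CORP\\alice ppid=5120 image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"
2022-11-28T09:32:11Z host=WS17 user=CORP\\alice ppid=5120 image=C:\\Windows\\System32\\vssadmin.exe cmd="VSSADMIN.EXE  Delete  Shadows  /For=C:  /Quiet"
2022-11-28T09:40:00Z host=DC01 user=NT AUTHORITY\\SYSTEM ppid=4 image=C:\\Windows\\System32\\svchost.exe cmd="svchost.exe -k netsvcs"
"""

# Field layout of the constructed log; `user` may contain spaces, so it is matched lazily.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>.+?) ppid=(?P<ppid>\d+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>[^"]*)"$'
)

# vssadmin with the "delete shadows" verb: any casing, any run of whitespace, with or
# without ".exe". "list shadows" and "create shadow" do not match.
SHADOW_DELETE_RE = re.compile(r'\bvssadmin(?:\.exe)?\s+delete\s+shadows\b', re.IGNORECASE)


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    cmd: str
    scope: str    # "all" for /all, the /for= volume if given, else "unspecified"
    quiet: bool   # /quiet suppresses the confirmation prompt, typical of scripted use


def parse_line(line: str) -> Optional[dict]:
    """Return the event's fields as a dict, or None for a line that does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_shadow_deletion(log_text: str) -> List[Alert]:
    """Scan process-creation events and return one Alert per shadow-copy deletion attempt."""
    alerts: List[Alert] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not SHADOW_DELETE_RE.search(rec["cmd"]):
            continue
        cmd_lower = rec["cmd"].lower()
        if "/all" in cmd_lower:
            scope = "all"
        else:
            for_match = re.search(r'/for=(\S+)', cmd_lower)
            scope = for_match.group(1) if for_match else "unspecified"
        alerts.append(Alert(rec["ts"], rec["host"], rec["user"], rec["cmd"],
                            scope, "/quiet" in cmd_lower))
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_deletion(SAMPLE_LOG):
        print(f"{a.ts} {a.host} {a.user}: shadow copies deleted (scope={a.scope}, quiet={a.quiet})")
```

Matching on the command line rather than on the image path alone is deliberate: the same binary is run legitimately by backup software to list or create shadow copies, so the verb is what separates routine administration from pre-encryption cleanup. In a production rule, the same pattern would be paired with the parent process and user context, which the example keeps in the Alert for that purpose.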