For more detailed information, you can refer to the CISA advisory on Royal Ransomware. Stay informed and vigilant! 👀🔒
SHA256: f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429
This malware is a 64-bit executable that is ready to run as-is. It calls GetCommandLineW to retrieve the command line it was launched with.
It then calls CommandLineToArgvW to split that command line into an argument array the program can walk through.
The malware looks for arguments beginning with “-path”, “-id”, and “-ep”. The “-id” argument is mandatory and must be a 32-character string of letters or digits, most likely used to identify a specific target or victim. Any combination of 32 such characters is accepted.
The ransomware deletes the volume shadow copies (backup snapshots) by launching vssadmin.exe.
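As an added defender-side example (not from the original post or from Gurucul), the following Python triages constructed Sysmon-style process-creation events for the two behaviours described above: the mandatory 32-character “-id” launch argument and the vssadmin shadow-copy deletion. The event field names and sample command lines are assumptions built for this example.

```python
import re

# Constructed Sysmon-style process-creation events for the example; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\victim\Downloads\update.exe",
     "CommandLine": r"update.exe -path C:\ -id 9f2a0c3e4b5d6a7f8e9d0c1b2a3f4e5d -ep 50"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin.exe list shadows"},
    {"Image": r"C:\Program Files\Backup\backup.exe",
     "CommandLine": r"backup.exe -id 12345 -path D:\data"},
]

# Royal requires "-id" to be exactly 32 letters or digits; "-path" and "-ep" are optional.
VICTIM_ID_RE = re.compile(r"^[0-9A-Za-z]{32}$")
ROYAL_SWITCHES = {"-path", "-id", "-ep"}

def parse_switches(cmdline):
    """Collect '-switch value' pairs from a command line (whitespace split, no quoting)."""
    tokens = cmdline.split()
    found = {}
    for i, tok in enumerate(tokens):
        if tok.lower() in ROYAL_SWITCHES and i + 1 < len(tokens):
            found[tok.lower()] = tokens[i + 1]
    return found

def has_royal_style_args(cmdline):
    """True when the mandatory 32-character alphanumeric -id value is present."""
    return bool(VICTIM_ID_RE.match(parse_switches(cmdline).get("-id", "")))

def deletes_shadow_copies(image, cmdline):
    """True for vssadmin.exe invoked with 'delete shadows' (Inhibit System Recovery, T1490)."""
    words = cmdline.lower().split()
    return image.lower().endswith("vssadmin.exe") and "delete" in words and "shadows" in words

def triage(events):
    """Return (event index, reason) pairs for events matching either Royal behaviour."""
    hits = []
    for n, ev in enumerate(events):
        if has_royal_style_args(ev["CommandLine"]):
            hits.append((n, "32-char -id argument (Royal-style launch)"))
        if deletes_shadow_copies(ev["Image"], ev["CommandLine"]):
            hits.append((n, "vssadmin shadow copy deletion (T1490)"))
    return hits

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The `-id` check alone will also match unrelated tools that take a 32-character token, so pair it with the shadow-copy deletion or the README.txt drops before escalating.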
The malware then initialises networking by calling WSAStartup, which loads the Winsock DLL that provides the socket functions it needs.
It then creates a socket through the Winsock API.
Using WSAIoctl with the control code 0xC8000006 (SIO_GET_EXTENSION_FUNCTION_POINTER), it retrieves a pointer to a Winsock extension function, giving it access to functionality beyond the basic socket calls.
The program calls GetNativeSystemInfo to learn about the host it is running on, including how many processors it has.
Based on the processor count, the malware spawns several encryption threads that run in parallel, locking files so they cannot be opened without the key.
One dedicated thread is responsible for enumerating all the files to be encrypted.
GetIpAddrTable is used to retrieve the table of IPv4 addresses assigned to the host's interfaces.
The addresses it finds are converted from network byte order to host byte order before use.
The Royal ransomware creates an I/O completion port to manage its asynchronous operations; at this point it is not yet associated with any file handle or socket.
It calls WSASocketW with the values 0x2, 0x1 and 0x6 (AF_INET, SOCK_STREAM, IPPROTO_TCP) to create a TCP socket.
The ransomware then binds this socket to an address so it knows where to send and receive data.
Next, it associates the I/O completion port created earlier with this socket.
The ransomware then attempts connections to other hosts on the same network on TCP port 445 (SMB), looking for systems it can spread to.
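An added network-side example (not part of the original post or Gurucul's tooling): the Python below runs over constructed flow records and flags any source that reaches many distinct hosts on TCP/445 inside a short window, the pattern the SMB sweep described above produces. The record layout, addresses and thresholds are assumptions for the example.

```python
from collections import defaultdict

# Constructed flow records (timestamp_s, src_ip, dst_ip, dst_port); not real traffic.
SAMPLE_FLOWS = (
    # one host sweeping twenty neighbours on TCP/445 within twenty seconds
    [(t, "10.0.0.5", f"10.0.0.{10 + t}", 445) for t in range(20)]
    # a workstation talking repeatedly to a single file server: normal SMB use
    + [(t, "10.0.0.7", "10.0.0.50", 445) for t in range(0, 60, 5)]
    # outbound HTTPS to many external hosts: many peers, but not SMB
    + [(t, "10.0.0.8", f"198.51.100.{t}", 443) for t in range(15)]
)

def smb_fanout(flows, threshold=10, window_s=60):
    """Return {src_ip: peak distinct TCP/445 targets} for every source that contacts
    at least `threshold` distinct hosts on port 445 within any `window_s`-second window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        peak = 0
        # slide a window starting at each connection; conns is time-ordered
        for i, (t0, _) in enumerate(conns):
            targets = {dst for ts, dst in conns[i:] if ts - t0 <= window_s}
            peak = max(peak, len(targets))
        if peak >= threshold:
            alerts[src] = peak
    return alerts

if __name__ == "__main__":
    for src, n in smb_fanout(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct hosts on TCP/445 within 60 s (possible lateral-movement sweep)")
```

Tune `threshold` to the number of SMB peers a normal workstation has on your network; vulnerability scanners and backup servers will need an allow-list.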
The malware dequeues completed operations from the I/O completion port with GetQueuedCompletionStatus, ticking each one off as it finishes.
It uses WSAAddressToStringW to convert the reachable addresses from sockaddr structures into readable IP address strings.
The ransomware then enumerates the network shares it finds, skipping the administrative shares “ADMIN$” and “IPC$”.
It calls GetLogicalDrives to enumerate the logical drives present on the system.
It creates a file named “README.txt” on each drive, opening it with the access mask 0x40000000 (GENERIC_WRITE).
It writes the ransom message into this file using WriteFile; the message embeds the 32-character “-id” value, which likely identifies the victim.
The ransomware begins searching for files to encrypt with FindFirstFileW.
Each directory name found is compared with StrStrIW against a list of directories it is meant to leave alone; if the name is on the list, the directory is skipped.
File enumeration continues by calling the FindNextFileW API.
The malware embeds a hard-coded RSA public key that it uses in its file encryption scheme.
It uses the OpenSSL library to encrypt files with AES. Each file is encrypted with an AES key, and that AES key is in turn encrypted with the embedded RSA public key.
To encrypt a file, it opens it with CreateFileW using the access mask 0x10000000 (GENERIC_ALL), giving it full control over the file.
It obtains the file size with GetFileSizeEx.
It calls SetFilePointerEx with the move method 0x0 (FILE_BEGIN) so that encryption starts from the very beginning of the file.
It generates a random 32-byte AES key and a 16-byte IV with BCryptGenRandom, passing the flag 0x2 (BCRYPT_USE_SYSTEM_PREFERRED_RNG) so that the system-preferred random number generator is used.
The malware reads the file contents with ReadFile.
It then encrypts the data with AES-256, processing it in 16-byte blocks.
The encrypted content is written back into the file together with the AES key and IV, both of which are encrypted with the RSA public key.
Next, the ransomware records how much of the file it has encrypted; the value 0x64 (100) means the whole file was encrypted.
Finally, it renames the file with the “.royal” extension to mark it as encrypted. It does this with MoveFileExW using the flag 0x8 (MOVEFILE_WRITE_THROUGH), which makes the rename take effect on disk before the call returns.
Indicators of Compromise:
SHA256: f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429
Ransom note file name: README.txt
Shadow copy deletion command: C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
Tactic | Technique | ID | GRA Detection |
--- | --- | --- | --- |
Persistence | Registry Run Keys / Startup Folder | T1547.001 | 19 |
Privilege Escalation | Privilege Escalation | TA0004 | 8 |
Privilege Escalation | Portable Executable Injection | T1055.002 | 0 |
Privilege Escalation | Access Token Manipulation: Token Impersonation/Theft | T1134.001 | 0 |
Privilege Escalation | Create Process with Token | T1134.002 | 0 |
Defense Evasion | Embedded Payloads | T1027.009 | 0 |
Defense Evasion | Deobfuscate/Decode Files or Information | T1140 | 2 |
Discovery | Process Discovery | T1057 | 0 |
Discovery | System Information Discovery | T1082 | 0 |
Discovery | File and Directory Discovery | T1083 | 0 |
Impact | Data Encrypted for Impact | T1486 | 1 |
Impact | Inhibit System Recovery | T1490 | 8 |
Impact | Financial Theft | T1657 | 0 |
About the Author:
Rudra Pratap, Security Research Manager, Gurucul
Rudra Pratap is a Security Research Manager and heads Threat Research at Gurucul with over 12 years of experience in security research and development. Rudra’s expertise spans a wide range of cybersecurity domains, including cloud & endpoint protection, threat detection & response and advanced persistent threats (APTs). He has authored multiple research papers and presented at conferences, sharing insights on topics such as industry threats and cyber espionage campaigns. With a strong background in security research, Rudra has made significant contributions to industry giants like Microsoft and FireEye.