Threat Research

Royal Ransomware

Executive Summary

1. Origins and Activity:

  • The Royal ransomware made its debut in 2022, swiftly establishing itself as a significant menace in the cybersecurity landscape.
  • During its reign, Royal has targeted both U.S. and international organizations, infiltrating their networks with malicious intent.
  • Notably, this variant evolved from an earlier version that utilized a loader called “Zeon.”

2. Modus Operandi:

  • Once inside a victim’s network, Royal actors follow a well-defined playbook:
    • Volume Shadow Copies: The ransomware methodically deletes all Volume Shadow Copies, which are point-in-time backups of files. By eliminating these copies, it prevents easy file recovery.
    • Selective Encryption: Royal selectively encrypts files, avoiding specific file extensions and folders. It focuses on network shares within the local network and local drives.
    • Victim Identification: A parameter called “-id” must be supplied on the command line; its value is embedded in the ransom note and uniquely identifies the victim.
    • Encryption Algorithm: Royal uses AES (via a statically linked OpenSSL) for file encryption. The per-file AES key and initialization vector (IV) are encrypted with an RSA public key hard-coded in the executable, so files cannot be recovered without the operators’ private key.
    • Partial Encryption: Depending on the file’s size and the “-ep” parameter, Royal encrypts either the whole file or only a portion of it, which speeds up the attack while still rendering large files unusable.
    • File Extension Change: The encrypted files undergo a transformation—their extensions are altered to “.royal”.

3. Ransom Demands and Interaction:

  • Royal actors are not subtle about their intentions. They demand hefty ransoms, ranging from approximately $1 million to $11 million USD, payable in Bitcoin.
  • Interestingly, the initial ransom note does not specify the exact amount or payment instructions. Instead, victims are directed to interact directly with the threat actor via a .onion URL, accessible through the Tor browser.
  • The stakes are high: Royal has targeted critical infrastructure sectors, including Manufacturing, Communications, Healthcare, and Education.

4. Data Exfiltration and Extortion:

  • Royal doesn’t stop at encryption. Before locking down systems, the actors exfiltrate substantial amounts of data.
  • If the ransom remains unpaid, Royal takes a more aggressive stance: it publishes victim data on a leak site.

5. Magnitude of Impact:

  • Since September 2022, Royal has left its mark on over 350 known victims worldwide.
  • The cumulative ransom demands have soared beyond an astonishing $275 million USD.

6. Phishing as an Entry Point:

  • Royal’s initial access often occurs through phishing emails, which remain a highly successful vector for the threat actors.

7. Future Outlook:

  • There are indications that Royal may undergo a re-branding effort or give rise to a spinoff variant.
  • Keep a vigilant eye on developments in the cybersecurity landscape to stay ahead of this formidable adversary.

For more detailed information, refer to the joint CISA/FBI advisory on Royal Ransomware (AA23-061A). Stay informed and vigilant!

Technical Analysis:

Main Process:

SHA256: f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429

The sample is a 64-bit Windows executable and runs as-is (no unpacking is needed before analysis). It retrieves its own command line with GetCommandLineW and splits it into an argument vector with CommandLineToArgvW.

It then looks for the switches “-path”, “-id” and “-ep”. The “-id” switch is mandatory: its value is a 32-character string that is later written into the ransom note and identifies the victim. Any 32 characters are accepted; the value is not validated beyond its length.

Before encrypting anything, the ransomware deletes the Volume Shadow Copies by spawning vssadmin.exe (the full command line is listed under Indicators of Compromise). This removes the point-in-time copies Windows could otherwise use to restore files, and the process creation is one of the most reliable detection points for this family.
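The vssadmin call above is the obvious place to detect this family from process-creation telemetry. The following is an added example (not code from the original analysis or from Gurucul): it normalises a command line and matches it against the common T1490 recovery-inhibition commands, going beyond the single vssadmin line on this page to the related wmic, bcdedit and wbadmin variants. The sample events are constructed for the example; only the first mirrors the command line the Royal sample actually spawns.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// procEvent is a minimal process-creation record of the kind Sysmon Event ID 1
// or Windows Security 4688 produce. Constructed for this example, not real telemetry.
type procEvent struct {
	Image       string
	ParentImage string
	CommandLine string
}

// Constructed sample events: the first is the Royal command line, the next three
// are other well-known recovery-inhibition commands, the fifth is benign noise.
var sampleEvents = []procEvent{
	{`C:\Windows\System32\vssadmin.exe`, `C:\Users\Public\royal.exe`, `C:\Windows\System32\vssadmin.exe delete shadows /all /quiet`},
	{`C:\Windows\System32\vssadmin.exe`, `C:\Windows\System32\cmd.exe`, `vssadmin  Delete Shadows /For=C: /Quiet`},
	{`C:\Windows\System32\wbem\WMIC.exe`, `C:\Windows\System32\cmd.exe`, `wmic shadowcopy delete`},
	{`C:\Windows\System32\bcdedit.exe`, `C:\Windows\System32\cmd.exe`, `bcdedit /set {default} recoveryenabled No`},
	{`C:\Windows\System32\vssadmin.exe`, `C:\Program Files\Backup\agent.exe`, `vssadmin list shadows`},
	{`C:\Windows\System32\vssadmin.exe`, `C:\Windows\System32\cmd.exe`, `vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB`},
}

// T1490 "Inhibit System Recovery" patterns, matched against a normalised command line.
var recoveryInhibitRules = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"vssadmin delete shadows", regexp.MustCompile(`\bvssadmin(\.exe)? delete shadows\b`)},
	{"vssadmin resize shadowstorage", regexp.MustCompile(`\bvssadmin(\.exe)? resize shadowstorage\b`)},
	{"wmic shadowcopy delete", regexp.MustCompile(`\bwmic(\.exe)? shadowcopy delete\b`)},
	{"bcdedit recoveryenabled no", regexp.MustCompile(`\bbcdedit(\.exe)? .*recoveryenabled no\b`)},
	{"wbadmin delete catalog", regexp.MustCompile(`\bwbadmin(\.exe)? delete catalog\b`)},
}

// normaliseCmd lower-cases the command line, collapses whitespace, and strips
// quotes and the directory part from the leading image token, so that
// "C:\Windows\System32\vssadmin.exe" and "VSSADMIN" hit the same rule.
func normaliseCmd(cmd string) string {
	fields := strings.Fields(strings.ToLower(cmd))
	if len(fields) == 0 {
		return ""
	}
	first := strings.Trim(fields[0], `"`)
	if i := strings.LastIndex(first, `\`); i >= 0 {
		first = first[i+1:]
	}
	fields[0] = first
	return strings.Join(fields, " ")
}

// matchRules returns the names of every rule the command line triggers.
func matchRules(cmd string) []string {
	norm := normaliseCmd(cmd)
	var hits []string
	for _, r := range recoveryInhibitRules {
		if r.Re.MatchString(norm) {
			hits = append(hits, r.Name)
		}
	}
	return hits
}

type finding struct {
	Rule        string
	ParentImage string // the parent is what separates a backup agent from ransomware
	CommandLine string
}

// detectRecoveryInhibit runs every event through the rule set.
func detectRecoveryInhibit(events []procEvent) []finding {
	var out []finding
	for _, ev := range events {
		for _, rule := range matchRules(ev.CommandLine) {
			out = append(out, finding{rule, ev.ParentImage, ev.CommandLine})
		}
	}
	return out
}

func main() {
	for _, f := range detectRecoveryInhibit(sampleEvents) {
		fmt.Printf("[%s] parent=%s cmd=%q\n", f.Rule, f.ParentImage, f.CommandLine)
	}
}
```

Backup and imaging software legitimately runs vssadmin resize shadowstorage and occasionally delete shadows, so the finding carries the parent image: a vssadmin spawned by an unknown binary under a user-writable path, as in the first sample event, deserves a very different response from the same command spawned by a known backup agent.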

Next, the malware initialises Winsock by calling WSAStartup, which must be done before any of the socket APIs it uses for network discovery can be called.

It then creates a socket with the following arguments:

  • 0x2 = AF_INET: IPv4 addressing.
  • 0x1 = SOCK_STREAM: a connection-oriented (TCP) socket rather than datagrams.

Through WSAIoctl with control code 0xC8000006 (SIO_GET_EXTENSION_FUNCTION_POINTER) it retrieves a pointer to a Winsock extension function. The screenshot does not show which function GUID is requested; in code built around I/O completion ports this call is typically used to obtain ConnectEx, which lets many outbound connections be issued asynchronously.

The program calls GetNativeSystemInfo to learn about the host, in particular the number of logical processors.

Based on that processor count, it spawns a matching number of encryption threads so that files are encrypted in parallel.

One dedicated thread is responsible for enumerating the files to be encrypted.

GetIpAddrTable is then called to retrieve the IPv4 address table of the host, i.e. every IPv4 address assigned to a local interface, which gives the ransomware the networks it will scan.

The addresses in that table are stored in network byte order (big-endian); the malware converts them to host byte order (an ntohl-style swap) so that they can be handled as ordinary integers, which is what the subnet scanning described below requires.

The ransomware then creates an I/O completion port (CreateIoCompletionPort with INVALID_HANDLE_VALUE) that is not yet associated with any file or socket handle; this port is the queue on which the results of its asynchronous connection attempts will later be delivered.

It creates another socket with WSASocketW, this time specifying the protocol explicitly: 0x2 (AF_INET), 0x1 (SOCK_STREAM) and 0x6 (IPPROTO_TCP).

The new socket is bound to a local address with bind.

The socket is then associated with the completion port created earlier, so that completions for asynchronous operations on it are queued there.

Using these sockets, the ransomware attempts TCP connections to the other hosts on the local network on port 445 (SMB). A host that accepts the connection exposes file shares and becomes a candidate for having its shares encrypted over the network.

Completed connection attempts are dequeued from the completion port with GetQueuedCompletionStatus.

For each reachable host, WSAAddressToStringW converts the sockaddr structure back into a printable IP address string, so the host can be addressed in the share enumeration that follows.

The ransomware then enumerates the network shares on each host and builds a list of targets, skipping the administrative shares ADMIN$ and IPC$. Those two hold no user data (IPC$ carries the named pipes used for RPC, ADMIN$ maps to the Windows directory), so excluding them avoids wasted effort and keeps the remote host stable; ordinary data shares remain in scope.
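The scan described above, one source contacting many neighbours on 445 in quick succession, is visible in flow telemetry even when the individual connections fail. The following is an added example (not code from the original analysis or from Gurucul) that parses constructed Zeek-style conn records and reports any source that reaches an unusual number of distinct hosts on TCP/445 inside a time window. The record format, the five-second window and the threshold of five hosts are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// flow holds the fields used here; they correspond to Zeek conn.log's ts,
// id.orig_h, id.resp_h, id.resp_p and conn_state columns.
type flow struct {
	ts    float64
	src   string
	dst   string
	dport int
	state string
}

// sampleConnLog is constructed, not traffic from a real incident. 10.1.2.50
// sweeps eight neighbours on 445 within two seconds (the Royal pattern);
// 10.1.2.77 is a workstation talking repeatedly to one file server.
const sampleConnLog = `1700000000.10 10.1.2.50 10.1.2.1 445 S0
1700000000.11 10.1.2.50 10.1.2.2 445 S0
1700000000.12 10.1.2.50 10.1.2.3 445 SF
1700000000.15 10.1.2.50 10.1.2.4 445 S0
1700000000.20 10.1.2.50 10.1.2.5 445 REJ
1700000000.25 10.1.2.50 10.1.2.6 445 S0
1700000000.30 10.1.2.50 10.1.2.7 445 SF
1700000001.90 10.1.2.50 10.1.2.8 445 S0
1700000000.50 10.1.2.50 8.8.8.8 443 SF
1700000000.00 10.1.2.77 10.1.2.10 445 SF
1700000010.00 10.1.2.77 10.1.2.10 445 SF
1700000020.00 10.1.2.77 10.1.2.10 445 SF
1700000300.00 10.1.2.77 10.1.2.11 445 SF`

// parseConnLog turns whitespace-separated records into flows, rejecting
// malformed lines rather than silently skipping them.
func parseConnLog(text string) ([]flow, error) {
	var flows []flow
	for n, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: want 5 fields, got %d", n+1, len(f))
		}
		ts, err := strconv.ParseFloat(f[0], 64)
		if err != nil {
			return nil, fmt.Errorf("line %d: bad timestamp: %w", n+1, err)
		}
		port, err := strconv.Atoi(f[3])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad port: %w", n+1, err)
		}
		flows = append(flows, flow{ts, f[1], f[2], port, f[4]})
	}
	return flows, nil
}

// smbSweeps returns, per source, the largest number of distinct destinations
// contacted on dport inside any window of `window` seconds, keeping only
// sources that reach minHosts or more. Connection state is deliberately
// ignored: a scanner's probes mostly fail (S0/REJ) and the attempt is the signal.
func smbSweeps(flows []flow, dport int, window float64, minHosts int) map[string]int {
	bySrc := map[string][]flow{}
	for _, f := range flows {
		if f.dport == dport {
			bySrc[f.src] = append(bySrc[f.src], f)
		}
	}
	hits := map[string]int{}
	for src, fs := range bySrc {
		sort.Slice(fs, func(i, j int) bool { return fs[i].ts < fs[j].ts })
		best := 0
		for i := range fs {
			seen := map[string]struct{}{}
			for j := i; j < len(fs) && fs[j].ts-fs[i].ts <= window; j++ {
				seen[fs[j].dst] = struct{}{}
			}
			if len(seen) > best {
				best = len(seen)
			}
		}
		if best >= minHosts {
			hits[src] = best
		}
	}
	return hits
}

func main() {
	flows, err := parseConnLog(sampleConnLog)
	if err != nil {
		panic(err)
	}
	for src, n := range smbSweeps(flows, 445, 5.0, 5) {
		fmt.Printf("possible SMB sweep from %s: %d distinct hosts on 445 within 5s\n", src, n)
	}
}
```

Tune the window and threshold to the environment: vulnerability scanners and SCCM/Intune distribution points also fan out on 445, so an allow-list of known scanning sources belongs in front of this logic in production.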

Thread activity – StartAddress function

The thread calls GetLogicalDrives to obtain the bitmask of drive letters present on the system.

In each drive it creates the ransom note README.txt with CreateFileW; the access mask 0x40000000 is GENERIC_WRITE.

The note text is written with WriteFile. It embeds the value of the “-id” parameter, the 32-character string that identifies the victim.

File enumeration starts with FindFirstFileW.

Each directory name found is compared against an embedded exclusion list with StrStrIW (a case-insensitive substring search). If the name matches an entry, the directory is skipped and nothing inside it is encrypted.

The enumeration continues with FindNextFileW until the directory tree is exhausted.

Thread activity – FileEncryption Thread function

The executable contains a hard-coded RSA public key. This key is not applied to file contents directly; it encrypts the per-file AES key and IV, so only the holder of the matching private key can recover them.

File contents are encrypted with AES using the statically linked OpenSSL library. Each file is encrypted with its own AES key, and that key is in turn encrypted with the embedded RSA public key.

To encrypt a file, the thread opens it with CreateFileW; the access mask 0x10000000 is GENERIC_ALL.

It retrieves the size with GetFileSizeEx; the size, together with the “-ep” parameter, determines whether the file is encrypted fully or partially.

It positions the file pointer at the start of the file with SetFilePointerEx, using move method 0x0 (FILE_BEGIN).

A fresh 32-byte AES-256 key and a 16-byte IV are generated with BCryptGenRandom; the flag 0x2 is BCRYPT_USE_SYSTEM_PREFERRED_RNG, i.e. the system CNG random number generator, so the per-file key material is not predictable.

The file is read with ReadFile and encrypted with AES-256 one 16-byte block at a time.

The ciphertext is written back in place, followed by the AES key and IV, which are encrypted with the RSA public key before being appended. Because every file gets its own key, recovering one key does not help with any other file; recovery depends entirely on the RSA private key held by the operators.

Next, the percentage of the file that was encrypted is recorded alongside; the value 0x64 (100) means the whole file was encrypted.

Finally, the file is renamed to carry the “.royal” extension with MoveFileExW; flag 0x8 is MOVEFILE_WRITE_THROUGH, which makes the call wait until the rename has been flushed to disk before returning.
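To make the per-file scheme concrete, the following is an added example (not code from the original analysis or from Gurucul) that models it end to end: a fresh random AES-256 key and IV per file, encryption of the leading percentage of the data in whole 16-byte blocks, a trailer holding the RSA-wrapped key and IV and the percentage, and the decryption that only the private-key holder can perform. The CBC mode, the OAEP padding and the exact trailer layout are assumptions of this example; the page only states which components are present and in what order.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	keyLen = 32            // AES-256 key, as generated with BCryptGenRandom in the sample
	ivLen  = aes.BlockSize // 16-byte IV
	pctLen = 8             // assumed width of the "percent encrypted" trailer field
)

// encryptedLength is how many leading bytes get encrypted for a file of `size`
// bytes at `percent`, rounded down to whole AES blocks; at 100 percent up to 15
// trailing bytes therefore stay in clear under this model.
func encryptedLength(size, percent int) int {
	n := size * percent / 100
	return n - n%aes.BlockSize
}

// generateOperatorKey stands in for the operators' key pair; the real sample
// embeds only the public half.
func generateOperatorKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// encryptFile: random key||iv, AES-256-CBC (assumed mode) over the leading
// percentage of the data, then trailer = RSA-OAEP(key||iv) || percent.
func encryptFile(plain []byte, pub *rsa.PublicKey, percent int) ([]byte, error) {
	if percent < 1 || percent > 100 {
		return nil, errors.New("percent must be between 1 and 100")
	}
	keyIV := make([]byte, keyLen+ivLen)
	if _, err := rand.Read(keyIV); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(keyIV[:keyLen])
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plain), len(plain)+pub.Size()+pctLen)
	copy(out, plain)
	n := encryptedLength(len(plain), percent)
	cipher.NewCBCEncrypter(block, keyIV[keyLen:]).CryptBlocks(out[:n], plain[:n])

	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyIV, nil)
	if err != nil {
		return nil, err
	}
	out = append(out, wrapped...)
	var pct [pctLen]byte
	binary.LittleEndian.PutUint64(pct[:], uint64(percent))
	return append(out, pct[:]...), nil
}

// decryptFile is the operation only the private-key holder can perform:
// unwrap key||iv, read the percentage, and decrypt exactly the encrypted region.
func decryptFile(enc []byte, priv *rsa.PrivateKey) ([]byte, error) {
	trailer := priv.Size() + pctLen
	if len(enc) < trailer {
		return nil, errors.New("data shorter than trailer")
	}
	body := enc[:len(enc)-trailer]
	wrapped := enc[len(body) : len(body)+priv.Size()]
	percent := binary.LittleEndian.Uint64(enc[len(enc)-pctLen:])
	if percent < 1 || percent > 100 {
		return nil, errors.New("corrupt trailer: percent out of range")
	}
	keyIV, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err // wrong key or tampered trailer
	}
	if len(keyIV) != keyLen+ivLen {
		return nil, errors.New("unexpected key material length")
	}
	block, err := aes.NewCipher(keyIV[:keyLen])
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(body))
	copy(out, body)
	n := encryptedLength(len(body), int(percent))
	cipher.NewCBCDecrypter(block, keyIV[keyLen:]).CryptBlocks(out[:n], body[:n])
	return out, nil
}

func main() {
	priv, err := generateOperatorKey(2048)
	if err != nil {
		panic(err)
	}
	doc := bytes.Repeat([]byte("Q3 financials - CONFIDENTIAL\n"), 40) // constructed sample file
	enc, err := encryptFile(doc, &priv.PublicKey, 50)
	if err != nil {
		panic(err)
	}
	dec, err := decryptFile(enc, priv)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plain %d bytes, encrypted %d bytes (%d-byte trailer), round-trip ok: %v\n",
		len(doc), len(enc), priv.Size()+pctLen, bytes.Equal(doc, dec))
}
```

Two things the model makes visible: with a fresh key per file there is no single key to recover from memory that unlocks everything, and partial encryption leaves a readable tail, so file-carving tools can sometimes salvage fragments of large files even though the file as a whole is unusable.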

Indicators of Compromise

SHA256:

f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429

Royal Ransom Note:

README.txt

Process spawned:

C:\Windows\System32\vssadmin.exe delete shadows /all /quiet

MITRE ATT&CK TACTICS AND TECHNIQUES Covered by GRA:

Tactic                Technique                                              ID         GRA Detection
Persistence           Registry Run Keys / Startup Folder                     T1547.001  19
Privilege Escalation  Privilege Escalation                                   TA0004     8
Privilege Escalation  Portable Executable Injection                          T1055.002  0
Privilege Escalation  Access Token Manipulation: Token Impersonation/Theft   T1134.001  0
Privilege Escalation  Create Process with Token                              T1134.002  0
Defense Evasion       Embedded Payloads                                      T1027.009  0
Defense Evasion       Deobfuscate/Decode Files or Information                T1140      2
Discovery             Process Discovery                                      T1057      0
Discovery             System Information Discovery                           T1082      0
Discovery             File and Directory Discovery                           T1083      0
Impact                Data Encrypted for Impact                              T1486      1
Impact                Inhibit System Recovery                                T1490      8
Impact                Financial Theft                                        T1657      0


About the Author:

Rudra Pratap, Security Research Manager, Gurucul

Rudra Pratap is a Security Research Manager and heads Threat Research at Gurucul with over 12 years of experience in security research and development. Rudra’s expertise spans a wide range of cybersecurity domains, including cloud & endpoint protection, threat detection & response and advanced persistent threats (APTs). He has authored multiple research papers and presented at conferences, sharing insights on topics such as industry threats and cyber espionage campaigns. With a strong background in security research, Rudra has made significant contributions to industry giants like Microsoft and FireEye.