The Royal ransomware strain is a growing threat that is targeting critical infrastructure sectors, the US’s CISA and FBI warn in a joint advisory. The advisory also highlights how persistently effective phishing emails remain as a threat vector for cybercriminals: phishing was the initial access vector in 66.7% of the Royal incidents tracked to date.
The note includes detailed indicators of compromise (IOCs), useful well before the more obvious one of your machines locking up and a large ransom demand appearing on screens. CISA and the FBI add that the Royal ransomware actors, not unusually, use a range of commercial and open source tools to aid intrusion activities.
“Royal operators have been observed using Chisel, a tunneling tool transported over HTTP and secured via SSH to communicate with their C2 infrastructure. FBI has observed multiple Qakbot C2s used in Royal ransomware attacks, but has not yet determined if Royal ransomware exclusively uses Qakbot C2,” the two agencies said.
“Royal actors often use RDP to move laterally across the network. Microsoft Sysinternals tool PsExec has also been used to aid lateral movement. FBI has observed Royal actors using remote monitoring and management (RMM) software, such as AnyDesk, LogMeIn, and Atera, for persistence in the victim’s network,” they added.
The group has hit communications, education, healthcare, and manufacturing organisations among others.
The attackers have been asking for ransoms of between $1 million and $11 million in Bitcoin.
Before starting the encryption process, Royal ransomware actors typically use the Windows Restart Manager to determine whether targeted files are currently in use or blocked by other applications, and use the Windows Volume Shadow Copy service (via vssadmin.exe) to delete shadow copies to prevent system recovery.
“The FBI has found numerous batch (.bat) files on impacted systems which are typically transferred as an encrypted 7zip file. Batch files create a new admin user, force a group policy update, set pertinent registry keys to auto-extract and execute the ransomware, monitor the encryption process, and delete files upon completion—including Application, System, and Security event logs,” the advisory notes, with the very first of its proposed mitigations being to “maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud)...”
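The pre-encryption chain described above (a new admin user, shadow copies deleted with vssadmin.exe, then event logs cleared) is what a detection engineer would want to alert on as a sequence rather than as isolated events, because each step alone is noisy. The following is an added example, not code from the advisory or from CISA/FBI: it replays constructed Windows Security-style event records (the host names, user names, timestamps and command lines are invented) and raises one alert per host when two or more distinct stages of the chain occur within a time window. Event IDs 4720 (user created), 4732 (member added to a local group), 4688 (process creation with command line) and 1102/104 (Security/System log cleared) are standard Windows IDs; the `wmic shadowcopy delete` variant is included as a common alternative to vssadmin that the advisory itself does not mention.

```python
"""Added example: sequence detection for the Royal pre-encryption chain.

Not from the CISA/FBI advisory. Sample events below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (invented hosts, users, times). Field names
# loosely mimic Windows Security event records exported to JSON.
SAMPLE_EVENTS = [
    {"host": "FS01", "ts": "2023-03-02T01:10:04Z", "event_id": 4720,
     "user": "svc_backup", "target": "helpdesk2"},
    {"host": "FS01", "ts": "2023-03-02T01:10:05Z", "event_id": 4732,
     "user": "svc_backup", "target": "helpdesk2", "group": "Administrators"},
    {"host": "FS01", "ts": "2023-03-02T01:11:30Z", "event_id": 4688,
     "user": "helpdesk2", "cmdline": "cmd.exe /c gpupdate /force"},
    {"host": "FS01", "ts": "2023-03-02T01:12:01Z", "event_id": 4688,
     "user": "helpdesk2", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "ts": "2023-03-02T01:40:12Z", "event_id": 1102,
     "user": "helpdesk2"},  # Security log cleared
    # Benign: an admin merely listing shadow copies on another host.
    {"host": "WS17", "ts": "2023-03-02T09:00:00Z", "event_id": 4688,
     "user": "jdoe", "cmdline": "vssadmin.exe list shadows"},
]

# Shadow-copy deletion via vssadmin (per the advisory) or wmic (common variant).
SHADOW_DELETE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify(ev):
    """Map one event to a stage of the chain, or None if it is not one."""
    eid = ev["event_id"]
    if eid == 4720:
        return "new_user"
    if eid == 4732 and ev.get("group", "").lower() == "administrators":
        return "admin_added"
    if eid == 4688 and SHADOW_DELETE.search(ev.get("cmdline", "")):
        return "shadow_delete"
    if eid in (1102, 104):
        return "log_cleared"
    return None


def detect(events, window_minutes=60):
    """Return {host: sorted stage names} for hosts where >= 2 distinct
    stages occurred within window_minutes of each other."""
    staged = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            staged[ev["host"]].append((parse_ts(ev["ts"]), stage))

    window = timedelta(minutes=window_minutes)
    alerts = {}
    for host, items in staged.items():
        items.sort()  # chronological
        for i, (ts, _) in enumerate(items):
            # Distinct stages seen in the window ending at this event.
            stages = {s for t, s in items[: i + 1] if ts - t <= window}
            if len(stages) >= 2:
                alerts.setdefault(host, set()).update(stages)
    return {h: sorted(s) for h, s in alerts.items()}


if __name__ == "__main__":
    for host, stages in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

The window is the main tuning knob: the advisory notes the batch files clear the logs only after encryption completes, so a short window would miss the log-clearing stage while still catching user creation plus shadow-copy deletion. Clearing of the Security log (1102) is itself worth a standalone alert on most estates; it is included here as a stage so the sequence alert carries it when it arrives.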
Along with other common security hygiene steps (mandate minimum password complexity rules and implement MFA) the two suggest that organisations “Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model).
“This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task,” CISA and the FBI added in the March 2 advisory.
The advisory also urges admins to consider disabling “command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.”
See the NCSC’s guidance on the four layers of phishing mitigation.