November 14, 2023 at 10:56AM
The Royal ransomware gang is potentially preparing for a rebrand or spinoff, as their ransom demands have already exceeded $275 million. The group has targeted over 350 victims worldwide, demanding between $1 million and $12 million in ransom. They primarily gain access through phishing emails and employ partial encryption and double extortion tactics. Organizations are advised to patch vulnerabilities, provide employee training on phishing scams, and enforce multifactor authentication to mitigate the risk of attacks.
Key Takeaways from the Meeting Notes:
– The Royal ransomware gang has been highly active and has already collected over $275 million since September 2022.
– The group continues to evolve quickly and may be preparing for a rebranding effort or a spinoff variant.
– Royal has targeted over 350 victims worldwide without specific regional or industry targeting.
– Victims have included organizations in critical infrastructure sectors such as manufacturing, communications, education, and healthcare.
– Phishing is the group’s most successful mode of compromising a victim’s network: 66.7% of cases were initiated through phishing emails carrying malicious PDF documents, or through malvertising.
– The second most common mode of entry is Remote Desktop Protocol (RDP); Royal also exploits public-facing applications and obtains footholds from initial access brokers.
– Once inside a network, Royal downloads multiple tools, including legitimate Windows software and Chisel, to strengthen its foothold and communicate with command-and-control (C2).
– Royal’s partial encryption approach selectively encrypts only a set percentage of the data in each file, lowering that percentage for larger files, which helps the encryption evade detection.
– The group practices double extortion by exfiltrating data before encryption and threatening to release it if ransom demands aren’t met.
– Royal uses penetration-testing tools such as Cobalt Strike and malware such as Ursnif/Gozi for data aggregation and exfiltration.
– To protect against Royal and other ransomware groups, organizations are advised to prioritize remediating known vulnerabilities, provide employee training to spot and report phishing scams, and enable multifactor authentication.
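The partial-encryption point above is what makes Royal’s output look different from a fully encrypted file: a document ends up as a mix of untouched plaintext regions and ciphertext regions. The following is an added example (not code from the page or from any vendor report) of the detection heuristic a defender can build on that property: scan a file in fixed-size chunks, measure the Shannon entropy of each, and flag files that contain both low-entropy chunks (text, ordinary documents) and near-8-bits-per-byte chunks (random or encrypted data). The chunk size and the two entropy thresholds are assumed tuning values, not figures from the page, and the sample files are constructed in the block itself: the "partially encrypted" sample simply has some chunks replaced with random bytes to stand in for ciphertext.

```python
import math
import random
from collections import Counter

# Assumed tuning values (not from the article): scan in 4 KiB chunks;
# random/encrypted data measures ~7.95 bits per byte, text and most
# uncompressed documents stay well below 6.5.
CHUNK_SIZE = 4096
HIGH_ENTROPY = 7.5
LOW_ENTROPY = 6.5


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte of buf (0.0 for an empty buffer)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[float]:
    """Entropy of every consecutive chunk_size-byte slice of data."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def encrypted_fraction(data: bytes, chunk_size: int = CHUNK_SIZE) -> float:
    """Share of chunks whose entropy is at or above HIGH_ENTROPY."""
    ents = chunk_entropies(data, chunk_size)
    if not ents:
        return 0.0
    return sum(e >= HIGH_ENTROPY for e in ents) / len(ents)


def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """Label a file by the distribution of its per-chunk entropies.

    "intermittent" is the signature of partial encryption: some chunks look
    like ciphertext while others are still recognisably plaintext. A file
    that is high-entropy throughout may just be compressed or legitimately
    encrypted, so it gets its own label rather than being called malicious.
    """
    ents = chunk_entropies(data, chunk_size)
    if not ents:
        return "empty"
    high = sum(e >= HIGH_ENTROPY for e in ents)
    low = sum(e <= LOW_ENTROPY for e in ents)
    if high == len(ents):
        return "fully-high-entropy"
    if high == 0:
        return "plaintext"
    if low > 0:
        return "intermittent"
    return "indeterminate"


# --- Constructed sample files (not real artifacts) -------------------------
_TEXT = b"Quarterly revenue report: region north, units shipped 1204, returns 17. "
NUM_CHUNKS = 32
PLAIN_FILE = (_TEXT * (CHUNK_SIZE * NUM_CHUNKS // len(_TEXT) + 1))[:CHUNK_SIZE * NUM_CHUNKS]

_rng = random.Random(7)  # fixed seed so the sample is reproducible


def _build_partial_file(every_nth: int) -> bytes:
    """Replace every n-th chunk of PLAIN_FILE with random bytes, standing in
    for the ciphertext regions a partial-encryption scheme would leave."""
    out = bytearray(PLAIN_FILE)
    for i in range(0, NUM_CHUNKS, every_nth):
        out[i * CHUNK_SIZE:(i + 1) * CHUNK_SIZE] = _rng.randbytes(CHUNK_SIZE)
    return bytes(out)


PARTIAL_FILE = _build_partial_file(4)                  # 25% of chunks "encrypted"
RANDOM_FILE = _rng.randbytes(CHUNK_SIZE * NUM_CHUNKS)  # e.g. a legitimate archive


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_FILE), ("partial", PARTIAL_FILE), ("random", RANDOM_FILE)):
        print(f"{name:8s} {classify(blob):20s} high-entropy chunks: {encrypted_fraction(blob):.2f}")
```

In a file-server or EDR sweep this check would run over recently modified documents; the "intermittent" label is the one worth alerting on, because ordinary files are either low-entropy throughout or (when compressed or encrypted by design) high-entropy throughout. The thresholds should be re-tuned per environment, since formats that embed compressed streams, such as Office documents and PDFs, can produce mixed profiles on their own.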