The US Cybersecurity and Infrastructure Security Agency (CISA) has published a new advisory warning system defenders against the Royal Ransomware group.
Part of the Agency’s #StopRansomware campaign, the document was released on Thursday in collaboration with the FBI and describes tactics, techniques and procedures (TTPs) alongside indicators of compromise (IOCs) associated with Royal ransomware variants.
The joint Cybersecurity Advisory (CSA) says recent malicious activity by threat actors using a particular malware variant has been spotted since September 2022.
“FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used ‘Zeon’ as a loader,” reads the advisory.
After gaining initial access to networks via phishing, remote desktop protocol (RDP) and other techniques, the threat actors were observed disabling antivirus software on victims’ machines and exfiltrating large amounts of data before finally deploying the ransomware and encrypting systems.
“Royal actors have made ransom demands ranging from approximately $1m to $11m in Bitcoin,” CISA wrote.
At the same time, the Agency clarified that in observed incidents, Royal actors did not include ransom or payment instructions as part of their ransom note.
“Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL (reachable through the Tor browser).”
CISA also noted that, at the time of writing, Royal actors had targeted several critical infrastructure sectors, including manufacturing, communications, education and healthcare.
As in other #StopRansomware advisories, CISA also included a series of recommendations to reduce the likelihood and impact of ransomware incidents.
These include requiring all accounts with password logins to follow National Institute of Standards and Technology (NIST) standards, keeping all systems up-to-date and performing network segmentation whenever possible.
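As an added illustration of the first recommendation (this is example code, not part of the article or of the CISA advisory), the check below enforces the core of NIST SP 800-63B’s guidance for memorized secrets: a minimum of 8 characters, acceptance of long passphrases of at least 64 characters, comparison against a blocklist of common or compromised values, and deliberately no composition rules. The `check_password` helper and the tiny blocklist are constructed for this example; a real deployment would load a breached-password list instead.

```python
"""Password-acceptance check modelled on NIST SP 800-63B (memorized secrets).

Added example; not code from the CISA advisory or the article.
"""
from dataclasses import dataclass, field
import unicodedata

# Constructed stand-in for a breached/common-password blocklist.
# A real deployment would load a large list (e.g. from a breach corpus).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "royal2023"}

MIN_LENGTH = 8    # SP 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64   # SP 800-63B: verifiers should accept at least 64 characters


@dataclass
class PolicyResult:
    ok: bool
    reasons: list = field(default_factory=list)


def normalize(secret: str) -> str:
    # NFKC normalization so visually identical Unicode strings compare equally
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str, username: str = "", blocklist=BLOCKLIST) -> PolicyResult:
    """Return whether `secret` is acceptable and, if not, why.

    Intentionally imposes no composition rules (digits, symbols, mixed case):
    SP 800-63B advises against them because they push users toward
    predictable patterns. Length and blocklist checks do the real work.
    """
    reasons = []
    s = normalize(secret)

    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")

    lowered = s.lower()
    if lowered in blocklist:
        reasons.append("appears in blocklist of common/compromised passwords")

    # Context-specific words (the account name) are also disallowed by 800-63B
    if username and username.lower() in lowered:
        reasons.append("contains the account name")

    # A single repeated character ("aaaaaaaa") is trivially guessable
    if s and len(set(s)) == 1:
        reasons.append("single repeated character")

    return PolicyResult(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Password", "short", "aaaaaaaa"]:
        result = check_password(candidate, username="alice")
        print(f"{candidate!r}: {'accepted' if result.ok else 'rejected'} {result.reasons}")
```

The check reports every failing rule rather than stopping at the first one, which makes it easier to surface a clear message to the user and to log why a credential was refused.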
The CISA advisory comes a few months after the emerging threat actor known as DEV-0569 was spotted by Microsoft developing new tools to deliver the Royal ransomware.