The Royal ransomware group emerged in early 2022 and has gained momentum since the middle of the year. Its ransomware, which the group deploys through different TTPs, has impacted multiple organizations across the globe. The group itself is suspected of consisting of former members of other ransomware groups, based on similarities researchers have observed between Royal ransomware and other ransomware operators.
Unique approach to evade anti-ransomware defenses: Royal ransomware expands the concept of partial encryption, which means it has the ability to encrypt a pre-determined portion of the file content and base its partial encryption on a flexible percentage encryption, which makes detection more challenging for anti-ransomware solutions.
Multi-threaded ransomware: Royal ransomware employs multiple threads in order to accelerate the encryption process.
Global ransomware operation: Royal ransomware operates around the world, and reportedly on its own. The group doesn’t appear to use ransomware-as-a-service or to target a specific sector or country.
Different methods of deployment: Royal ransomware initially starts and deploys in different ways, as described in this report.
The Royal ransomware group was first discovered in early 2022. At the time, it utilized third-party ransomware, such as BlackCat and custom Zeon ransomware. Since September 2022, the group has started to use its own ransomware. In November 2022, Royal ransomware was reported to be the most prolific ransomware in the e-crime landscape, overtaking Lockbit for the first time in more than a year.
Royal ransomware operations start in different ways. One method is through phishing campaigns and uses one of the common e-crime threat loaders, reportedly BATLOADER and Qbot. The threat loader then downloads a Cobalt Strike payload to continue the malicious operation within the infected environment. This tactic is commonly used by other ransomware operations, including Qbot and BlackBasta.
Since mid-September, the ransomware group has gained momentum and added dozens of victims to its website. The group does not seem to focus on a specific sector, and its victims vary from industrial companies to insurance companies, and more. Although the majority of the group’s victims are based in the U.S., one of its higher profile victims was the Silverstone Circuit, a motor racing circuit in England.
Multiple reports have noted resemblances between the Royal Ransomware group and Conti, including similarities between the ransom notes each group uses (particularly in Royal’s early stages) and the use of callback phishing attacks. In our research, we have identified additional similarities, such as resemblances in the encryption process decision factors. However, these similarities are not yet clear enough to confirm a direct connection between the two groups.
When executing, Royal ransomware can take three arguments in its command line:
-path [optional]: The path to be encrypted
-ep [optional]: The number that represents the percentage of the file that will be encrypted
-id: A 32-digit array
The encryption process decision tree is dependent on the command line arguments. Therefore, factors such as encryption speed, file corruption, and potential detection are directly affected. If no “-id” parameter is given in the command line, the ransomware won’t run.
After validating the command line, Royal ransomware will attempt to delete shadow copy backups using the process Vssadmin.exe, with the command line “delete shadows /all /quiet”.
The deletion of the shadow copy can also be seen via the Cybereason Defense Platform, which identifies the activity as ransomware behavior in the image below.
Once the backups have been deleted, Royal ransomware will set its exclusion paths (the files or directories spared from file encryption). The following file extensions will be excluded from being encrypted:
.exe
.dll
.bat
.lnk
README.TXT
.royal
Next, the ransomware will set the list of directories to be excluded from the encryption process. These directories are the ones that contain the following strings:
Windows
Royal Perflogs
Tor browser
Boot $recycle.bin
Windows.old
$window.~ws
$windows.~bt
Mozilla
After setting the directories to be excluded from encryption, the ransomware then uses the API call Socket to establish a TCP socket and WSAIoctl to invoke a handler for LPFN_CONNECTEX to use the ConnectEx function.
After the initial part of setting the ransomware, Royal ransomware will create two threads: one for writing the ransom note on non-excluded directories and another for file encryption, in addition to a network scanning option.
As mentioned, if no path is given in the command line arguments, Royal ransomware will start with the following steps:
First, the ransomware will scan the network interfaces, and if possible, retrieve the different IP addresses for the target machine(s), using the API call GetIpAddrTable. It will specifically search for IP addresses that start with “192. / 10. / 100. / 172.”
Second, Royal ransomware will establish a socket using the API WSASocketW and will associate it with a completion port using CreateIoCompletionPort. It then will use the API call htons to set the port to SMB, and eventually try to connect to the instructed IP addresses via the LPFN_CONNECTEX callback function.
Third, the ransomware will enumerate the shared resources of the given IP addresses using the API call NetShareEnum. If a shared resource is one of “\\<IP_Address>\ADMIN$” or “\\<IP_Address>\IPC$”, the ransomware will not encrypt it.
Royal ransomware encryption is multi-threaded. To choose the number of running threads, the ransomware will use the API call GetNativeSystemInfo to collect the number of processors in a machine. It will then multiply the result by two and will create the appropriate number of threads accordingly.
Next, the ransomware will set the RSA public key, which is embedded in the binary in plain text and will be used for encrypting the AES key.
>
Before starting the encryption process, Royal ransomware uses the Windows Restart Manager to check if any of the targeted files to be encrypted are being used or blocked by other applications or services. Notably, other ransomware groups including Conti, Babuk, and Lockbit use Restart Manager for the same purpose. Royal then uses the API calls RmStartSession to start the session, RmRegisterResources to register the resources (i.e., the targeted files), RmGetList to verify which applications or services are using the resource (excluding “explorer.exe”), and RmShutDown to kill those applications and services using the resource.
Finally, the encryption method will be determined by the size of the file that will be encrypted and in consideration of the -ep parameter.
If the file size is smaller than 5.245 MB or the -ep argument equals 100:, the entire file will be encrypted.
If the file size is larger than 5.245 MB and the -ep argument is not equal to 100:, the file will be encrypted approximately by the percentage of the -ep argument.
If the file size is larger than 5.245 MB and no -ep argument is given, 50% of the file will be encrypted.
When a targeted file is being encrypted, the ransomware calculates the percentage to encrypt and divides the file content (encrypted and unencrypted) into equal segments. The fragmentation and possibly low percentage of encrypted file content that results lowers the chance of being detected by anti-ransomware solutions.
In the following test, we can see the comparison between the encryption of the same file (larger than 5.245 MB) with different encryption percentages (-ep argument). The image on the left represents an -ep argument of 50 and the image on the right represents an -ep argument of 10.
PortexAnalyzer ep 50 vs. ep 10
In addition to the file being encrypted, Royal ransomware will save 532 bytes at the end of each file and writes the following:
512 bytes for randomly generated encryption key
8 bytes for file size of the encrypted file
8 bytes for the used ep parameter
While partial encryption is not new, most ransomware base their partial encryption only on the file size, then encrypt a set percentage of the file the same way, each time. In contrast, Royal ransomware lets the operator choose a specific percentage and lower the amount of encrypted data even if the file size is large. This ability to change the amount of the file to be encrypted gives Royal ransomware an advantage when it comes to evading detection by security products.
It’s worth highlighting that Conti ransomware also chooses the file size of 5.24 MB as its threshold for partial encryption. When a file was larger than 5.24MB, Conti would encrypt 50% of the file in a divided manner, much like Royal ransomware. This similarity raises the question of whether the Royal ransomware authors have a connection to the Conti group, but on its own, it is not strong enough to suggest a direct or definitive connection.
As for the encryption algorithm, Royal ransomware uses the OpenSSL library and the AES256 algorithm. Similar to other ransomware, it first reads the targeted file using ReadFile, then it encrypts the content and writes the encrypted data in the designated location using WriteFile and SetFilePointerEx. After finishing encryption, the file extension changes to “.royal” using the API call MoveFileExW.
During the entire Royal ransomware process, the ransomware creates an additional thread to retrieve the logical drives using the API call GetLogicalDrives. It then writes the ransom note with the name “README.TXT” in every directory that is not in its exclusion list.
Royal Ransomware creating the ransom note
Eventually, an encrypted directory will look like this
The image below illustrates the entire encryption process decision tree:
When it comes to partial encryption, Royal ransomware seems to give the ransomware operator a more flexible solution for evading detection compared to most ransomware. We assume this flexibility and the evasion potential it enables was a design goal for the creators of Royal ransomware.
As with some reports mentioned above, some ideas that were implemented in Conti ransomware can be found in Royal ransomware.
The Cybereason Defense Platform is able to detect and prevent Royal ransomware infections using multi-layer malware protection that leverages threat intelligence, machine learning, anti-ransomware, next-gen antivirus (NGAV), and Variant Payload Prevention capabilities.
The Cybereason GSOC & Security Research teams recommend the following actions in the Cybereason Defense Platform:
Enable Application Control to block the execution of malicious files.
Enable Anti-Ransomware in your environment’s policies, set the Anti-Ransomware mode to Prevent, and enable Shadow Copy detection to ensure maximum protection against ransomware.
Enable Variant Payload Prevention with prevent mode on Cybereason Behavioral execution prevention.
To hunt proactively, use the Investigation screen in the Cybereason Defense Platform and the queries in the Hunting Queries section to search for machines that are potentially infected with Royal Ransomware.
Based on the search results, take further remediation actions, such as isolating the infected machines and deleting the payload file.
Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. Schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.
|
Tactic |
Technique or Sub-technique |
|
TA0005: Discovery |
T1083: File and Directory Discovery |
|
TA0007: Discovery |
T1016: System Network Configuration Discovery |
|
TA0007: Discovery |
T1046: Network Service Discovery |
|
TA0007: Discovery |
T1057: Process Discovery |
|
TA0007: Discovery |
T1082: System Information Discovery |
|
TA0007: Discovery |
T1135: Network Share Discovery |
|
TA0040: Impact |
T1486: Data Encrypted for Impact |
|
TA0040: Impact |
T1489: Service Stop |
|
TA0040: Impact |
T1490: Inhibit System Recovery |
|
TA0002: Execution |
T1059: Command and Scripting Interpreter |
|
Indicators |
Indicator type |
Description |
|
250bcbfa58da3e713b4ca12edef4dc06358e8986cad15928aa30c44fe4596488 |
SHA256 |
Royal Ransomware Binary |
|
9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926 |
SHA256 |
Royal Ransomware Binary |
|
c24c59c8f4e7a581a5d45ee181151ec0a3f0b59af987eacf9b363577087c9746 |
SHA256 |
Royal Ransomware Binary |
|
5fda381a9884f7be2d57b8a290f389578a9d2f63e2ecb98bd773248a7eb99fa2 |
SHA256 |
Royal Ransomware Binary |
|
312f34ee8c7b2199a3e78b4a52bd87700cc8f3aa01aa641e5d899501cb720775 |
SHA256 |
Royal Ransomware Binary |
|
f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429 |
SHA256 |
Royal Ransomware Binary |
|
7cbfea0bff4b373a175327d6cc395f6c176dab1cedf9075e7130508bec4d5393 |
SHA256 |
Royal Ransomware Binary |
|
2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f |
SHA256 |
Royal Ransomware Binary |
Eli Salem, Security & Malware Researcher, Cybereason Global SOC
Alon Laufer, Senior Security Analyst, Cybereason Global SOC
Mark Tsipershtein, Security Operations Analyst at Cybereason