
FBI and CISA Reveal: ‘Royal’ Ransomware Group Targeted 350 Victims for $275 Million

In a joint advisory, the FBI and CISA have revealed that the ‘Royal’ ransomware gang has targeted nearly 350 organizations worldwide since 2022.

Updating the original advisory published in March with information gathered during the FBI’s investigation, the agencies noted that the campaign is linked to ransom demands totalling more than $275 million.

"Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded 275 million USD," the advisory reads.

"Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors."

In March, the two agencies shared their initial indicators of compromise (IOCs), along with a list of tactics, techniques, and procedures (TTPs), to help defenders identify and block attempts to deploy Royal ransomware payloads on their networks.

The Department of Health and Human Services (HHS) security team discovered in December 2022 that the ransomware operation was responsible for several attacks against U.S. healthcare organizations. This led to the release of the joint advisory.

Royal to BlackSuit

The advisory update also states that BlackSuit ransomware shares several coding traits with Royal, suggesting that Royal may be planning a rebranding campaign and/or a spinoff variation.

Although the Royal operation had been expected to rebrand in May, when the BlackSuit ransomware operation appeared, the rebranding did not take place at that time.

According to a report published by BleepingComputer in June, the Royal ransomware gang was testing a new BlackSuit encryptor that closely resembled the operation’s conventional encryptor.

At the time, Yelisey Bohuslavskiy, Partner and Head of Research and Development at RedSense, believed that the experiment had not gone well.

Since then, however, Royal has rebranded as BlackSuit and restructured into a more centralized business, following the same blueprint that Team 2 (Conti2) used when it was part of the Conti syndicate.

"In September 2023, Royal accomplished a full rebrand into BlackSuit, most likely entirely dismantling their Royal infrastructure. Moreover, according to the primary source intel, Royal has also accomplished a broader reorganization during the rebrand, making the group structure more corporate and more similar to their Conti2 origins," said Yelisey Bohuslavskiy.  

Dallas Ransomware Attack: Hackers Steal 800K City Files

Hackers who targeted the City of Dallas in the alleged ransomware attack stole nearly 1.2 terabytes of data, amounting to 819,000 files, City officials report.

The City’s Chief Information Officer, Bill Zielinski, said that the threat actors gained access to 230 City servers, along with around 1,000 computers and more than 1,100 workstations. Following the attack, the City disabled 100 of its servers.

According to Zielinski, “As part of the remediation and restoration activity, every server, workstation and other host device was thoroughly reviewed for potential impact.”

City staff were scheduled to present an ‘After Action Report’ on the ransomware attack to the Dallas City Council on Wednesday, but the briefing was postponed when council members spent the entire evening debating amendments to the FY23-24 budget.

The item had been scheduled for 9 a.m., but council members did not get to it until 8 p.m.

The presentation prepared for the council stated that the ‘Royal Ransomware’ group was behind the attack and had gained illicit access to 1.169 terabytes of City data between April 7 and May 3 this year.

Dallas officials further noted that the City services that remained disrupted for months were a direct consequence of the ransomware attack. For instance, the City was unable to publish up-to-date crime statistics until the end of July 2023. Officials now say that 99.9% of City operations are back online.

The Dallas Express previously reported that the attackers are suspected of having stolen the personal data of over 26,000 people, including minors. The City denied this, stating that no such information had been compromised and that there was “no indication that data from residents, vendors, or employees has been leaked.”

As for the City’s response to the attack, City Manager T.C. Broadnax said the City did a “great job.” In his view, the overall response was successful, but the messaging was poor.

“Could we do better? I think, from a communication standpoint, at least, what people believe we should be communicating?[…]I would say, yeah, we can always do better,” he said.

Royal Ransomware Gang adds BlackSuit Encryptor to their Arsenal

A new encryptor named BlackSuit is currently being tested by the notorious Royal ransomware gang. This encryptor bears striking resemblances to their customary encryption tool, suggesting it may be an evolved version or a closely related variant. 

In January 2023, the Royal ransomware gang emerged as the direct successor to the infamous Conti operation, which ceased its activities in June 2022. This private ransomware group consists of skilled pentesters and affiliates hailing from 'Conti Team 1,' as well as individuals recruited from various other ransomware gangs that target enterprises. 

Since its inception, Royal Ransomware has quickly gained notoriety as one of the most active and prolific operations, carrying out numerous high-profile attacks on enterprises. Furthermore, starting from late April, there have been growing indications that the Royal ransomware operation has been contemplating a rebranding effort under a fresh identity. 

This notion gained momentum when the group drew intensified law enforcement scrutiny after its attack on the City of Dallas, Texas. Under mounting pressure from authorities, the group appears to have weighed adopting a new name, potentially to evade detection and the repercussions of its activities.

In May, a distinct ransomware operation known as BlackSuit emerged, employing its unique encryptor and Tor negotiation sites. Speculation arose suggesting that this could be the rebranded version of the Royal ransomware group as initially anticipated. However, contrary to expectations, the Royal ransomware gang has not undergone a rebranding process and continues its active assault on enterprise targets. 

While BlackSuit has been employed in a limited number of attacks, the overall identity and operations of the Royal ransomware group remain unchanged. The notion of a rebranding for the Royal ransomware group appears to have lost its viability, given the recent findings presented in a report by Trend Micro. 

The report highlights significant resemblances between the encryptors used by BlackSuit and the Royal Ransomware, rendering it challenging to persuade anyone that they are distinct and unrelated entities. Consequently, attempting to present themselves as a new ransomware operation would likely face considerable skepticism due to these noticeable similarities. 

The resemblances between BlackSuit and Royal Ransomware go beyond surface-level similarities. In-depth analysis, as outlined in the Trend Micro report, reveals a range of shared characteristics. These include similarities in command line arguments, code structures, file exclusion patterns, and even intermittent encryption techniques. 

Such consistent parallels across so many aspects make it increasingly difficult to present BlackSuit as a genuinely distinct ransomware operation separate from the Royal group. These findings point to a close connection or shared origin between the two.

CERT-In Warns Of 'Royal Ransomware' Virus Attacking India's Critical Sectors

Indian citizens and organisations have been alerted about the Royal Ransomware virus by the Indian Computer Emergency Response Team (CERT-In). 

The malware targets key infrastructure sectors such as manufacturing, communications, healthcare, and education, as well as individuals, encrypting their files and demanding payment in Bitcoin in exchange for not releasing the stolen private information to the public.

According to the CERT-In advisory, Royal ransomware spreads through RDP (Remote Desktop Protocol) abuse, phishing emails, malicious downloads, and other forms of social engineering. It was first observed in January 2022 and began spreading widely around September of that year, at which point the US government started issuing advisories about it.

The advisory also notes that the threat actors use a number of strategies to trick victims into installing remote access malware as part of callback phishing. Once it has infected a system, the ransomware encrypts the data and deletes shadow copies to prevent recovery.

The Royal ransom note directs victims to contact the attackers via a .onion URL (accessible through the Tor browser), so the note itself does not reveal the ransom amount or any instructions. Before encryption, the malware also gains access to the domain controller, exfiltrates a sizable amount of data, and disables antivirus protection.
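Of the steps described above, shadow copy deletion is the one that leaves the clearest trace in process-creation telemetry, which makes it a useful detection point for defenders. The following Python example is added here and is not part of the CERT-In advisory: it runs a small set of detection rules over constructed Windows process-creation records (host, user, parent image, command line, one per line). The hosts, users and command lines are invented, and the rule names are this example’s own.

```python
import re
from typing import Dict, List

# Constructed sample of Windows process-creation events (think Sysmon Event ID 1 or
# Security Event 4688) flattened to "host|user|parent_image|command_line" per line.
# Every host, user and command line here is invented for this example.
SAMPLE_EVENTS = """\
WS-017|CORP\\jdoe|explorer.exe|"C:\\Windows\\System32\\notepad.exe" C:\\Users\\jdoe\\notes.txt
SRV-FILE01|CORP\\svc-backup|cmd.exe|vssadmin.exe list shadows
SRV-FILE01|CORP\\Administrator|cmd.exe|vssadmin.exe delete shadows /all /quiet
DC01|CORP\\Administrator|powershell.exe|wmic.exe shadowcopy delete
WS-022|CORP\\asmith|outlook.exe|"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n "C:\\Users\\asmith\\invoice.docx"
SRV-APP02|CORP\\Administrator|cmd.exe|powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
"""

# Detection rules: (rule name, case-insensitive pattern over the command line).
# Listing or creating shadow copies is normal admin/backup activity and must NOT fire;
# only the deletion variants are matched.
SHADOW_COPY_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I)),
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened record into its four fields.

    maxsplit=3 keeps any '|' characters inside the command line itself (PowerShell
    pipelines, for example) attached to the command line instead of breaking parsing.
    """
    host, user, parent, cmdline = line.split("|", 3)
    return {"host": host, "user": user, "parent": parent, "cmdline": cmdline}


def scan_events(raw_events: str) -> List[Dict[str, str]]:
    """Return one alert (the event plus the matching rule name) per matching event."""
    alerts = []
    for line in raw_events.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for rule_name, pattern in SHADOW_COPY_RULES:
            if pattern.search(event["cmdline"]):
                alerts.append({**event, "rule": rule_name})
                break  # first matching rule wins; one alert per event
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['host']} {alert['user']} "
              f"(parent {alert['parent']}): {alert['cmdline']}")
```

The benign `vssadmin.exe list shadows` run by the backup service account does not produce an alert, while the three deletion variants do; in a real deployment the parent process and user fields are what an analyst would use to triage the alert, since a legitimate backup job and a ransomware operator rarely share the same parent image.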

Prevention Tips

CERT-In has recommended a set of countermeasures and internet hygiene guidelines to protect against this and similar ransomware attacks. These include keeping backup data offline, regularly maintaining backup and restore procedures, enabling protected files in Windows, blocking remote desktop connections, using least-privileged accounts, and restricting the number of users who can access resources via remote desktop.

Other best practices include keeping anti-virus software up to date, avoiding clicking on links in unsolicited emails, and encrypting all backup data and storing it so that it is immutable (cannot be changed or removed) across the organization’s entire data architecture.

Individuals and organisations should exercise caution and take appropriate safety measures to protect themselves from this ransomware. Following these recommendations can help prevent data loss and reduce the risk of financial and reputational harm.

Cybereason Issues a Warning on a Rapid Growth of Royal Ransomware

The Royal Ransomware Group has emerged, and Cybereason, the XDR company, today released a new global threat alert warning public and private sector organizations about the group’s use of distinctive tactics, techniques, and procedures to evade detection in its attacks. Because attackers target vulnerable enterprises around holidays and on weekends, businesses should be especially vigilant against ransomware attacks.

Since it first appeared this year, the Royal Ransomware Group has attacked scores of companies around the world. The group appears to be run by the Conti Group and other well-known ransomware organizations. Organizations should take precautions to avoid becoming victims, as the threat level from Royal attacks is “HIGH.”

Important report findings 

Unusual method of evading anti-ransomware defenses: Royal ransomware extends the idea of partial encryption by encrypting only a configurable percentage of each file’s content, which makes detection by anti-ransomware solutions more difficult.

Multi-threaded ransomware: Royal ransomware uses multiple threads to speed up the encryption process.

Global ransomware operation: The Royal ransomware purportedly runs independently and globally. The gang doesn't seem to target a particular industry or nation or utilize ransomware-as-a-service. 

High Severity: Given the sharp rise in attacks from this group over the previous 60–90 days, Cybereason rates the threat level from Royal Ransomware as HIGH. 
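The partial-encryption finding above matters for detection engineering: a scanner that measures byte entropy over a whole file will miss a file in which only a small percentage of the content has been encrypted, because the unencrypted majority drags the average down. The following Python example is added here and is not from the Cybereason report. It builds a constructed low-entropy document, overwrites a configurable percentage of its chunks with random bytes as a stand-in for ciphertext (no cipher is used, random bytes merely mimic ciphertext’s byte statistics), and compares a whole-file entropy check with a per-chunk check. The document text, the 4096-byte chunk size and the 7.0 bits/byte threshold are this example’s own assumptions.

```python
import math
import os
from typing import Dict, List

CHUNK_SIZE = 4096   # granularity at which the scanner inspects a file (assumption)
HIGH_ENTROPY = 7.0  # bits/byte; prose sits around 4-5, ciphertext close to 8 (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[float]:
    """Entropy of each fixed-size chunk; the final chunk may be shorter."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def make_document(size: int) -> bytes:
    """Constructed low-entropy 'document' (repeated office-style prose), not a real file."""
    sentence = b"Quarterly revenue figures and staffing plan for the regional office. "
    return (sentence * (size // len(sentence) + 1))[:size]


def simulate_partial_encryption(doc: bytes, percent: int, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Stand-in for an intermittent encryptor, used only to exercise the detector.

    Overwrites `percent` percent of the file's chunks with random bytes, spread evenly
    through the file. 0 leaves the file untouched; 100 overwrites every chunk.
    """
    if not 0 <= percent <= 100:
        raise ValueError("percent must be within 0..100")
    buf = bytearray(doc)
    total = math.ceil(len(doc) / chunk_size)
    k = round(total * percent / 100)
    if percent > 0:
        k = max(k, 1)  # a non-zero percentage always touches at least one chunk
    for i in range(k):
        start = (i * total // k) * chunk_size
        end = min(start + chunk_size, len(buf))
        buf[start:end] = os.urandom(end - start)
    return bytes(buf)


def assess(data: bytes, threshold: float = HIGH_ENTROPY) -> Dict[str, object]:
    """Run a whole-file entropy check and a per-chunk check on the same bytes."""
    per_chunk = chunk_entropies(data)
    high = [e for e in per_chunk if e >= threshold]
    whole = shannon_entropy(data)
    return {
        "whole_file_entropy": whole,
        "max_chunk_entropy": max(per_chunk) if per_chunk else 0.0,
        "high_entropy_chunk_ratio": len(high) / len(per_chunk) if per_chunk else 0.0,
        "whole_file_flag": whole >= threshold,   # what a naive scanner sees
        "chunk_flag": bool(high),                # what a chunk-aware scanner sees
    }


if __name__ == "__main__":
    doc = make_document(256 * 1024)
    for pct in (0, 10, 50, 100):
        r = assess(simulate_partial_encryption(doc, pct))
        print(f"{pct:3d}% overwritten: whole-file {r['whole_file_entropy']:.2f} bits "
              f"(flag={r['whole_file_flag']}), max chunk {r['max_chunk_entropy']:.2f} "
              f"(flag={r['chunk_flag']}), {r['high_entropy_chunk_ratio']:.0%} of chunks high")
```

At 10% coverage the whole-file entropy stays well under the threshold and the naive check passes the file as clean, while the per-chunk check flags it because every overwritten chunk sits near 8 bits/byte. The chunk ratio is also a useful signal on its own: a single high-entropy block in an otherwise textual file (an embedded image, say) is common, but evenly spaced high-entropy blocks across many files on a host are not.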

Mitigation Tips 

Maintain good security hygiene: for instance, implement a security awareness programme for staff and ensure that operating systems and other software are routinely patched and updated.

Ensure key personnel can be reached whenever needed: attacks that occur over holidays and weekends may delay critical response activities.

Conduct regular tabletop exercises and drills: include key stakeholders from departments outside security, such as Legal, HR, IT, and senior executives, so that everyone knows their roles and responsibilities and can react as quickly as possible.

Implement clear isolation procedures to block further network intrusions and stop ransomware from spreading to other systems. Security teams should be able to disconnect a host, lock down a compromised account, and block a malicious domain.

When feasible, consider locking down critical accounts: attackers frequently escalate privileges to the domain admin level before deploying ransomware across a network. In Active Directory, teams should set up highly secure, emergency-only accounts that are used only when other operational accounts are temporarily disabled as a precaution or rendered inaccessible by a ransomware attack.

Deploy EDR on every endpoint: endpoint detection and response (EDR) remains the fastest way for public and private sector organizations to counter the ransomware plague.