Royal Ransomware: A New and More Dangerous Threat
The Royal ransomware group has recently stepped up its operations since bursting on the scene last summer, mounting attacks against critical infrastructure, education, and healthcare targets. The group is notable for targeting Linux and VMware ESXi environments and for using the BatLoader first-stage malware dropper, among other tactics. Since Royal began, it has impacted 14 organizations in the education sector, eight healthcare organizations, and 40 manufacturing organizations across the US and Canada, together making up 73% of its attacks.
The Royal Ransomware Group and Its Predecessors
The group is believed to be composed of former members of the Conti ransomware group, specifically the ex-members known as “Team One.” Conti, known for the Ryuk ransomware, shut down amid pressure from law enforcement and media attention last May. Royal is particularly dangerous because its members have years of experience in ransomware attacks and know how to extort victims effectively.
Royal’s Tactics, Techniques, and Procedures (TTPs)
One of the most significant changes to the gang’s tactics, techniques, and procedures (TTPs) is the use of the BatLoader first-stage malware dropper. Royal operates primarily as a private group, doing its own dirty work rather than partnering with affiliates for profit-sharing as other groups do. However, the use of BatLoader suggests that Royal might be forging partnerships to achieve initial access to targeted organizations.
Defending Against Royal Ransomware
Organizations must implement advanced logging capabilities with tools such as Sysmon, Windows command-line logging, and PowerShell logging. It is also recommended to forward logs to a security information and event management tool (SIEM) to create queries and detection opportunities. To reduce the attack surface, keep computer systems patched and updated wherever possible and implement an extended/endpoint detection & response (XDR/EDR) solution to perform in-memory inspection and detect process injection techniques.
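The following PowerShell script is an added example, not code from the article or from any vendor it mentions. It turns on the three logging sources the paragraph recommends (Windows command-line logging via the 4688 process-creation audit, PowerShell script block and module logging, and Sysmon) and then reads each setting back and checks that every log channel is actually producing events. It assumes an elevated PowerShell session on a Windows host; the paths to `Sysmon64.exe` and to a Sysmon configuration file are placeholders you must replace.

```powershell
# Added example: enable the logging sources recommended above and verify they work.
# Run in an elevated PowerShell session. The two paths below are assumptions.
$SysmonExe    = 'C:\Tools\Sysmon64.exe'      # assumed location of the Sysmon binary
$SysmonConfig = 'C:\Tools\sysmonconfig.xml'  # assumed location of your Sysmon config

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Windows command-line logging: audit process creation (Security event 4688)
#    and include the full command line in each event.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
Set-RegistryDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
    'ProcessCreationIncludeCmdLine_Enabled' 1

# 2. PowerShell logging: script block logging (event 4104) plus module logging for all modules.
Set-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
    'EnableScriptBlockLogging' 1
Set-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' `
    'EnableModuleLogging' 1
$moduleNames = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames'
if (-not (Test-Path $moduleNames)) { New-Item -Path $moduleNames -Force | Out-Null }
New-ItemProperty -Path $moduleNames -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# 3. Sysmon: install the driver with the configuration file if the service is not present.
if (-not (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue)) {
    & $SysmonExe -accepteula -i $SysmonConfig
}

# 4. Verify: read the settings back and confirm each channel has at least one event.
function Test-LoggingConfiguration {
    $results = [ordered]@{}
    $audit = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' -ErrorAction SilentlyContinue
    $results['CmdLineInEvent4688'] = ($audit.ProcessCreationIncludeCmdLine_Enabled -eq 1)
    $sbl = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
    $results['ScriptBlockLogging'] = ($sbl.EnableScriptBlockLogging -eq 1)
    $results['SysmonService'] = ($null -ne (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue))

    $sources = @(
        @{ Name = 'ProcessCreation4688';  Log = 'Security';                                  Id = 4688 },
        @{ Name = 'ScriptBlock4104';      Log = 'Microsoft-Windows-PowerShell/Operational';  Id = 4104 },
        @{ Name = 'SysmonProcessCreate1'; Log = 'Microsoft-Windows-Sysmon/Operational';      Id = 1 }
    )
    foreach ($s in $sources) {
        # Get-WinEvent errors when no event matches; SilentlyContinue turns that into $null.
        $evt = Get-WinEvent -FilterHashtable @{ LogName = $s.Log; Id = $s.Id } -MaxEvents 1 -ErrorAction SilentlyContinue
        $results[$s.Name] = ($null -ne $evt)
    }
    return [pscustomobject]$results
}

Test-LoggingConfiguration | Format-List
```

Any `False` in the output points at a channel the SIEM will never receive, so run the check again after forwarding is configured (for example with Windows Event Forwarding or your SIEM agent subscribed to the `Security`, `Microsoft-Windows-PowerShell/Operational` and `Microsoft-Windows-Sysmon/Operational` channels). The script only changes the settings it names; the content of the Sysmon configuration file, which decides what Sysmon records, is yours to choose.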
As Royal grows more active and aggressive, it is essential to be wary of the ongoing threat of ransomware and implement security best practices.