A new ransomware operation dubbed “Royal” is targeting organizations with ransom demands ranging from $250.000 to over $2 million.
A new report from BleepingComputer in collaboration AdvIntel researchers has investigated the group’s encryptor and its methodology. The ransomware group was first identified in January 2022 and includes vetted and experienced hackers from past operations.
Interestingly, it does not operate as a Ransomware-as-a-Service (RaaS), but instead as a private group without partners or affiliates. At first, the group employed the encryptors of other ransomware operations, such as the BlackCat example, before utilizing its own encryptors, the first being Zeon, an encryptor that designs ransom notes identical to Conti’s.
Royal modus operandi
Based on the observations gathered by threat analysts, this month, the Royal ransomware used a new encryptor and its name in ransom notes to represent itself accurately. The security experts have also identified that the hacking group is working underground and has not employed a data leak site to disclose their activities.
The malicious campaign is employing a technique called “callback phishing,” wherein the Royal hackers mimic software vendors and food delivery platforms in emails, pretending to be an offer to renew a subscription.
When victims call the number, the ransomware operators employ social engineering to lure them into installing remote access software, thus acquiring access to the corporate network. Subsequently, the hackers execute multiple attack procedures, eventually leading to the encryption of the exploited devices. They employ Cobalt Strike to spread out across the network, collect credentials, steal data, and finally encrypt machines.
The targeted individuals would then discover a ransom note, named README.TXT, containing a Tor link to engage in negotiations with malicious hackers. The ransomware operators will offer their demand, with ransom amounts ranging from $250.000 to over $2 million. To prove that they have the firm’s data, Royal will decrypt a few files and share lists of the siphoned data.
It remains unclear how successful the operation is because at the time of writing there are no reports of any victims actually paying for the decryption key. The researchers have strongly recommended network, windows, and security admins to keep an eye on the activities of this group, as they are ramping up their operations and will likely surge to become a significant business-targeting ransomware operation.
