Firms are warned about the emergence of the Royal ransomware

September 30, 2022
Threat Warning Royal Ransomware Malware Callback Phishing Extortion

A new ransomware operation dubbed “Royal” has recently emerged in the threat landscape, run by a group of experienced ransomware operators. The campaign targets large corporations with ransom demands ranging from about $250,000 to over $2 million.

Launched in January 2022, Royal operates differently from the usual Ransomware-as-a-Service campaigns: its infrastructure is built and run by private members, without partners or affiliates.

At the beginning of their campaign, the Royal operators used other ransomware groups’ encryptors, then gradually developed and deployed their own. Their first encryptor was named “Zeon,” which researchers said was comparable to Conti ransomware.

From Zeon, the group rebranded its operations to Royal.


Based on observations gathered by security researchers this month, Royal now uses a new encryptor and names itself in its ransom notes. The researchers have also noted that the group is relatively quiet about its attacks and has not used a data leak site to announce its activities.

Following the activity spotted this month, security researchers have collected a sample from the group and pieced together a picture of its campaign. It relies on a tactic called “callback phishing,” in which the Royal operators impersonate software providers and food delivery platforms in emails that pose as subscription renewal notices.

Targets call the phone numbers included in the phishing emails, supposedly to cancel the subscription. The threat actors answer the call and use social engineering to lure the victim into installing remote access software.

If the victim falls for it, the installed remote access software becomes the operators’ vector for initial access to the corporate network and the following attack stages. The threat actors then carry out several further steps, eventually encrypting the compromised devices.

The ransom note is printed on the victim’s network printers and contains a link to a private Tor site through which the operators and the victim are expected to communicate. So far, security researchers have not observed any successful payment to Royal, which is notable given that the group requests multi-million-dollar ransoms.

For now, the best recommendation for users and corporate networks is to ignore suspicious emails and calls from unknown entities, run trusted anti-virus software, and stay alert to potential cyberattack attempts.
