CISA, FBI Shed Light On Royal Ransomware Cyberattack Tactics

March 08, 2023 - Royal ransomware is continuing to be used in aggressive cyberattacks against critical infrastructure. As previously reported, the group poses a significant threat to the healthcare sector.

To help organizations mitigate risk, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint cybersecurity advisory (CSA) about the variant, providing the most comprehensive overview of the group’s tactics to date.

Since September 2022, cyber threat actors have leveraged the Royal and its custom-made file encryption program to gain access to victim networks and request ransoms ranging from $1 million to $11 million, CISA and the FBI found.

“In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL (reachable through the Tor browser),” the CSA stated.

“Royal actors have targeted numerous critical infrastructure sectors including, but not limited to, Manufacturing, Communications, Healthcare and Public Healthcare (HPH), and Education.”

Royal actors have been known to gain initial access to networks by conducting phishing schemes, compromising remote desktop protocol (RDP), and exploiting public-facing applications. Royal threat actors have also been observed repurposing legitimate Windows software to “strengthen their foothold in the victim’s network” and leveraging RDP to move laterally across the network.

“Royal actors exfiltrate data from victim networks by repurposing legitimate cyber pentesting tools, such as Cobalt Strike, and malware tools and derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration,” the CSA continued. “According to third-party reporting, Royal actors’ first hop in exfiltration and other operations is usually a U.S. IP address.”

The CSA contained detailed indicators of compromise (IOCs) which may be used by security teams to vet IP addresses and detect suspicious activity.

The FBI and CISA also recommended that network defenders implement key mitigations aligned with CISA’s Cybersecurity Performance Goals (CPGs), which were released in October 2022.

Specifically, the authoring entities recommended that critical infrastructure organizations implement a strong recovery plan, require multi-factor authentication (MFA), segment networks, and keep all operating systems up to date.

Lastly, the FBI and CISA reminded entities that they do not encourage paying a ransom to threat actors, “as payment does not guarantee victim files will be recovered.”

“Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”

As threat actor sophistication continues to grow, critical infrastructure entities must ensure that they have robust security programs in place to defend against cyberattack attempts.