{
	"id": "a02acf95-b9d8-471c-855a-0cf009777b5e",
	"created_at": "2026-04-06T00:06:37.010396Z",
	"updated_at": "2026-04-10T03:21:02.138073Z",
	"deleted_at": null,
	"sha1_hash": "5f412290a11abea40e003c83dec9cd9bf8b4d343",
	"title": "Security Alert: Royal Ransomware Targeting Firewalls",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66650,
	"plain_text": "Security Alert: Royal Ransomware Targeting Firewalls\r\nBy Leeann Nicolo, April 11, 2023\r\nArchived: 2026-04-05 14:22:33 UTC\r\nStarting in January 2023, Coalition Incident Response, Inc. (CIR), a technical forensic and remediation firm,\r\nbegan to see increased instances of Royal Ransomware impacting policyholders. Royal Ransomware is a\r\nsophisticated malware strain often associated with a group of highly experienced threat actors with documented\r\nsimilarities to former members or associates of the Conti cybercriminal gang.\r\nThis increase in activity impacting cyber insurance policyholders was extremely concerning since, in most of\r\nCIR’s past experiences with the Royal Ransomware strain, the demands entered the millions, with the highest\r\ndemand Coalition’s claim team has seen reaching above $2 million.\r\nOur claims team has received claims from multiple policyholders experiencing almost the same type of attack.\r\nCIR began looking for similarities between these seemingly disparate instances since all the victims were from\r\ndifferent industries, different regions, and different-sized companies.\r\nA common thread\r\nThe ransomware variant detected by CIR appears to have similar indicators of compromise (IOCs) shared between\r\neach impacted policyholder. As we looked for consistencies across the multiple cases, we noticed a unique\r\nparallel: all of the companies were using an end-of-sale (EOS) firewall appliance.\r\nEOS is the last day to order the product directly from a vendor, and for a period of time after the EOS date, the\r\nvendor may provide updates and support. In contrast, end-of-life (EOL) products are no longer supported by the\r\noriginal vendor and cannot be upgraded or patched.\r\nIn all cases, the impacted organizations didn’t have their firewall logging retention set long enough to investigate\r\nfully. Logging retention is extremely important as it allows a forensic team to piece together the details of the\r\nattack in order to prevent it from recurring.\r\nIn each of the cases that CIR investigated, we also discovered virtual private network (VPN) compromises. The\r\nthreat actors appeared to be gaining access to the victim organizations’ VPNs and connecting a device named\r\n“Kali” to act on objectives. Kali Linux is a platform that supports information security tasks like penetration\r\ntesting, security research, computer forensics, and reverse engineering. Both cyber criminals and security\r\nadministrators widely use it. The VPNs were all managed by the firewall device.\r\nIf you have any kind of firewall installed, keep reading\r\nCIR has noticed an uptick in attacks exploiting firewalls, leading, in some cases, to the encryption of an entire\r\nnetwork. In other cases, the attack pattern is simpler, wherein the threat actor sends a phishing email, harvests\r\ncredentials, and then accesses the external-facing VPN.\r\nhttps://www.coalitioninc.com/blog/active-exploitation-firewalls\r\nPage 1 of 3\n\nIn cases like these, acting fast is key. For example, one of our policyholders contacted us via phone just as the\r\nthreat actor was scanning their network. Even though the attackers were able to access some data successfully, the\r\npolicyholder effectively avoided data encryption by starting the investigation within two hours of identifying\r\nthe suspicious activity.\r\nWhat should you do?\r\nOne of the most critical actions an organization can take to help avoid these risks is to patch, patch, patch.\r\nOrganizations should always ensure they use the most up-to-date versions of their firmware and software.\r\nA best practice is to remove your firewall and move toward Secure Access Service Edge (SASE) technology\r\nto protect your network perimeter. The SASE security model allows IT teams to consolidate many networking and\r\nsecurity functions into a single cloud service that restricts access based on user, device, and application identity.\r\nSASE uses a zero-trust network access component, meaning all users must be authenticated before being granted\r\naccess to an application or data. This helps prevent unauthorized access, contain breaches, and limit a threat\r\nactor’s lateral movement on the network should a breach occur. Due to SASE’s cloud-based nature, its\r\nimplementation has the additional benefit of removing the need to maintain the underlying infrastructure.\r\nIf a firewall is necessary for your organization’s security defenses, you should upgrade the firewalls as often as the\r\nbudget allows to ensure you are using new-and-improved technology. Enforcing multi-factor authentication on a\r\nfirewall is also crucial.\r\nAssessing your risk with Coalition Control\r\nAt Coalition, we continue to learn about the new tactics employed by this powerful ransomware group, and others\r\nlike it, so we can continue to advise our broker partners and policyholders and help them to create the best defense\r\npossible.\r\nThrough CIR and our other security experts and researchers, Coalition continues to monitor active exploitations\r\nand other incidents that impact or may potentially impact cyber policyholders. With Active Insurance, cyber\r\npolicyholders that obtain coverage through Coalition have the added benefit of receiving real-time security alerts\r\nduring their policy term as incidents and vulnerabilities evolve.\r\nAnd if the worst happens, Coalition is standing by and ready to help, providing tools and resources to help\r\nmitigate losses and remediate damages.\r\nTo access your risk management dashboard and understand your on-demand scanning capabilities, log in to\r\nCoalition Control.\r\nInsurance products referenced herein are offered by Coalition Insurance Solutions, Inc. (“CIS”), a licensed insurance producer with\r\nits principal place of business in San Francisco, CA (Cal. license #0L76155), acting on behalf of a number of unaffiliated insurance\r\ncompanies. A list of our admitted carriers is available here. Complete license information for CIS is available here. Insurance products\r\noffered through CIS may not be available in all states. All insurance products are governed by the terms and conditions set forth in the\r\napplicable insurance policy. Please see a copy of your policy for the full terms and conditions. Any information on this communication\r\ndoes not in any way alter, supplement, or amend the terms and conditions of the applicable insurance policy and is intended only as a\r\nbrief summary of such insurance products. Policy obligations are the sole responsibility of the issuing insurance carrier. The\r\ndescriptions provided herein are solely for informational purposes and are not to be construed as advice of any kind or the rendering\r\nof consulting, financial, legal, or other professional services from Coalition. Any action you take upon the information contained\r\nherein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon\r\nthe information.\r\nSource: https://www.coalitioninc.com/blog/active-exploitation-firewalls",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.coalitioninc.com/blog/active-exploitation-firewalls"
	],
	"report_names": [
		"active-exploitation-firewalls"
	],
	"threat_actors": [],
	"ts_created_at": 1775433997,
	"ts_updated_at": 1775791262,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f412290a11abea40e003c83dec9cd9bf8b4d343.pdf",
		"text": "https://archive.orkl.eu/5f412290a11abea40e003c83dec9cd9bf8b4d343.txt",
		"img": "https://archive.orkl.eu/5f412290a11abea40e003c83dec9cd9bf8b4d343.jpg"
	}
}