# Reconstructing the last activities of Royal Ransomware

**yoroi.company/research/reconstructing-the-last-activities-of-royal-ransomware/**

11/17/2022

## Introduction


November 17, 2022


[Royal Ransomware is a new group first spotted on Bleeping Computer last September, where the cybersecurity news site revealed](https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/)
a connection with another malware known as Zeon.

At the moment, we don’t have much information about the group and all its actual TTPs, but we know that they use the Double
Extortion model to threaten the victims, as stated inside the ransom note.

Figure 1: Ransom Note

## About Royal Ransomware Group

The Cyber intelligence community has proof that the group started its malicious activities since January, with other ransomware
payloads. So, we can say they started their malicious career as affiliated with other Ransomware-as-a-Service providers. But it
only the last two months, it started to apply the Double Extorsion model, with an ad-hoc website in the Dark Web.


-----

Figure 2: Royal Ransomware main page
During its existence, it seems that the ransomware group didn’t adopt the Ransomware-as-a-Service model to recruit other
affiliates to infect victims. The reason might be that the core team wants initially to create a malicious “brand positioning” inside the
threat landscape.

Figure 3:

Distribution of the Attacks
At the same time, we don’t know which toolkit is used to implement the exfiltration capability. We don’t know if the group uses
some custom malware, or if it leverages public storage platforms, such as Mega, Dropbox, etc.

## Technical Analysis


-----

We managed to obtain a recent specimen of this threat and analyzed its features and malicious capabilities, in order to create
signatures and provide technical insight to better detection.

Tha analyzed sample has the following static information:

Hash 9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926

Threat Royal Ransomware


Brief
Description


Ransomware payload


SSDEEP 49152:cDVwASOLGtlqrRIU6i9+vazNqQlJZP1BMU2thA8mNtNCiJlrRUFcJ7HIPcLzk+5c:wm+GaNqqJJ12vlZol8cJ7rcl

Figure 4: Static

Information about the sample
Royal Ransomware is written in C/C++ and it is launched by command line. That behavior suggests that there is a previous and
totally human-operated intrusion performed by a pen-testing team, which gained access to the internal network and performed
privilege escalation and lateral movement operation.

When the executable is launched, it needs three parameters, otherwise the infection doesn't start:


-----

Figure 5: Parameters needed by Royal

Ransomware
We constructed a table with the three parameters found inside the sample and we provide a small description of that:

Parameter Description

-path Specifies an exact path where to encrypt files

-id Victim’s ID, needed to run the sample, must be 32 characters

-ep Encryption percentage (feature not implemented in this sample)

Table: Parameters description
After that, the sample starts the preparation of the ransomware operation by deleting the shadow copies:


-----

Figure 6: Deleting

Shadow Copies
Then, the malware starts the preparation for the encryption processes, by creating the lists of the elements to be excluded during
the fetching of files and folders. For the files’ extensions, the exclusions are:
```
.exe,.dll,.bat,.lnk,.royal,

```
Figure 7: Checking file extension

Instead, for the folders exclusion there are the following:
```
windows, royal, $recycle.bin, google, perflogs, mozilla, tor browser, boot, $windows.~ws, $windows.~bt, windows.old

```
Figure 8: Checking folder name

Royal Ransomware has also the capability to infect and encrypt the shared resources inside the internal network. It uses the
NetShareEnum seeking the “ADMIN$” and “IPC$” records and then, it proceeds to encrypt the files contained inside the shared
folders


-----

Figure 9: Network shares encryption

At this point, we have the encryption phase. Royal Group uses a mixture of RSA and AES algorithms. The RSA public Key is
hardcoded in the sample, and it is easy to retrieve that:

Figure 10: Public RSA Key

In the following scheme, we highlight the encryption routine and the result of the encryption of a test file:


-----

Figure 11: Encryption routine
The encryption routine is assisted by the OpenSSL library. An AES key is randomly generated and then it is protected with the
RSA public key. In this way, the ransomware operator the encryption conserves the RSA private key to decrypt the original AES
key and then the files could be restored.

## Conclusion

The market of cyber extorsion is still growing and other threat actors are riding the wave of the most infamous 2022 trend. The
case Royal Ransomware Group is representative because it started by adopting the affiliation on the RaaS market, and when they
reached an appropriate expertise and experience, it created an independent group with a “proprietary” ransomware payload.

As stated, at the moment we have no proof they adopt the Ransomware-as-a-Service model, but the group is formed only by
talented pen-testers and malware developers aimed at making money through the Double Extorsion model. However, this doesn't
mean that in the near future the group will reach such a maturity that they will be capable of implementing the RaaS model.

## Indicators of Compromise

9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926
c24c59c8f4e7a581a5d45ee181151ec0a3f0b59af987eacf9b363577087c9746
5fda381a9884f7be2d57b8a290f389578a9d2f63e2ecb98bd773248a7eb99fa2
312f34ee8c7b2199a3e78b4a52bd87700cc8f3aa01aa641e5d899501cb720775
491c2b32095174b9de2fd799732a6f84878c2e23b9bb560cd3155cbdc65e2b80
2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f
f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429
7cbfea0bff4b373a175327d6cc395f6c176dab1cedf9075e7130508bec4d5393

## Yara Rules


-----

```
meta:

  author = "Yoroi Malware ZLab"

  description = "Rule for Royal Ransomware"

  last_updated = "2022-11-09"

  tlp = "WHITE"

  category = "informational"

strings:

  // x32

  $1 = {8d 84 ?? ?? ?? ?? ?? 50 ff 15 ?? ?? ?? ?? 83 f8 20 74 ?? 6a 00 ff 15 ?? ?? ?? ??}

  $2 = {68 ?? ?? ?? ?? ff 30 89 44 ?4 20 ff 15 ?? ?? ?? ?? 85 c0 75 ?? 8b 44 ?4 10 46 8b 0c b0 89 4c ?4 1c e9 ?? ?? ??
?? 8b 44 ?4 18 68 ?? ?? ?? ?? ff 30 ff 15 ?? ?? ?? ??}

  // x64

  $3 = {4? 8d ?? ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 83 f8 20 74 ?? 33 c9 ff 15 ?? ?? ?? ??}

  $4 = { 4? 8d 15 ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 85 c0 75 ?? 4? 8b 7b 08 ff c6 4? 83 c3 08 e9 ?? ?? ?? ?? 4? 8b 0b 4? 8d
15 ?? ?? ?? ?? ff 15 ?? ?? ?? ??}

condition:

  (($1 and $2) or ($3 and $4)) and uint16(0) == 0x5A4D

}

```
_This blog post was authored by Luigi Martire, Carmelo Ragusa of Yoroi Malware ZLAB_


-----