# Dark Web Profile: Royal Ransomware

**socradar.io/dark-web-profile-royal-ransomware/**

**_By SOCRadar Research_**

January 9, 2023

Ransomware attacks have grown in both number and impact in recent years. In 2021, several high-profile ransomware attacks made headlines, [such as the attack on the Colonial Pipeline](https://socradar.io/from-fuel-shortages-to-gas-hikes-how-the-colonial-pipeline-co-fell-victim-to-a-ransomware-attack/), which resulted in the temporary shutdown of the pipeline, caused fuel shortages and panic buying in some areas, and could have escalated into a national crisis. [In addition to targeting large companies, ransomware attacks are frequently directed at small businesses, hospitals, and other organizations](https://socradar.io/verizon-2022-dbir-all-sizes-of-businesses-suffer-from-ransomware/) with less robust cybersecurity measures. In November 2022, the Royal Ransomware group was the most active ransomware group, and it continues to damage organizations.

_Daily Dark Web's infographic of ransomware activities in November 2022 (Source: Daily Dark Web)_

## Who is Royal Ransomware Group?

[The Royal Ransomware strain was first detected in the operations of the threat actor DEV-0569 in September 2022.](https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/) [The actors behind Royal are experienced individuals from other ransomware operations, such as Conti, and they operate independently without any affiliates.](https://socradar.io/conti-ransomware-ended-they-operate-with-other-groups-now/) [The group runs a closed, professional operation rather than the Ransomware-as-a-Service model that most other groups use.](https://socradar.io/what-is-ransomware-as-a-service-raas/)

[According to SOCRadar's dark web team's findings, Royal Ransomware primarily targets the manufacturing industry.](https://socradar.io/manufacturing-industry-pays-the-highest-average-ransom-at-2-04m/) This may be because of the sector's broad attack surface, such as the variety of specialized equipment and managed software used on the factory floor. A limited IT and security workforce also makes factories easy targets for cybercriminals, and because extended downtime multiplies the damage to a facility, the probability that a manufacturer pays the ransom is high.

_Targeted industries of Royal Ransomware_

## How Royal Ransomware Group Attacks?

According to [BleepingComputer, Royal Ransomware attacks use a technique called callback phishing](https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/): the victim is tricked into believing they need to take some action, such as returning a phone call or opening an email attachment.

_An example of Royal's callback phishing mail (Source: Bleeping Computer)_

When the victim calls back, the group uses social engineering to persuade them to install remote access software, or [a malware downloader that poses as a legitimate application such as Zoom or Microsoft Teams](https://socradar.io/top-5-tactics-threat-actors-use-for-initial-access/), and thereby gains initial access to the victim organization's network.

_[Diagram of DEV-0569's attack chain; DEV-0569 is a threat actor that actively uses Royal Ransomware (Source: Microsoft)](https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/)_

SOCRadar researchers obtained and analyzed a Royal Ransomware sample; the results are detailed in the malware analysis sections below. The group generally uses double extortion: it exfiltrates sensitive data before encrypting it, so the ransom covers both decryption and the promise not to publish the stolen data.
The group's ransom demands range from $250,000 to over $2 million.

### Which Countries Did Royal Ransomware Target?

Royal ransomware group's victims are mostly located in Europe and the Americas.

_Countries affected by Royal Ransomware_

SOCRadar researchers analyzed about 70 claims observed from Royal Ransomware since September 2022 and found that around 69% of the attacks targeted organizations in the United States.

_Royal Ransomware's percentage distribution of target countries in its latest attacks_

### Findings on Royal Ransomware

Since the group has damaged about 75 organizations and remains active, SOCRadar researchers browsed open sources and [examined a Royal Ransomware sample obtained from the MalwareBazaar platform](https://bazaar.abuse.ch/sample/f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429/) to learn what happens after it starts running on an infected system. The findings are summarized below; the IOCs of the analyzed sample are listed in the Appendixes section.

Several anti-analysis techniques were encountered while stepping through the Royal Ransomware sample. Once these stages were passed, the process was seen to check three command-line arguments: "-path", "-id", and "-ep". The "-id" parameter is the victim ID, "-path" is the directory to encrypt, and "-ep", as we observed, is the percentage of each file that gets encrypted.
_"-path", "-id", and "-ep" parameters used in Royal Ransomware_

[The program also skips encryption for all files with the extensions "dll", "bat", "royal", or "exe".](https://socradar.io/lets-start-from-the-beginning-what-is-encryption/)

_Skipping files with extensions dll, bat, exe, and royal_

The program encrypts files with AES using a key and IV, and appends the ".royal" extension to each encrypted file.

_[AES key and IV generation (Source: TrendMicro)](https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html)_

When the encryption process starts, the first "README.TXT" file containing the ransom note is created under the C:\Program Files directory.

_First ransom note file observed in C:\Program Files_

_[Royal's ransom note (Source: BleepingComputer)](https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/)_

The URL in the ransom note directs the victim to Royal's contact page:

_Contact form page of Royal_

The Royal group uses another page to publish its claims:

_Royal's page where they publish their claims and links to exfiltrated files_

[Security researchers observed that the group first used BlackCat's encryptor and Zeon's ransom notes; the notes changed to Royal's own in September 2022.](https://socradar.io/dark-web-profile-blackcat-alphv/)
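To make the selection rules concrete, the following is an added example written for this page, not code from the Royal sample or from SOCRadar. It models which files a Royal run would leave untouched and how large the encrypted region of each remaining file is for a given "-ep" value, combining the extension list above with the directory, share and IP-prefix rules reported in the executive summary, dynamic analysis and network activity sections below. The AES/RSA stage is not reproduced. Assumptions, also marked in the code: matching is case-insensitive, the directory strings are matched as substrings of any path component (the page says directories "containing" those strings), and the encrypted region is "-ep" percent of the file rounded up to a whole byte; the sample's exact rule for switching between full and partial encryption by file size is not documented on this page and is therefore not modeled. The file tree at the bottom is constructed for the demonstration.

```python
"""Model of Royal's file-selection and partial-encryption rules (added example).

Not code from the Royal sample or from SOCRadar: it re-implements the rules
reported in this analysis so that a defender can reason about which files a
run would leave untouched and how much of each targeted file is encrypted.
The AES/RSA stage is deliberately not reproduced.
"""
from pathlib import PureWindowsPath

# Extensions and file names the sample skips (dynamic analysis section).
SKIPPED_EXTENSIONS = {".exe", ".dll", ".bat", ".lnk", ".royal"}
SKIPPED_FILENAMES = {"readme.txt"}

# Directory-name substrings that spare a whole subtree (dynamic analysis section).
# Assumption: matched case-insensitively, as substrings of any path component,
# so a folder such as "bootstrap" is also spared because it contains "boot".
SKIPPED_DIR_SUBSTRINGS = (
    "windows", "royal", "perflogs", "tor browser", "boot", "$recycle.bin",
    "windows.old", "$windows.~ws", "$windows.~bt", "mozilla", "google",
)

# Administrative shares the network stage does not encrypt (network activity section).
SKIPPED_SHARES = {"ADMIN$", "IPC$"}

# Address prefixes the network stage selects (network activity section).
TARGET_IP_PREFIXES = ("192.10.100.", "172.")


def is_excluded_path(path: str) -> bool:
    """True if the sample's exclusion rules would leave this file untouched."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name in SKIPPED_FILENAMES or p.suffix.lower() in SKIPPED_EXTENSIONS:
        return True
    # parts[0] is the drive ("C:\\"); the parts between it and the file name
    # are the directory components.
    directories = [part.lower() for part in p.parts[1:-1]]
    return any(s in d for d in directories for s in SKIPPED_DIR_SUBSTRINGS)


def is_excluded_share(share_name: str) -> bool:
    """True for the administrative shares the ransomware skips."""
    return share_name.upper() in SKIPPED_SHARES


def is_target_ip(ip: str) -> bool:
    """True if the address falls into one of the prefixes the scanner looks for."""
    return ip.startswith(TARGET_IP_PREFIXES)


def worker_threads(processor_count: int) -> int:
    """Number of encryption threads: twice the processor count (encryption section)."""
    return processor_count * 2


def bytes_to_encrypt(file_size: int, ep: int) -> int:
    """Size in bytes of the region encrypted for a given -ep percentage.

    Assumption: the region is ep percent of the file, rounded up to a whole
    byte; ep=100 encrypts the file completely.
    """
    if not 0 <= ep <= 100:
        raise ValueError("-ep must be a percentage between 0 and 100")
    if ep == 100:
        return file_size
    return -(-file_size * ep // 100)  # ceiling division


def plan_encryption(files: dict, ep: int) -> list:
    """Return (path, encrypted_bytes, untouched_bytes) for every file that is
    not excluded. `files` maps a Windows path to its size in bytes."""
    plan = []
    for path, size in files.items():
        if is_excluded_path(path):
            continue
        enc = bytes_to_encrypt(size, ep)
        plan.append((path, enc, size - enc))
    return plan


if __name__ == "__main__":
    # Constructed sample file tree (sizes in bytes), not data from a real host.
    tree = {
        r"C:\Windows\Temp\notes.txt": 700,
        r"C:\Program Files\Google\Chrome\chrome.dat": 50_000,
        r"C:\Users\alice\Documents\q4-forecast.xlsx": 1_000,
        r"C:\Users\alice\Desktop\setup.exe": 2_000_000,
        r"D:\Shares\Finance\README.TXT": 400,
        r"D:\Shares\Finance\ledger.accdb": 1_001,
    }
    for path, enc, clear in plan_encryption(tree, ep=10):
        print(f"{path}: encrypt {enc} bytes, leave {clear} bytes in the clear")
```

The untouched-bytes column is the forensically interesting one: with a small "-ep", most of a large file survives in plaintext, which is why partially encrypted files are worth triaging for recoverable content before assuming total loss.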
_Zeon ransom note (Source: BleepingComputer)_

Additionally, the ransom note used by Royal is similar to the one used by Conti (seen as Zeon after Conti stopped operating), [and the code used to decrypt files is also shared with Conti.](https://twitter.com/albertzsigovits/status/1576887610693369856)

### Royal Ransomware Malware Analysis Executive Summary

**Threat Identifiers**

| | |
|---|---|
| **Name** | Royal Ransomware |
| **Threat Type** | Ransomware |
| **Detections** | [Full List (VirusTotal)](https://www.virustotal.com/gui/file/f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429) |
| **Tor Addresses** | hxxp[:]//royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid[.]onion, hxxp[:]//royal4ezp7xrbakkus3oofjw6gszrohpodmdnfbe5e4w3og5sm7vb3qd[.]onion |
| **Noticeable Behaviors** | The ransomware skips encryption for all files with the extensions "dll, bat, royal, exe". Files under directories whose names contain "Windows, Royal, Perflogs, Tor browser, Boot, $recycle.bin, Windows.old, $windows.~ws, $windows.~bt, Mozilla, Google" are not encrypted either. |
| **Conclusion** | The group's attacks are becoming more frequent and its pattern should be kept in mind. Royal mainly uses callback phishing for initial access, so organizations should train their employees to recognize it. |

Royal ransomware is a recent threat that appeared in 2022 and has been particularly active in recent months. It deletes all Volume Shadow Copies and skips specific file extensions and folders. It encrypts the network shares found on the local network as well as the local drives. A "-id" parameter, which identifies the victim and is also written into the ransom note, must be given on the command line. Files are encrypted with the AES algorithm (via OpenSSL), and the AES key and IV are encrypted with an RSA public key that is hard-coded in the executable.
The malware encrypts a file fully or partially depending on the file's size and the "-ep" parameter. The extension of encrypted files is changed to ".royal".

### Ransomware Composition

When run as an administrator, Royal ransomware spawns two sub-processes and terminates them afterwards. The terminations could be because the parent process detects the analysis tooling, or because it detects the virtual machine environment and terminates itself; this is answered in the static analysis section. The findings gathered with Sysmon, Process Monitor and Event Viewer are shown in the table below:

| Process Name | Command Line |
|---|---|
| vssadmin.exe | `delete shadows /all /quiet` |
| conhost.exe | `\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1` |
| slui.exe | `\??\C:\WINDOWS\System32\slui.exe -Embedding` |

**vssadmin.exe**: Volume Shadow Copy Service (VSS) is a Windows service that takes manual or automatic backup copies (snapshots) of files or volumes, even while they are in use. vssadmin.exe is its command-line administration tool; `delete shadows /all /quiet` silently removes every existing snapshot, which is what stops the victim from restoring files from a local snapshot after encryption.

**conhost.exe**: Microsoft's Console Windows Host is a legitimate file and is usually completely safe. It must run for Command Prompt to work with Windows Explorer; one of its features is that it lets you drag and drop files/folders straight into Command Prompt.

### Static Analysis

**Overview**

| | |
|---|---|
| **File Name** | Royal.exe |
| **File Size** | 3,013 KB |
| **File Type** | Win32 EXE |
| **MD5** | df0b88dafe7a65295f99e69a67db9e1b |
| **SHA-1** | db3163a09eb33ff4370ad162a05f4b2584a20456 |
| **SHA-256** | f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429 |

The ransomware is written in C++ and is not packed, even though its entropy value of 6.60303 initially led the tool to rate it as 82% likely to be packed. Let's examine the strings and see what the analysis turns up. The entropy value is shown in the screenshot below.
Searching the strings for "HTTP" returns one hit: an onion URL, which may be Royal Ransomware's contact address.

The first function called at program start is shown in the screenshot below:

Anti-debugger control is implemented with the "IsDebuggerPresent" API. If the call returns 1 in the EAX register, the program terminates itself, so it cannot be debugged with the analysis tools; to keep it running under a debugger, the return value has to be changed to 0. This anti-debugger bypass is performed in the dynamic analysis section.

The function related to the OpenSSL and RC4 encryption stage is shown in the image below:

The ransomware imports a hard-coded RSA public key. The OpenSSL library is used to encrypt the files with AES, and the AES key is then encrypted with the RSA public key:

### Dynamic Analysis

Royal ransomware takes three arguments when executed. This section begins the dynamic analysis by showing what they are and what they are used for.

When the program runs, it deletes backups through child processes (vssadmin.exe and conhost.exe, with the command lines listed in the Ransomware Composition section).

### ANY.RUN Process Graph

_Process graph: royal.exe (PID 1568) spawning vssadmin.exe (PID 4768), conhost.exe (PID 4892) and slui.exe (PID 1672)_

Behavioral information reported by the sandbox:

- Reads the computer name
- Checks supported languages
- The process checks LSA protection

Examining the network activity, we found no interaction with blacklisted IP addresses; all requested domains were legitimate, whitelisted addresses.

Since it is a 64-bit program, let's run it step by step in the virtual environment with x64dbg, marking the relevant parts.
Running the sample in the debugger and trying to move forward by putting a breakpoint on a few specific points, the program closes itself and performs the terminate operation. It is clear that the anti-analysis techniques seen in the static analysis section are in use.

Command line arguments:

- `-path`: the path to be encrypted.
- `-ep`: the number that represents the percentage of each file that will be encrypted.
- `-id`: a 32-character identifier.

The code where these parameters are handled, re-examined with Ghidra, is shown below:

### Anti-Analysis Section

We saw the EAX register value of 1 for IsDebuggerPresent, an API we constantly encounter in malware and one that makes the analyst's job harder. Let's check again with Ghidra and look at what can be done to bypass the anti-analysis check. As the screenshot below shows, if we let the function call at address "00007FF6FDE0296D" execute, the program performs the terminate operation.

Let's skip that call by changing the RIP register before it terminates the process, and continue exploring. We detected another function call that performs a terminate operation at "00007FF6FDE029CF"; we apply the same RIP change at this stage as well. It repeats the same actions. Now let's start reviewing the parts we skipped.

After getting through the anti-analysis stages, we continued monitoring the program's operation, as seen in the image below.

Once the backups have been deleted, Royal ransomware sets its exclusion lists (the files and directories spared from encryption). The following file extensions and names are excluded from encryption: .exe, .dll, .bat, .lnk, README.TXT, .royal

Next, the ransomware sets the list of directories excluded from the encryption process.
These directories are the ones whose names contain the following strings: Windows, Royal, Perflogs, Tor Browser, Boot, $recycle.bin, Windows.old, $windows.~ws, $windows.~bt, Mozilla, Google.

### Network Activity

The ransomware scans the network interfaces and, where possible, retrieves the IP addresses of the target machine(s) with the "GetIpAddrTable" API call. It specifically looks for IP addresses that start with "192.10.100." or "172.". Royal ransomware then creates a socket with the WSASocketW API, associates it with a completion port via CreateIoCompletionPort, sets the SMB port with the htons API call, and finally tries to connect to the selected IP addresses through the LPFN_CONNECTEX callback function. It enumerates the shared resources of each IP address with the NetShareEnum API. If a shared resource is "\\\ADMIN$" or "\\\IPC$", the ransomware does not encrypt it.

### Encryption

Royal ransomware's encryption is multi-threaded. To choose the number of worker threads, it calls GetNativeSystemInfo to obtain the number of processors in the machine, multiplies the result by two, and creates that many threads. Next, the ransomware sets the RSA public key, which is embedded in the binary in plain text and is used to encrypt the AES keys.

**RSA Public Key:**

-----BEGIN RSA PUBLIC KEY-----
MIICCAKCAgEAuWfX+pJCUCKc9xsWLVHpCpw6TL20HG/Vk4vF3GYlr6HltX7BMRfA
7oGyMztNb37xW66NX+uxHghrX3+sm23yJmSfres

Regarding partial encryption, Royal ransomware gives the operator more flexibility for evading detection than most ransomware: encrypting only a fraction of each file is much faster and produces far less disk I/O for behavior-based monitoring to notice. We assume this flexibility and the evasion it enables were a design goal of Royal's creators.

### Latest Attacks of the Group

[Ransomware attacks on the healthcare industry increased by 81.1% in 2022 compared to 2021.](https://socradar.io/5-lessons-learned-from-healthcare-industry-cyberattacks-in-2022/) The [Health Sector Cybersecurity Coordination Center (HC3) also draws attention to this issue in its latest analyst note on Royal Ransomware.](https://www.hhs.gov/sites/default/files/royal-ransomware-analyst-note.pdf) Some recent attacks in the healthcare industry, such as the compromises of Northwest Michigan Health Services and Happy Sapiens Dental, were carried out by Royal Ransomware. The group will likely target this sector more often in the future.

_Royal's post about Happy Sapiens Dental_

One of Royal's most significant claims is the compromise of INTRADO, an American telecommunications company. It is unknown exactly which data was stolen, but according to Royal, they exfiltrated internal documents, passports, and driver's licenses of INTRADO's employees.

_Royal's claim about INTRADO_

Countries affected by Royal Ransomware over time, based on our findings from around 70 observations, can be seen below:

_Timeline of Royal Ransomware attacks_

The SOCRadar dark web team constantly monitors ransomware activities and reports them in the SOCRadar Dark Web News panel.

_SOCRadar's Dark Web News panel under the Cyber Threat Intelligence module_

### Conclusion

This group's attacks are occurring more often, and its pattern should be kept in mind. The group mainly uses callback phishing to get initial access to its victims, so organizations should provide [cybersecurity awareness training](https://socradar.io/building-cybersecurity-awareness-for-organizations/) for their employees to prevent callback phishing attacks.

Employees should:

- Be cautious of unsolicited calls, texts, or emails, especially those asking for personal information or login credentials.
- Be cautious when providing personal information online.
- Not click links or download attachments from unknown sources.
- Use strong passwords and back them with a 2FA or MFA solution.
- Keep their systems up to date, which helps protect devices from vulnerabilities that could be exploited.

Organizations, especially those operating in the manufacturing and healthcare sectors, should:

- Regularly update and patch software and systems.
- Regularly back up important data and test the backups. Because Royal deletes Volume Shadow Copies, at least one copy must be kept offline or otherwise out of reach of an account that can run vssadmin on the host.
- Use network segmentation and access controls to limit attackers' movement within the network. Royal scans for and encrypts reachable SMB shares, so every share a compromised host can reach is part of the blast radius.
- Deploy and regularly update security software (e.g., firewalls and antivirus).

These measures can reduce the risk from Royal Ransomware, but no security measure is foolproof. It is vital to have a response plan in place in case of an attack.

### Appendixes

**Appendix 1. Royal Ransomware (used sample's information)**

- **MD5:** df0b88dafe7a65295f99e69a67db9e1b
- **SHA-1:** db3163a09eb33ff4370ad162a05f4b2584a20456
- **SHA-256:** f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429
- **File Type:** Win32 EXE

**IOCs of Royal Ransomware:**

- 104.86.182.8:443 (TCP)
- 20.99.133.109:443 (TCP)
- 20.99.184.37:443 (TCP)
- 23.216.147.64:443 (TCP)
- a83f:8110:0:0:64ca:1f00:0:0:53 (UDP)
- a83f:8110:1749:73ff:1749:73ff:1a4b:73ff:53 (UDP)
- a83f:8110:8401:0:2075:2cc:8401:0:53 (UDP)
- hxxp[:]//royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid[.]onion/%s
- README.txt

The network analysis above found no interaction with blacklisted addresses, so treat the IP entries as destinations observed during sandbox execution rather than confirmed command-and-control; the hashes, the ransom note and the onion address are the high-confidence indicators.

**Appendix 2. MITRE ATT&CK Techniques**

| Technique | Name |
|---|---|
| T1059 | [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/) |
| T1106 | [Native API](https://attack.mitre.org/techniques/T1106/) |
| T1559.001 | [Inter-Process Communication: Component Object Model](https://attack.mitre.org/techniques/T1559/001/) |
| T1129 | [Shared Modules](https://attack.mitre.org/techniques/T1129/) |
| T1055 | [Process Injection](https://attack.mitre.org/techniques/T1055/) |
| T1134 | [Access Token Manipulation](https://attack.mitre.org/techniques/T1134/) |
| T1134.001 | [Access Token Manipulation: Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001/) |
| T1070.004 | [Indicator Removal: File Deletion](https://attack.mitre.org/techniques/T1070/004/) |
| T1622 | [Debugger Evasion](https://attack.mitre.org/techniques/T1622/) |
| T1027 | [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027/) |
| T1140 | [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140/) |
| T1082 | [System Information Discovery](https://attack.mitre.org/techniques/T1082/) |
| T1057 | [Process Discovery](https://attack.mitre.org/techniques/T1057/) |
| T1083 | [File and Directory Discovery](https://attack.mitre.org/techniques/T1083/) |
| T1135 | [Network Share Discovery](https://attack.mitre.org/techniques/T1135/) |
| T1518 | [Software Discovery](https://attack.mitre.org/techniques/T1518/) |
| T1560 | [Archive Collected Data](https://attack.mitre.org/techniques/T1560/) |
| T1090 | [Proxy](https://attack.mitre.org/techniques/T1090/) |