A Royal update

December 16, 2022

The latest and greatest on the Royal ransomware operation…

Introduction

In the past months we have supported multiple organisations that were hit by ransomware threat actors. In this blog we would like to share some of the latest Tactics, Techniques & Procedures (TTPs) used by the Royal ransomware group. Hopefully this will help organisations and other incident responders that are working similar cases.

Royal ransomware

Royal has been very active in the past few months. Analysis of their leaksite (onion link) shows that in November/December 2022 alone they published almost 60 victims. Based on our incident response cases we know that not all of their victims are published on the leaksite, so the actual number is even higher. If you want to know more about the group and their ransomware, check out this Microsoft post.

TTP overview

Below is an overview of the TTPs we observed for Royal ransomware:

Highlights

Initial access malware execution
It remains interesting to see what tricks Qbot employs to evade detection of the malicious attachment and to get it running on a host. In our case we saw the following infection chain:

A shoutout to proxylife (https://twitter.com/pr0xylife) on Twitter, who follows this malware and shares details on its configuration and execution flow.

UAC Bypass
To run their malicious scripts the Royal group used a very interesting UAC bypass that abuses a default scheduled task. This is a known technique, but it was the first time we spotted it in the wild. The interesting part is that it is very easy to miss what is going on; the following event is logged in PowerShell when this bypass is executed:

To learn more about this technique check out this blog by Elastic.

Hunting/Detection tips

One of the easiest ways to find traces of ransomware-group activity in Windows event logs is to search for:

  • Scheduled Tasks in the Application Event Log;
  • PowerShell activity; by default, Windows 7+ endpoints log PowerShell activity quite well;
  • Windows service installations, often used for persistence by Cobalt Strike.

Takeaways

  • Royal leverages more than one initial access malware family: IcedID was previously reported, and we have seen them using Qbot for initial access;
  • Heavy reliance on PowerShell to achieve objectives, used throughout all attack phases;
  • PowerSploit and AdFind remain popular choices for ransomware groups to perform reconnaissance and privilege escalation;
  • A speed-over-stealth approach: Royal ransomware operators move very quickly from initial access to full domain compromise without caring too much about the alerts triggered by security products;
  • Reliance on multiple backdoors and persistent access through Qbot and Cobalt Strike beacons;
  • Multiple data exfiltration destinations: we have seen the Dropbox and MegaSync applications being installed and used;
  • Scheduled tasks used for persistence and ransomware deployment.