Fraud Management & Cybercrime , Ransomware , Social Engineering

Fake Data Theft Proof Leads to Royal Ransomware Outbreak

Tranche of Stolen Data Is Disguised Royal Ransomware Installer, Researchers Warn
Fake Data Theft Proof Leads to Royal Ransomware Outbreak
Image: Shutterstock

Hacking is hard. Having users install their own ransomware is much easier, a Russian-speaking threat group has concluded.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The Royal ransomware group - another offshoot of the disbanded Conti group - appears to have targeted more than 1,000 organizations with a social engineering attack designed to trick victims into trusting the attackers, said researchers at threat intelligence firm Red Sense.*

The firm last month identified a spam campaign that appears to trace to Royal and that layers on the deception, first by falsely notifying victims that they've been attacked by a ransomware group and then by pressuring them into opening a file that purportedly lists what was stolen but is really a malware loader.

If the victim falls for the social engineering attack, they really might fall victim to ransomware.

The scheme may have even concocted a fake version of the Midnight Group, said Yelisey Bohuslavskiy, Red Sense's chief research officer.

Incident response firm Arete recently detailed these apparent Midnight Group attacks, assessing that the group's claims to have infected victims with ransomware appeared to be fake. "Victims of this fraud campaign receive emails claiming the Midnight Group was behind the original ransomware attack, and their data will be posted on the dark web if they do not pay," Arete reported, noting that Midnight first began operating in 2019.

Red Sense says the deception goes even deeper - that claiming these attacks were launched by Midnight is itself a fake scheme likely cooked up by Royal. This assessment is based in part on the attack telemetry and malware used by the attackers, as well as the emails received by victims.

The ploy - scaring victims into thinking their systems have been locked by ransomware and then manipulating them into installing the actual ransomware - is a variation of a gambit known as BazarCall, a "callback phishing" tactic pioneered by Conti. Attackers contact victims over the telephone and pretend to be part of the technical support team staff at a software vendor or a food-delivery company. The attackers try to trick victims into installing remote control software. When successful, attackers use their access to install malware and attempt to further penetrate the network before stealing data and crypto-locking as many files as possible.

Post-Conti Groups

Royal is an outgrowth of Conti, which splintered about a year ago after a disastrous decision to publicly back the Kremlin in its war of choice against Ukraine, a stand that dried up victims' willingness to pay extortion.

The Royal group today counts "between 50 and 60 people" as participants, but most of them are "working in small teams" of four or five people who collaborate to find and take down new victims, Bohuslavskiy said.

When the Royal group first launched in early 2022, it used various types of ransomware, although none of its own design, researchers reported. In September 2022, the group began deploying its own ransomware, which appends .royal to the end of encrypted files. The group's initial ransom demands often ranged from $250,000 to over $2 million, researchers said at the time.

In December 2022, U.S. officials warned that Royal appeared to be amassing healthcare targets. Last month, they said that the overall volume of the group's attacks appeared to be picking up steam.

"They have escalated their attacks to focus on top tier-corporations for larger ransoms," security researchers Laurie Iacono and Stephen Green at incident response firm Kroll reported in February.

Target: Windows and Linux

Using BazarCall strategies isn't the only trick up Royal's sleeve. While the group's initial ransomware targeted Windows systems, researchers last month spotted a new variant designed to infect Linux systems.

"The two executables are somewhat similar in functioning, barring some different modules, such as the existence of a network scanner in the Windows version, while the Linux version can shut ESXi virtual machines down," security researchers Alexandre Mundo and Max Kersten at Trellix said in a research report released Monday.

To demonstrate some of the group's tactics, techniques and procedures, Trellix published details of an incident response engagement it handled at the end of last year against a victim it declined to identify.

Trellix said this Royal ransomware attack began with a phishing email that instructed the recipient to download a file that eventually executed a Qbot payload, which is also used by some other post-Conti groups.

About four hours into the attack, "Cobalt Strike was installed as a service on a domain controller," and attackers began moving laterally, escalating privileges and running some PowerShell scripts, the Trellix researchers said. Several days later, attackers exfiltrated over 25 gigabytes of data and a few days after that, they unleashed Royal ransomware, which used partial encryption to more rapidly encrypt files.

"The ransomware's encryption scheme seems to be implemented properly," meaning there are no obvious ways to crack flaws in its implementation to forcibly decrypt files, the researchers said. "As such, recent backups or a decryptor are the only ways to recover lost files."

*Correction April 5, 2023 08:31 UTC: This story has been updated to correct the count of organizations targeted by Royal's scheme to over 1,000.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.