Global, effective, and prolific: How the Royal ransomware group operates

The Royal group is believed to be largely composed of ex-members of the Conti ransomware gang, which, before it disbanded in early 2022, was known for particularly effective attacks on healthcare infrastructure, including emergency call lines and EMS services. A May 2021 attack caused Ireland to shut down the entire IT network of its healthcare system, leading to cancelled appointments and even delays in COVID-19 testing.

Royal is also known for its targeting of the healthcare sector, so much so that the US Department of Health and Human Services published a detailed advisory about the group and its methods in January 2022.

However, the Royal group has cast a far wider net in its 10 or so months of operation.

Victims

The group has claimed a total of 157 ransomware attacks against organisations as varied as retail and education, as well as utilities and telcos. The vast majority of its attacks have been against the manufacturing sector, followed by wholesale and retail operations, and legal services coming in third. Education and construction follow, with healthcare coming in as the sixth-most affected group.

In terms of numbers, that equates to 40 attacks against manufacturing targets, while the group has only targeted eight healthcare organisations. Local governments are also a target, with seven such incidents since 2022, including Royal’s recent attack on the city of Dallas, which saw a number of the city’s networks taken offline to assist in mitigating the attack.

Geographically, most of the group’s targets have been in the US. One hundred American organisations have fallen victim to Royal, with Canada following in a distant second, with 13 attacks. Germany, the UK, Italy and Brazil come next, with Australia apparently — and thankfully — a low-priority target.

Only three Australian organisations have been affected by Royal’s operations.

VIEW ALL

Methods

Royal uses a range of techniques to get inside target networks, including callback phishing, malvertising, SEO poisoning, exposed remote desktop protocol accounts, and compromised credentials.

The main aim of each, though, is to get a foot in the door of a target network. For instance, both SEO poisoning and malvertising both trick victims into downloading an apparently official-looking file or executable — but which is actually just the first part of Royal’s infection chain.

Royal uses a range of tools in its attacks, from PowerShell scripts to MSI files, but mostly revolve around getting the BatLoader malware installed on a target system. Once up and running, this malware can deploy more malicious payloads, notably Cobalt Strike.

Cobalt Strike is a popular threat emulation suite that is commonly abused by malicious actors and is often used in the lead-up to a ransomware attack. To further obfuscate its operations, Royal uses a number of Cobalt Strike servers masquerading as security companies, with domain names such as palaltocloud[.]online and kasperslkyupdate[.]com.

Researchers at Palo Alto’s Unit 42 group have observed a number of other tactics deployed by Royal, including using PowerTool to remove or disable endpoint security and NetScan to map out network structure. It then uses PsExec to move laterally within a network.

Royal has also been seen using another legitimate tool, Rclone, to assist in exfiltrating data ahead of running ransomware.

A couple of things set Royal apart from its contemporaries when it comes to methodology. For one thing, the group does not operate as a ransomware-as-a-service provider — Royal operates independently and on its own behalf. Secondly, there is no attempt at the group’s Windows or Linux ransomware variants code obfuscation or other anti-analysis methods.

Once the exfiltrated data is in Royal’s hands and the target system is encrypted, the victim finds a text file ransom note. No ransom amount is yet stated at this time, however.

“In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note,” CISA and the FBI said in a recent advisory. “Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL.” .onion sites are dark web sites that are difficult for authorities to track and disrupt.

Affiliation

While the Conti group that came before possibly had strong ties with Russian authorities and was a vocal supporter of the illegal invasion of Ukraine, it is possible that while many of the Royal group are Russian speakers, they’re not necessarily pro-Russian.

Conti disbanded soon after Russia invaded Ukraine in 2022, when an individual within the group — unhappy at supporting Putin and the invasion — leaked tens of thousands of chat logs. Some of the logs make reference to an address of a group that could have been helpful to Conti, an address that happened to align with that of the local FSB office in Saint Petersburg.

“We suspect Royal is comprised of ex-members of Conti, which primarily operated out of Russia, except for a member known as Paul, who is believed to be a Russian citizen living in Australia," Sean Duca, Vice President, Regional Chief Security Officer - Asia Pacific & Japan at Palo Alto Networks, told us. "Conti dissolved in 2022 after one of the members leaked internal communications regarding disagreements over support of the Russian invasion of Ukraine. This heightened existing tensions and, ultimately, the group’s dissolution. However, like a band breaking up, the members continued to ply their trade separately, in this instance forming a new group named Zeon, which subsequently rebranded as Royal in 2022. These members are experienced, having been involved in the development of Ryuk (discovered in 2018), which served as a predecessor to Conti.”

As to whether or not Royal can be trusted when it comes to restoring data, Duca believes that is beside the point.

“Royal’s reputation is that the group does/does not restore encrypted data once the target organisation pays up, however, the perceived ‘trustworthiness’ of a group should not determine whether a company pays a ransom. Ultimately, the organisation's risk appetite and its efforts to safeguard the data of both past and present customers should be the deciding factor.”

For now, Royal’s operations seem entirely financially motivated.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.