CyberHoot has recently seen the impact of the Royal ransomware first-hand. An MSP had a client that refused security awareness training, and someone there fell for one of the many attack vectors in this evolving ransomware gang’s bag of dirty tricks. The MSP spent two weekends recovering systems and data. They have since decided to require all clients to enroll in CyberHoot and are rolling out SentinelOne as a technical prevention measure. See the video at the end of this article showing how it stops Royal ransomware.
According to Microsoft, this ransomware gang, which it tracks as DEV-0569 while its identity remains unknown, has recently emerged with some very effective new methods for spreading ransomware. They certainly still use traditional phishing emails to deliver malware-laden attachments to unsuspecting recipients. When the recipient is running with administrator rights, the infection spreads immediately with little to stop it. Would everyone please stop operating desktop computers with admin rights?! But there is nothing new in that, so what else are they doing?
Another interesting attack vector is building trust with employees by reaching out through your company website’s “Contact Us” form. Once they have built enough rapport, they send a file to the unsuspecting user, who opens it and executes the malware, creating a Royal ransomware infection that spreads quickly, encrypting all your files.
Most deviously, these hackers may send a fake software update alert with a link to download and install it. The email looks as if it came from a vendor you use and relies on urgent, scary language to convince you to install the “software update” before hackers strike. This is clever and sneaky, but entirely predictable if you know what you are looking for: scare tactics and a sense of urgency.
Malvertising is also used by Royal ransomware to infect users who click on a Google Ads search result. The ad leads to a compromised or look-alike website that pushes a file to the visitor, and opening that file spreads Royal.
Microsoft reports seeing this gang exploit missing patches in a hands-on-keyboard approach to get a toehold in your network. From there they escalate privileges and either deploy Royal themselves or auction their access to the highest bidder on dark web forums where ransomware targets are traded. Either way, your company ends up compromised.
Finally, they may combine several of the methods above to breach your network. They pair the “Contact Us” approach with a phishing attack or bogus update email. Since many people add “Contact Us” correspondents to their address book, later emails from the same address often lose the “external/untrusted” warning banner set up by IT departments. They then send a blatant phishing email or the fake software update from that same, now-trusted address. This is enough to get some people to click and spread the ransomware.
CyberHoot would recommend two distinct approaches to protecting yourself from this variant of ransomware. First, we always want you to educate and test your employees on how to spot and avoid phishing attacks. Our novel assignment-based phish testing gives the most complete set of puzzle pieces or “identifiers” of a phishing email to your employees of any product on the market. When you have all 7 puzzle pieces, you can more easily spot these attacks, no matter their evolving methods.
Second, do not give employees administrative access to their workstations. Local admin rights amplify the damage a single successful phish can do, because the malware runs with the same privileges as the user who opened it. Limit each employee to the least privilege necessary for their job. If someone truly needs administrative access, give them a separate admin account that is used only when elevation is required, and never for email or web browsing.
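As an added example (not part of CyberHoot’s article), the following PowerShell audits the local Administrators group on a Windows workstation and reports, or optionally removes, members that are not on an approved list. It only uses the built-in LocalAccounts cmdlets (Get-LocalGroupMember, Remove-LocalGroupMember) and must run from an elevated session. The approved principal names, the “CORP” domain and the “-adm” suffix for secondary admin accounts are assumptions; adjust them to your environment.

```powershell
# Added example; not code from the CyberHoot article. Audits the local Administrators group
# and flags (optionally removes) members that are not on an approved list. Requires
# PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module and an elevated session.
# The approved names, the CORP domain and the "-adm" suffix are assumptions for illustration.

function Get-UnapprovedLocalAdmins {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Principals allowed to keep local admin rights (assumed names; adjust to your domain).
        [string[]]$Approved = @(
            "$env:COMPUTERNAME\Administrator",   # built-in local admin (keep disabled, manage with LAPS)
            'CORP\Domain Admins',
            'CORP\Workstation-Admins'            # group that holds the secondary "-adm" accounts
        ),
        # Suffix marking a secondary admin account that is used only when elevation is needed.
        [string]$AdminSuffix = '-adm',
        # Remove offenders instead of only reporting them. Honors -WhatIf / -Confirm.
        [switch]$Remove
    )

    $members = Get-LocalGroupMember -Group 'Administrators'

    foreach ($m in $members) {
        # Approved groups and accounts are fine as-is.
        if ($Approved -contains $m.Name) { continue }

        # A user account whose name ends in the admin suffix is a secondary admin account.
        if ($m.ObjectClass -eq 'User' -and $m.Name -match "$([regex]::Escape($AdminSuffix))$") { continue }

        # Everything else is a day-to-day account holding admin rights: the condition that lets
        # one phished user encrypt the whole machine and pivot further into the network.
        $finding = [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Member      = $m.Name
            ObjectClass = $m.ObjectClass
            Source      = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
        }

        if ($Remove -and $PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
        }

        $finding
    }
}

# Report only:
Get-UnapprovedLocalAdmins | Format-Table -AutoSize

# Dry run of the removal, then the real thing once the report looks right:
# Get-UnapprovedLocalAdmins -Remove -WhatIf
# Get-UnapprovedLocalAdmins -Remove

# Fleet-wide report over WinRM (assumes a text file with one workstation name per line):
# Invoke-Command -ComputerName (Get-Content .\workstations.txt) -ScriptBlock ${function:Get-UnapprovedLocalAdmins} |
#     Export-Csv .\local-admin-findings.csv -NoTypeInformation
```

Run the report first and review it; the -Remove switch goes through ShouldProcess, so -WhatIf shows exactly which accounts would be pulled before anything changes. Any account that appears in the findings and belongs to a person who reads email or browses the web from it is the case this section warns about: move that person to a standard account and, if they genuinely need elevation, give them a separate “-adm” account instead.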
Finally, CyberHoot suggests a technical measure for when employees forget their awareness training and phish testing and still fall victim to phishing. Deploying an advanced Endpoint Detection and Response (EDR) solution such as SentinelOne or CrowdStrike can stop or contain the infection in some of these cases.
It goes without saying, but always back up your data using a 3-2-1 methodology: three copies of the data, on two different media, with one copy kept off-site. Most cloud backup vendors offer versioning, which helps restore data quickly in a ransomware emergency. However, do not assume that having a backup makes you safe from ransomware. Besides the downtime to restore your systems and data, these hackers threaten to publish your critical and sensitive data online. For many companies this is devastating enough to force them to pay the ransom even though they have all their data backed up. Imagine private legal files, health records, or tax forms being published on the Internet. The reputational damage from a breach of client data and trust can be enormous.
Ransomware continues to evolve and grow in popularity among hackers because it works and is quite lucrative. Verizon’s 2022 Data Breach Investigations Report cited a 13% increase in ransomware attacks in 2021 (the last year studied), a rise as large as the previous five years (2016 to 2020) combined. Ransomware is not going away; you either build your defenses up proactively or start planning for a reactive recovery when you get hit. Also, many cyber-insurance policies now exclude or limit ransomware payments, so you cannot rely on insurance to get you out of a successful attack.
Sources:
DEV-0569 Finds New Ways to Deliver Royal Ransomware
This Sneaky Malware Gang Keeps Changing Tactics to Spread Royal Ransomware