You are here

Joint Cybersecurity Advisory – #StopRansomware: Royal Ransomware (Updated November 14, 2023)

Joint Cybersecurity Advisory – #StopRansomware: Royal Ransomware (Updated November 14, 2023)

Created: Tuesday, November 14, 2023 - 15:14
Categories:
Cybersecurity

November 14, 2023

The FBI and CISA recently published an update to the joint Cybersecurity Advisory “#StopRansomware: Royal Ransomware.” The updated advisory provides network defenders with additional information on tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. FBI investigations identified these TTPs and IOCs as recently as June 2023.

Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded $275 million. Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors. There are indications Royal may be preparing for a re-branding effort and/or a spinoff variant. Blacksuit ransomware shares a number of identified coding characteristics similar to Royal. A previous joint CSA for Royal ransomware was published on March 2, 2023.

CISA and the FBI encourage network defenders to review the CSA and apply the included mitigations. See StopRansomware.gov for additional guidance on ransomware protection, detection, and response. To report suspicious or criminal activity related to information found in advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at [email protected]. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at [email protected]Access the full advisory at CISA.

March 2, 2023

Today, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) #StopRansomware: Royal Ransomware to provide network defenders tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. FBI investigations identified these TTPs and IOCs as recently as January 2023.

Since approximately September 2022, cyber criminals have compromised U.S. and international organizations with a Royal ransomware variant. The reporting agencies believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used “Zeon” as a loader. After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems. In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL (reachable through the Tor browser). Royal actors have targeted numerous critical infrastructure sectors including, but not limited to, Manufacturing, Communications, Healthcare and Public Healthcare (HPH), and Education.

CISA and the FBI encourage network defenders to review the CSA and apply the included mitigations. See StopRansomware.gov for additional guidance on ransomware protection, detection, and response. To report suspicious or criminal activity related to information found in advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at [email protected]. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at [email protected]Access the full advisory at CISA.