Royal Ransomware Escalates: Targets Linux and VMware ESXi Environments

The Royal ransomware group, believed to be composed of ex-Conti gang members, has intensified its operations since its emergence last year. The group has primarily targeted critical infrastructure and healthcare organizations and has recently extended its reach to Linux and VMware ESXi environments.

Recent Developments:

Palo Alto Networks’ Unit 42 division reported on May 9 that the Royal ransomware group has developed a variant of its encryptor malware in the form of an executable and linkable format (ELF) binary. This new variant resembles the Windows version, with researchers noting that the sample contains no obfuscation and all strings, including the RSA public key and the ransom note, are stored as plaintext.
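
Because the strings are stored unobfuscated, a plain string scan is enough for first-pass triage of a suspect ELF file. The sketch below is an added example, not code from Unit 42 or from the original article. It assumes the embedded key uses PEM armor, which the report summary above does not state, and the ransom-note phrases and sample bytes are constructed placeholders.

```python
import re

ELF_MAGIC = b"\x7fELF"
# ASCII armor headers for PEM-encoded RSA public keys (PKCS#1 and SPKI forms).
# Assumption: the key is PEM-armored; the article only says it is plaintext.
PEM_PUBKEY = re.compile(rb"-----BEGIN (?:RSA )?PUBLIC KEY-----")
# Runs of six or more printable ASCII bytes, the same idea as `strings`.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# Hypothetical analyst-supplied phrases; replace with text from a real note.
NOTE_PHRASES = ("your files have been encrypted", "decryption tool")


def triage_elf(data, note_phrases=NOTE_PHRASES):
    """Return plaintext indicators found in an ELF image, or None if not ELF."""
    if not data.startswith(ELF_MAGIC):
        return None
    strings = [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]
    lowered = [s.lower() for s in strings]
    hits = sorted(p for p in note_phrases if any(p in s for s in lowered))
    has_key = PEM_PUBKEY.search(data) is not None
    return {
        "string_count": len(strings),
        "pem_public_key": has_key,
        "note_phrases": hits,
        # Flag only when both a key and note-like text are present in the clear.
        "suspicious": has_key and bool(hits),
    }


def constructed_sample(with_strings):
    """Build a fake ELF-like byte string for the demo; not a real binary."""
    body = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"\x90" * 32
    if with_strings:
        body += (b"-----BEGIN RSA PUBLIC KEY-----\nQUJDREVGR0g=\n"
                 b"-----END RSA PUBLIC KEY-----\x00")
        body += (b"Your files have been encrypted. "
                 b"Contact us for the decryption tool.\x00")
    return body


if __name__ == "__main__":
    print(triage_elf(constructed_sample(True)))
    print(triage_elf(constructed_sample(False)))
    print(triage_elf(b"MZ\x90\x00 not an ELF file"))
```

A hit from this scan is only a triage signal: many legitimate Linux binaries embed public keys, so the result should feed a review queue rather than an automatic block.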

Significance of Linux and VMware ESXi Targets:

Linux is widely used as the backbone of numerous networks, IoT devices, and mission-critical applications, making it a valuable target for threat actors aiming to disrupt critical operations. VMware’s ESXi platform has also become an attractive target for ransomware attackers, as a compromise of a single ESXi hypervisor could potentially grant access to all the virtual machines it controls.

The Royal Connection to Conti:

Researchers believe that the Royal ransomware group is mainly composed of former Conti ransomware group members, specifically those known as “Team One”. The Conti group, which was responsible for the Ryuk ransomware, disbanded in May last year following increased law enforcement and media attention. Ex-members have regrouped under new aliases, and their experience in ransomware development has contributed to the success of the Royal ransomware group.

Recent Attacks and Changes in Tactics:

Unit 42 incident responders have been involved in 15 cases related to Royal ransomware in the past nine months, with demands reaching up to $25 million in Bitcoin. The group targeted 14 manufacturing organizations in 2022 and an additional 26 in 2023. It has also attacked 14 educational institutions and eight healthcare organizations. Recently, the group claimed responsibility for an attack on the City of Dallas that disrupted government systems, including the Dallas Police Department website.

Unit 42 researchers also noted that the Royal ransomware group has started using the BatLoader first-stage malware dropper, typically spread through search engine optimization (SEO) poisoning. While the Royal group has not adopted the ransomware-as-a-service (RaaS) model like Conti, the use of BatLoader suggests possible partnerships to gain initial access to targeted organizations.

Defending Against the Royal Ransomware Threat:

As the Royal ransomware group becomes more active and targets critical infrastructure organizations more aggressively, businesses need to implement security best practices to protect themselves against ransomware threats. Unit 42 recommends the deployment of advanced logging capabilities, such as Sysmon, Windows command-line logging, and PowerShell logging, as well as using security information and event management (SIEM) tools to create queries and detection opportunities. Additionally, keeping systems patched and up to date and employing an extended/endpoint detection and response (XDR/EDR) solution are crucial steps to reduce the attack surface and detect process injection techniques.


The Royal ransomware group, composed of former Conti gang members, poses a significant threat to critical infrastructure organizations, particularly as it expands its focus to Linux and VMware ESXi environments. As this group evolves and changes tactics, organizations must remain vigilant and prioritize implementing robust security measures to protect their digital assets. By staying up to date on the latest cybersecurity developments, deploying advanced logging capabilities, and utilizing endpoint detection and response solutions, businesses can minimize the risk associated with the ever-growing threat of ransomware attacks. In the face of adversaries like the Royal ransomware group, a proactive and comprehensive approach to cybersecurity is more important than ever.
