S1073 Royal
Royal is ransomware that first appeared in early 2022; a version that also targets ESXi servers was observed in February 2023. Royal uses partial encryption and multiple threads to evade detection and to speed up encryption. Royal has been used in attacks against multiple industries worldwide, including critical infrastructure. Security researchers have identified similarities between the encryption routines and TTPs used in Royal and Conti attacks and noted a possible connection between their operators.[5][2][3][4][1]
Item | Value |
---|---|
ID | S1073 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 30 March 2023 |
Last Modified | 17 April 2023 |
Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1486 | Data Encrypted for Impact | Royal uses a multi-threaded encryption process that can partially encrypt targeted files with the OpenSSL library and the AES-256 algorithm.[2][3][4] |
enterprise | T1083 | File and Directory Discovery | Royal can identify specific files and directories to exclude from the encryption process.[2][3][4] |
enterprise | T1490 | Inhibit System Recovery | Royal can delete shadow copy backups with vssadmin.exe using the command `delete shadows /all /quiet`.[2][3][1] |
enterprise | T1106 | Native API | Royal can use multiple APIs for discovery, communication, and execution.[2] |
enterprise | T1046 | Network Service Discovery | Royal can scan the network interfaces of targeted systems.[2] |
enterprise | T1135 | Network Share Discovery | Royal can enumerate the shared resources of a given IP address using the API call `NetShareEnum`.[2] |
enterprise | T1095 | Non-Application Layer Protocol | Royal establishes a TCP socket for C2 communication using the API `WSASocketW`.[2] |
enterprise | T1566 | Phishing | Royal has been spread through phishing campaigns, including "call back phishing", where victims are lured into calling a number provided in an email.[2][3][1] |
enterprise | T1057 | Process Discovery | Royal can use `GetCurrentProcess` to enumerate processes.[2] |
enterprise | T1021 | Remote Services | - |
enterprise | T1021.002 | SMB/Windows Admin Shares | Royal can use SMB connections to move laterally.[2] |
enterprise | T1489 | Service Stop | Royal can use the Restart Manager API `RmShutdown` to kill applications and services that hold the resources targeted for encryption.[2] |
enterprise | T1082 | System Information Discovery | Royal can use `GetNativeSystemInfo` and `GetLogicalDrives` to enumerate system processors and logical drives.[2][4] |
enterprise | T1016 | System Network Configuration Discovery | Royal can enumerate IP addresses using `GetIpAddrTable`.[2] |
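As an added example, not code from the ATT&CK page or from any of the cited reports, the following Python checks process-creation telemetry for the vssadmin shadow-copy deletion listed above under T1490. The event records and their field names (host, pid, image, cmdline) are constructed for this example and are an assumption about how a SIEM would store Sysmon Event ID 1 or Security 4688 data. The match is case-insensitive and tolerant of quoting, full paths and switch order, so a `cmd.exe /c` wrapper or `/quiet /all` instead of `/all /quiet` still triggers, while `vssadmin list shadows` or a deletion of a single shadow by ID does not.

```python
"""Detection for T1490 shadow-copy deletion via vssadmin.

Added example; not code from the ATT&CK page or the cited reports.
The sample events below are constructed and their field layout is an
assumption about how process-creation events are stored in a SIEM.
"""
import re

# Constructed sample events, not taken from any real incident.
SAMPLE_EVENTS = [
    {"host": "WS01", "pid": 4120,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "pid": 4121,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "VSSADMIN.EXE  Delete Shadows /Quiet /All"},
    {"host": "SRV02", "pid": 5210,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "SRV02", "pid": 5220,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"'},
    {"host": "WS03", "pid": 6000,
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]


def normalize_tokens(cmdline):
    """Lower-case the command line, drop quotes, split on whitespace, and
    reduce executable-looking tokens to their bare name (no path, no .exe)
    so 'C:\\Windows\\System32\\VSSADMIN.EXE' and 'vssadmin' compare equal."""
    toks = []
    for t in re.sub(r'["\']', "", cmdline).lower().split():
        t = t.rsplit("\\", 1)[-1]
        if t.endswith(".exe"):
            t = t[:-4]
        toks.append(t)
    return toks


def is_shadow_copy_deletion(cmdline):
    """True when the command line runs 'vssadmin delete shadows' with the
    /all switch, i.e. the form reported for Royal (T1490). Position of
    /quiet and /all after the verb does not matter."""
    toks = normalize_tokens(cmdline)
    if "vssadmin" not in toks:
        return False
    rest = toks[toks.index("vssadmin") + 1:]
    has_delete_shadows = any(
        rest[i] == "delete" and rest[i + 1] == "shadows"
        for i in range(len(rest) - 1)
    )
    return has_delete_shadows and "/all" in rest


def scan_events(events):
    """Return one alert dict per event whose command line deletes all
    shadow copies; events are not modified."""
    alerts = []
    for ev in events:
        if is_shadow_copy_deletion(ev["cmdline"]):
            alerts.append({
                "host": ev["host"],
                "pid": ev["pid"],
                "technique": "T1490",
                "cmdline": ev["cmdline"],
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{alert['technique']}] {alert['host']} pid={alert['pid']}: {alert['cmdline']}")
```

On the sample data this yields three alerts (pids 4120, 4121 and 5220). vssadmin has legitimate administrative uses, so in production the hit should be enriched with the parent process and nearby file-rename volume before it pages anyone; the command itself is a strong but not exclusive ransomware indicator.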
References
1. CISA. (2023, March 2). #StopRansomware: Royal Ransomware. Retrieved March 31, 2023.
2. Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023.
3. Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023.
4. Morales, N. et al. (2023, February 20). Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers. Retrieved March 30, 2023.
5. MSTIC. (2022, November 17). DEV-0569 finds new ways to deliver Royal ransomware, various payloads. Retrieved March 30, 2023.