Royal Ransomware

Phishing: The most prevalent initial access vector. This includes malicious attachments (often PDFs) and links to malicious websites (malvertising) embedded in emails. To prevent this, consider implementing email authentication.

Remote Desktop Protocol (RDP) Compromise: The second most common vector, accounting for a significant portion of incidents (around 13.3%). This often involves brute-forcing or using stolen RDP credentials.

Public-Facing Application Exploitation: Exploiting vulnerabilities in internet-facing applications.

Initial Access Brokers: BlackSuit actors may leverage initial access brokers to gain initial access. Source traffic has been seen by harvesting VPN credentials from stealer logs. A VPN kill switch can mitigate this risk.

After gaining access, BlackSuit actors communicate with C2 infrastructure to download additional tools.

Legitimate Windows software is repurposed (e.g., for lateral movement), and open-source projects are used.

Historically, Royal actors have leveraged Chisel, SSH clients (PuTTY, OpenSSH), and MobaXterm to communicate with C2.

Lateral Movement: BlackSuit actors, like Royal actors before them, utilize RDP, PsExec and SMB for lateral movement within the compromised network.

Persistence: BlackSuit actors use legitimate remote monitoring and management (RMM) software for maintaining persistence. What are RMM tools?

Additional Malware: Use SystemBC and Gootloader to load addition tools and maintain persistence.

Network Enumeration: BlackSuit actors use tools like SharpShares and SoftPerfect NetWorx for network discovery.

Credential Access: Tools like Mimikatz and password harvesting tools from Nirsoft are often found on compromised systems.

Process Killing: PowerTool and GMER are used to kill system processes.

Exfiltration Tools: Legitimate penetration testing tools (e.g., Cobalt Strike) and malware derivatives (e.g., Ursnif/Gozi) are used for aggregating and exfiltrating data. A SIEM can detect this unusual activity.

Hop Point: First hop in exfiltration is usually a U.S. IP address.

Additional Tools BlackSuit actors have used RClone and Brute Ratel for exfiltration. Consider understanding the IOC.

Partial Encryption: BlackSuit utilizes a unique partial encryption approach for speed and evasion. It can encrypt a specific percentage of a file, making detection more challenging.

Windows Restart Manager: Uses the Windows Restart Manager to check if files are in use, similar to Conti, Babuk, and LockBit.

Shadow Copy Deletion: Deletes shadow copies using vssadmin.exe to prevent easy recovery.

Batch Scripts: Uses batch files to create new administrator users, force group policy updates, set registry keys for auto-extraction, execute the ransomware, monitor the encryption process, and delete event logs.

File Extensions: Encrypted files receive a specific extension (e.g., .royal for older Royal infections, and a specific extension for BlackSuit – check the latest IOCs).

Malicious File Locations: Malicious files are found in C:\Temp\, C:\Users\<user>\AppData\Roaming\, C:\ProgramData\, and C:\.

User Training: Implement comprehensive security awareness training to educate users about phishing techniques, including identifying malicious emails, attachments, and links.

Email Security Gateways: Deploy robust email security gateways with advanced threat detection capabilities, including sandboxing and URL filtering.

Email Authentication: Implement SPF, DKIM, and DMARC to prevent email spoofing. What is SPF?

Disable RDP if Not Needed: If RDP is not essential, disable it entirely.

Strong Passwords and MFA: Enforce strong, unique passwords for all RDP accounts and mandate multi-factor authentication (MFA), preferably phishing-resistant MFA.

Network Level Authentication (NLA): Enable NLA to require authentication before an RDP session is established.

Account Lockout Policies: Implement strict account lockout policies to prevent brute-force attacks.

Restrict Access: Limit RDP access to specific IP addresses or networks using firewall rules.

Regular Scanning: Conduct regular vulnerability scans to identify and prioritize vulnerabilities, especially in public-facing applications.

Patching: Implement a robust patch management process, prioritizing the patching of known exploited vulnerabilities (KEVs).

Isolate Critical Systems: Segment the network to limit the lateral movement of attackers. Isolate critical systems and data from less critical parts of the network.

Deploy EDR: Deploy an EDR solution on all endpoints to monitor for malicious activity, including ransomware behavior.

Behavioral Analysis: Configure EDR to detect and block anomalous behavior, such as unusual file encryption activity or attempts to delete shadow copies.

Principle of Least Privilege: Enforce the principle of least privilege, granting users only the minimum necessary access rights.

Account Auditing: Regularly audit Active Directory accounts for new or unrecognized accounts and excessive privileges.

Regular Backups: Implement a robust backup and recovery plan, including regular backups of critical data.

Offline Backups: Store backups offline and offsite, preferably encrypted and immutable, to protect them from ransomware attacks.

Test Backups: Regularly test the backup and recovery process to ensure its effectiveness.

Develop and Test: Develop and regularly test an incident response plan specifically for ransomware attacks. Why do you need a CIRP?

Containment and Eradication: The plan should include procedures for containing the spread of ransomware, eradicating the malware, and recovering data.

Disable by Default: Disable macros by default for Microsoft Office applications, permitting them only for trusted sources.

Restrict the use of command-line interfaces and scripting languages to authorized users and specific use cases.

Implement time-based or just-in-time (JIT) access to resources, especially for privileged accounts.