Written by Doel Santos, Daniel Bunce, and Anthony Galiette
Unit 42 has published a blog post detailing the Royal ransomware group, which has recently been involved in high-profile attacks leveraging multi-extortion tactics against critical infrastructure, including healthcare and manufacturing. Unlike other major ransomware groups (e.g., LockBit 3.0) that operate on a RaaS model by hiring affiliates to promote their services, this group operates behind closed doors and comprises former members of the notorious Conti ransomware group.
It is important to note that the impact of Royal ransomware extends beyond financial losses to small businesses and corporations. Since 2022, Unit 42 has observed this group impacting local government entities in the US and Europe; most recently, the group attacked the city of Dallas. In the last 9 months, Unit 42 incident responders have responded to over a dozen cases involving Royal ransomware.
Below are some additional facts about the group from Unit 42’s findings:
- Since 2022, Royal ransomware has claimed responsibility for impacting 157 organizations on their leak site.
- They have impacted 14 organizations in the education sector, including school districts and universities. In the first few days of May 2023 alone, the group impacted four educational institutions.
Royal ransomware has been involved in high-profile attacks against critical infrastructure, especially healthcare, since it was first observed in September 2022. Bucking the popular trend of hiring affiliates to promote their threat as a service, Royal ransomware operates as a private group made up of former members of Conti.
The Unit 42 team has observed this group compromising victims through a BATLOADER infection, which threat actors usually spread through search engine optimization (SEO) poisoning. This infection involves dropping a Cobalt Strike Beacon as a precursor to the ransomware execution. Unit 42 incident responders have participated in 15 cases involving Royal ransomware in the last 9 months.
Royal ransomware also expanded its arsenal by developing an ELF variant to impact Linux and ESXi environments. The ELF variant is quite similar to the Windows variant, and the sample does not contain any obfuscation. All strings, including the RSA public key and the ransom note, are stored as plain text.
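Because the ELF variant keeps its RSA public key and ransom note unobfuscated, a plain `strings`-style scan is enough to surface those artefacts during static triage. The following Python script is an added illustration of that point and is not code from the Unit 42 post; it assumes the embedded key is PEM-encoded and that the note uses common ransom phrasing (both assumptions, not stated on the page), and the sample bytes it scans are constructed for the example rather than taken from a real binary.

```python
"""
Static triage helper (added example): extract printable strings from a binary
and flag plaintext artefacts a defender would look for, namely an embedded
PEM public key and ransom-note phrasing.

Assumptions not stated on the page: the key is PEM-encoded, and the note
contains ordinary ransom phrases. SAMPLE below is constructed, not a real file.
"""
import re

# PEM block for a public key (assumed format; both common labels are accepted).
_PEM_RE = re.compile(
    rb"-----BEGIN (?:RSA )?PUBLIC KEY-----(.*?)-----END (?:RSA )?PUBLIC KEY-----",
    re.DOTALL,
)

# Phrases a ransom note commonly contains (constructed heuristic list).
RANSOM_MARKERS = (b"your files", b"encrypted", b"decrypt", b".onion", b"ransom")


def extract_strings(data: bytes, min_len: int = 8) -> list:
    """Return runs of at least min_len printable-ASCII bytes, in file order,
    the same way the `strings` utility would."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0) for m in pattern.finditer(data)]


def find_pem_public_keys(data: bytes) -> list:
    """Return the base64 body (whitespace removed) of every PEM public-key block."""
    return [re.sub(rb"\s+", b"", m.group(1)) for m in _PEM_RE.finditer(data)]


def ransom_note_hits(data: bytes) -> list:
    """Return the marker phrases present in the data (case-insensitive)."""
    lowered = data.lower()
    return [marker for marker in RANSOM_MARKERS if marker in lowered]


def triage(data: bytes) -> dict:
    """Summarise plaintext findings; 'suspicious' requires a key AND note phrasing,
    so a lone PEM key (normal in many legitimate binaries) does not trip it."""
    keys = find_pem_public_keys(data)
    hits = ransom_note_hits(data)
    return {
        "is_elf": data[:4] == b"\x7fELF",
        "pem_public_keys": len(keys),
        "ransom_markers": hits,
        "suspicious": bool(keys) and len(hits) >= 2,
    }


# Constructed sample: ELF magic, filler bytes, a PEM-shaped key, and a note line.
SAMPLE = (
    b"\x7fELF" + b"\x00" * 12
    + b"-----BEGIN PUBLIC KEY-----\n"
    + b"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\n"
    + b"AAAAB3NzaC1yc2EAAAADAQAB\n"
    + b"-----END PUBLIC KEY-----\n"
    + b"\x01\x02"
    + b"Your files have been encrypted. Contact us to decrypt them.\n"
)

if __name__ == "__main__":
    for s in extract_strings(SAMPLE):
        print(s.decode("ascii"))
    print(triage(SAMPLE))
```

Requiring both a key and note phrasing keeps the check from flagging the many benign binaries that embed a public key for update verification; a sample that packs or encrypts its strings would defeat this scan entirely, which is exactly why the absence of obfuscation noted above matters to defenders.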