Reconstructing the last activities of Royal Ransomware 

Introduction

Royal Ransomware is a new group first spotted on Bleeping Computer last September, where the cybersecurity news site revealed a connection with another malware known as Zeon.  

At the moment, we don’t have much information about the group and all its actual TTPs, but we know that they use the Double Extortion model to threaten the victims, as stated inside the ransom note. 

About Royal Ransomware Group 

The Cyber intelligence community has proof that the group started its malicious activities since January, with other ransomware payloads. So, we can say they started their malicious career as affiliated with other Ransomware-as-a-Service providers. But it only the last two months, it started to apply the Double Extorsion model, with an ad-hoc website in the Dark Web. 

During its existence, it seems that the ransomware group didn’t adopt the Ransomware-as-a-Service model to recruit other affiliates to infect victims. The reason might be that the core team wants initially to create a malicious “brand positioning” inside the threat landscape. 

At the same time, we don’t know which toolkit is used to implement the exfiltration capability. We don’t know if the group uses some custom malware, or if it leverages public storage platforms, such as Mega, Dropbox, etc. 

Technical Analysis

We managed to obtain a recent specimen of this threat and analyzed its features and malicious capabilities, in order to create signatures and provide technical insight to better detection. 

Tha analyzed sample has the following static information: 

Royal Ransomware is written in C/C++ and it is launched by command line. That behavior suggests that there is a previous and totally human-operated intrusion performed by a pen-testing team, which gained access to the internal network and performed privilege escalation and lateral movement operation. 

When the executable is launched, it needs three parameters, otherwise the infection doesn't start: 

We constructed a table with the three parameters found inside the sample and we provide a small description of that:  

After that, the sample starts the preparation of the ransomware operation by deleting the shadow copies: 

Then, the malware starts the preparation for the encryption processes, by creating the lists of the elements to be excluded during the fetching of files and folders. For the files’ extensions, the exclusions are: 

.exe,.dll,.bat,.lnk,.royal, 

Instead, for the folders exclusion there are the following:  

windows, royal, $recycle.bin, google, perflogs, mozilla, tor browser, boot, $windows.~ws, $windows.~bt, windows.old 

Royal Ransomware has also the capability to infect and encrypt the shared resources inside the internal network. It uses the NetShareEnum seeking the “ADMIN$” and “IPC$” records and then, it proceeds to encrypt the files contained inside the shared folders

At this point, we have the encryption phase. Royal Group uses a mixture of RSA and AES algorithms. The RSA public Key is hardcoded in the sample, and it is easy to retrieve that: 

In the following scheme, we highlight the encryption routine and the result of the encryption of a test file: 

The encryption routine is assisted by the OpenSSL library. An AES key is randomly generated and then it is protected with the RSA public key. In this way, the ransomware operator the encryption conserves the RSA private key to decrypt the original AES key and then the files could be restored. 

Conclusion

The market of cyber extorsion is still growing and other threat actors are riding the wave of the most infamous 2022 trend. The case Royal Ransomware Group is representative because it started by adopting the affiliation on the RaaS market, and when they reached an appropriate expertise and experience, it created an independent group with a “proprietary” ransomware payload. 

As stated, at the moment we have no proof they adopt the Ransomware-as-a-Service model, but the group is formed only by talented pen-testers and malware developers aimed at making money through the Double Extorsion model. However, this doesn't mean that in the near future the group will reach such a maturity that they will be capable of implementing the RaaS model. 

Indicators of Compromise

• 9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926 
• c24c59c8f4e7a581a5d45ee181151ec0a3f0b59af987eacf9b363577087c9746 
• 5fda381a9884f7be2d57b8a290f389578a9d2f63e2ecb98bd773248a7eb99fa2 
• 312f34ee8c7b2199a3e78b4a52bd87700cc8f3aa01aa641e5d899501cb720775 
• 491c2b32095174b9de2fd799732a6f84878c2e23b9bb560cd3155cbdc65e2b80 
• 2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f 
• f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429 
• 7cbfea0bff4b373a175327d6cc395f6c176dab1cedf9075e7130508bec4d5393 

Yara Rules

rule royal_ransomware {

meta:
   author = "Yoroi Malware ZLab"
   description = "Rule for Royal Ransomware"
   last_updated = "2022-11-09"
   tlp = "WHITE"
   category = "informational"

strings:
   // x32
   $1 = {8d 84 ?? ?? ?? ?? ?? 50 ff 15 ?? ?? ?? ?? 83 f8 20 74 ?? 6a 00 ff 15 ?? ?? ?? ??}
   $2 = {68 ?? ?? ?? ?? ff 30 89 44 ?4 20 ff 15 ?? ?? ?? ?? 85 c0 75 ?? 8b 44 ?4 10 46 8b 0c b0 89 4c ?4 1c e9 ?? ?? ?? ?? 8b 44 ?4 18 68 ?? ?? ?? ?? ff 30 ff 15 ?? ?? ?? ??}
   // x64
   $3 = {4? 8d ?? ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 83 f8 20 74 ?? 33 c9 ff 15 ?? ?? ?? ??}
   $4 = { 4? 8d 15 ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 85 c0 75 ?? 4? 8b 7b 08 ff c6 4? 83 c3 08 e9 ?? ?? ?? ?? 4? 8b 0b 4? 8d 15 ?? ?? ?? ?? ff 15 ?? ?? ?? ??}

condition:
    (($1 and $2) or ($3 and $4)) and uint16(0) == 0x5A4D
}

This blog post was authored by Luigi Martire, Carmelo Ragusa of Yoroi Malware ZLAB