
Royal Ransomware Targeting Critical Infrastructure

Advisory

09 Mar 2023

 

Background

Organizations in critical infrastructure sectors, including communications, education, public healthcare, and manufacturing, face an increasing threat from attacks involving Royal ransomware.

Cyber criminals rely on phishing, remote desktop protocol (RDP), exploitation of vulnerabilities in public-facing applications, and initial access brokers to gain access to targeted networks. After breaching the network, they disable security protections such as antivirus software and exfiltrate large amounts of data before deploying the ransomware and encrypting systems with the group's own custom-made file encryption program.

Royal ransomware operators do not include ransom amounts and payment instructions in their initial ransom note but instruct victims to contact them via a Tor website. Demands range from US$1 million to US$11 million in Bitcoin, depending on the targeted organization's size and the sensitivity of the stolen data.

 

Impact

  • Data and financial loss
  • Disruption of business operations and damage to the company's reputation
  • Compromised security
  • Legal and regulatory issues, depending on the nature of the data that is encrypted

 

Affected Systems

  • Windows and Linux environments

 

Mitigation

If you suspect that your system has been infected with Royal ransomware, here are some measures to follow:

  • As soon as you notice any suspicious activity, disconnect your computer from the network to prevent further encryption or damage to your data and files.
  • It is strongly advised not to pay the ransom, as there is no guarantee that the attackers will provide the decryption key even after receiving the payment. Moreover, it may encourage them to continue their malicious activities.
  • Stay vigilant and keep monitoring your network for any other suspicious activities.

 

Recommendations

  • Regularly update your operating system and other software programs to ensure that vulnerabilities are patched.
  • Install reliable antivirus software and update it regularly to detect and remove any malware infections on your computer.
  • Do not open emails or attachments from unknown or suspicious sources. Be particularly cautious of emails that appear to be from trusted sources but contain suspicious links or attachments.
  • Use strong, unique passwords for all your accounts, and avoid reusing the same password across multiple accounts.
  • Implement multifactor authentication for all services where possible, especially for email, virtual private networks, and accounts that access critical systems.
  • Keep multiple and separate backups of data. Regularly back up your important files to an external hard drive or cloud storage service. This will ensure that you have a copy of your data in case of a ransomware attack.
  • Avoid downloading software from untrusted sources.
  • Enable your computer's firewall to help protect against unauthorized access to the system.
  • Deploy network monitoring tools to help identify abnormal activity on the network; audit user accounts and disable unused ports and services.
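The behaviours described in the Background section (RDP access from outside the network, security protections being disabled, and bulk data exfiltration before encryption) are exactly the signals the network monitoring recommended above should surface. The following Python detector is an added example, not code from this advisory or its sources: it runs three such checks over a handful of constructed key=value log lines and counts how many distinct precursors fire per host. The log format, field names, internal address ranges, service name list and the 5 GiB outbound threshold are all assumptions to be replaced with your own environment's values.

```python
"""Hypothetical precursor detection for the Royal ransomware pattern described
in the advisory: external RDP logon, security service stopped, bulk outbound
transfer. Log format and thresholds are assumptions for this example."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Internal address space (assumption; substitute your own ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Outbound bytes per host that warrant an exfiltration alert (assumed tuning value).
EXFIL_THRESHOLD_BYTES = 5 * 1024 ** 3
# Services whose unexpected stop suggests protections being disabled.
# WinDefend is the Windows Defender service; extend with your EDR's service names.
SECURITY_SERVICES = {"WinDefend"}

# Constructed sample events in a made-up key=value format.
SAMPLE_LOGS = """
ts=2023-03-09T01:12:03Z host=srv01 event=logon type=rdp user=admin src=203.0.113.45 result=success
ts=2023-03-09T01:13:10Z host=srv01 event=service_stop name=WinDefend user=admin
ts=2023-03-09T01:20:00Z host=srv01 event=netflow direction=out dst=198.51.100.7 bytes=3221225472
ts=2023-03-09T01:40:00Z host=srv01 event=netflow direction=out dst=198.51.100.7 bytes=3221225472
ts=2023-03-09T08:00:00Z host=ws22 event=logon type=rdp user=jane src=10.1.4.9 result=success
ts=2023-03-09T08:05:00Z host=ws22 event=netflow direction=out dst=10.1.4.50 bytes=1048576
""".strip().splitlines()


class Alert(NamedTuple):
    host: str
    rule: str
    detail: str


def parse_line(line: str) -> Dict[str, str]:
    """Parse one space-separated key=value event line; unknown tokens are ignored."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_external(ip: str) -> bool:
    """True when the address lies outside the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(lines: List[str]) -> List[Alert]:
    """Apply the three precursor rules and return one Alert per hit."""
    alerts: List[Alert] = []
    outbound: Dict[str, int] = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        host = ev.get("host", "?")
        kind = ev.get("event")
        if kind == "logon" and ev.get("type") == "rdp" and ev.get("result") == "success":
            if "src" in ev and is_external(ev["src"]):
                alerts.append(Alert(host, "rdp_external_logon",
                                    f"user={ev.get('user')} src={ev['src']}"))
        elif kind == "service_stop" and ev.get("name") in SECURITY_SERVICES:
            alerts.append(Alert(host, "security_service_stopped",
                                f"name={ev['name']} user={ev.get('user')}"))
        elif kind == "netflow" and ev.get("direction") == "out":
            # Only traffic leaving the internal ranges counts toward exfiltration volume.
            if "dst" in ev and is_external(ev["dst"]):
                outbound[host] += int(ev.get("bytes", "0"))
    for host, total in outbound.items():
        if total >= EXFIL_THRESHOLD_BYTES:
            alerts.append(Alert(host, "bulk_outbound_transfer", f"bytes={total}"))
    return alerts


def triage(alerts: List[Alert]) -> Dict[str, int]:
    """Distinct rules fired per host; several together match the advisory's attack chain."""
    per_host: Dict[str, set] = defaultdict(set)
    for a in alerts:
        per_host[a.host].add(a.rule)
    return {host: len(rules) for host, rules in per_host.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for alert in found:
        print(alert)
    print(triage(found))
```

On the constructed input, srv01 trips all three rules (external RDP logon, Defender service stopped, 6 GiB outbound to an external address) while ws22's internal RDP session and small internal transfer produce nothing, which is the kind of per-host escalation a monitoring pipeline should prioritise.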

 

References

https://www.securityweek.com/organizations-warned-of-royal-ransomware-attacks/
https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive