Insights, news, education and announcements from PolySwarm

Royal Ransomware

Written by PolySwarm Tech Team | Dec 1, 2022 6:22:05 PM



Executive Summary

Microsoft recently reported on Royal ransomware, a ransomware family used by the threat actor DEV-0569

Key Takeaways

  • Royal ransomware is a 64-bit executable written in C++ that targets Windows systems.
  • Royal is used by multiple threat actors, including DEV-0569.
  • DEV-0569 is a financially motivated threat actor that uses malvertising, phishing, and malicious downloaders to spread malware.

What is Royal?

Royal ransomware is a ransomware family used by the threat actor group DEV-0569. Royal was first seen in the wild in early 2022 and is in use by multiple threat actor groups. It is a 64-bit executable written in C++ that targets Windows systems. Royal uses the OpenSSL library to encrypt files to AES standard. It appends the .royal extension to encrypted files. DEV-0569 delivers Royal using human-operated ransomware attacks. The threat actors gain access to compromised networks using BATLOADER to deliver a Cobalt Strike Beacon.

Who is DEV-0569?

At present, the identity and location of DEV-0569 threat actors have not been determined by industry researchers. We know they are a financially motivated threat actor group that likely serves as an initial access broker for other threat actors. DEV-0569 attacks typically begin with malicious ads, forum posts, blog comments, or phishing emails that deliver malicious links. The links lead to malicious files signed by the threat actor using legitimate certificates. DEV-0569 uses malvertising, phishing links, and malicious downloaders masquerading as installers or updates to spread malware. The group has also been observed using VHD files that impersonate legitimate software to facilitate the delivery of first-stage payloads.

Microsoft noted the group has begun using contact forms on a target organization’s websites to deliver phishing links, hosting fake installer files on sites that seem legitimate download sites, and expanding their malvertising technique by using Google Ads to blend in with regular ad traffic. These tactics give DEV-0569 the capability to reach more targets with the intended payloads. Dev-0569 is known to employ defensive evasion techniques and uses Nsudo to disable antivirus. The group typically uses the services of other malicious actors that deliver malware payloads as a service.

IOCs

PolySwarm has multiple samples of Royal.

F484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429

9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926

You can use the following CLI command to search for all Royal samples in our portal:

$ polyswarm link list -f Royal


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports
View full post