External reports mention that one of the arrival methods of Royal Ransomware is via the Callback Phishing scam where victims are tricked into installing remote desktop software. This method is similar to the techniques used by the Conti group.
T1566 - Phishing
T1059 - Command and Scripting Interpreter
T1562.001 - Impair Defenses: Disable or Modify Tools
T1112 - Modify Registry
T1069 - Permission Groups Discovery: Domain groups
T1018 - Remote System Discovery
T1567 - Exfiltration Over Web Service
T1570 - Lateral Tool Transfer
T1095 - Non-Application Layer Protocol
T1490 - Inhibit System Recovery
T1486 - Data Encrypted for Impact
Security teams should watch for the following malware and tools, which are typically used in Royal ransomware attacks:
Backed by threat actors from Conti, Royal ransomware is poised to wreak havoc in the threat landscape after becoming one of the most prolific ransomware groups within three months of first being reported. Combining new and old techniques and quick to evolve, Royal poses a high-stakes threat to enterprises. Organizations are advised to stay vigilant against such threats.
To protect systems against Royal ransomware and other similar threats, organizations can implement security frameworks that allocate resources systematically to establish a strong defense strategy.
Here are some best practices that organizations can adopt to defend against Royal ransomware:
A multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can in turn help protect enterprises.
Trend Vision One customers can use the following hunting query to check if their network/system is possibly affected by Royal ransomware:
(processCmd:"?:*\\psexec.exe" AND objectFilePath:"*.exe*-id *") OR fullPath:"*.royal_?"
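The hunting query above, as an added example that is not from the page or from Trend Micro's product: a small Python evaluator that applies the same three wildcard patterns to constructed telemetry records. It assumes each field is matched as a case-insensitive glob over the whole value, with `*` matching any run and `?` exactly one character; field semantics and the sample hosts and paths are assumptions, not real indicators.

```python
import fnmatch

# Patterns taken from the page's hunting query. The doubled backslash in the
# query is string escaping, so the real pattern holds a single backslash,
# which fnmatch treats as a literal character.
PSEXEC_CMD = r"?:*\psexec.exe"
PSEXEC_ARGS = "*.exe*-id *"
ROYAL_FILE = "*.royal_?"


def glob_match(value, pattern):
    """Case-insensitive whole-value glob: '*' = any run, '?' = exactly one char."""
    if value is None:  # field absent from this record
        return False
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def matches_royal_hunt(record):
    """Evaluate the page's query against one telemetry record (a dict)."""
    psexec_hit = (glob_match(record.get("processCmd"), PSEXEC_CMD)
                  and glob_match(record.get("objectFilePath"), PSEXEC_ARGS))
    royal_ext = glob_match(record.get("fullPath"), ROYAL_FILE)
    return psexec_hit or royal_ext


def hunt(records):
    """Return the ids of all records the query would flag."""
    return [r["id"] for r in records if matches_royal_hunt(r)]


# Constructed sample telemetry (hypothetical hosts and paths, not real IoCs).
SAMPLE_RECORDS = [
    # PsExec launched with an "-id" argument: matches the first clause.
    {"id": "evt-1", "processCmd": r"C:\Windows\Temp\PsExec.exe",
     "objectFilePath": r"C:\Windows\Temp\svc.exe -id ab12 -s cmd.exe"},
    # Encrypted file with a one-character suffix after ".royal_": matches.
    {"id": "evt-2", "fullPath": r"C:\Users\alice\Documents\q3-report.docx.royal_w"},
    # PsExec without "-id": the AND clause fails, so no hit.
    {"id": "evt-3", "processCmd": r"C:\Tools\PsExec.exe",
     "objectFilePath": r"C:\Tools\svc.exe -s cmd.exe"},
    # ".royal_" with nothing after it: '?' needs exactly one char, so no hit.
    {"id": "evt-4", "fullPath": r"C:\Users\alice\notes.royal_"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_RECORDS))  # → ['evt-1', 'evt-2']
```

Records evt-3 and evt-4 show the two near-misses an analyst should expect: a PsExec run without the `-id` argument and a `.royal_` name with no trailing character both fall outside the query.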