FBI and CISA Issue Joint Security Advisory on Royal Ransomware Operations


November 22, 2023

World map

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issues a joint security advisory detailing the most recently observed Royal ransomware IOCs and TTPs.  

“Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded 275 million USD. Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid,” the alert states (PDF).  

“After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems. Royal actors have made ransom demands ranging from approximately $1 million to $11 million USD in bitcoin.”

Takeaway: Royal is a RaaS that has been active since September 2022 but has quickly become one of the more concerning ransomware operations despite showing a slight reduction in activity in Q3 of 2023.  

Royal deletes shadow copies to thwart recovery by way of rollbacks and opts for partial encryption for larger files for speed and to evade detection. The Royal RaaS platform has expanded beyond targeting Windows installations to include attacks on systems running Linux and now targets VMWare ESXi servers.  

Assessments indicate Royal continues to invest heavily in development, expanding their operations and capabilities. The RaaS platform includes advanced security evasion and anti-analysis capabilities. The platform previously employed an encryptor from BlackCat/ALPHV but shifted to using a new encryption module dubbed Zeon.

Royal also employs a range of exploitation tactics including using Nsudo, PowerShell, PCHunter, Process Hacker, GMER, or PowerTool, and batch scripts to evade security tools.  

Royal has been observed compromising cloud services, abusing legitimate TLS certificates, deploying CobaltStrike, and leveraging QakBot prior to the botnet’s takedown. Royal has also been observed employing Goz and Vidar malware variants.

Royal tends to target critical infrastructure sectors including the Manufacturing, Communications, Healthcare, and Education sectors, with a focus on small to medium-sized organizations.

Royal ransom demands range between $1 million and $11 million dollars. The gang famously attacked the City of Dallas, disrupting emergency services and other critical operations, and ultimately costing the municipality upwards of $10 million dollars to recover from the attack.  

Other notable victims include City of Dallas, Unisco, Curry County, Clarke County Hospital, Penncrest School District, ZooTampa, Silverstone Formula One Circuit, Reventics LLC.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.