Fraud Management & Cybercrime , Ransomware

Royal Ransomware Group Builds Its Own Malware Loader

Malware Designed to Load Crypto-Lockers Remains Key Tool for Ransomware Groups
Royal Ransomware Group Builds Its Own Malware Loader
Photo: JD Hancock via Flickr/CC

Russian-speaking ransomware groups that emerged from the dissolution of the notorious Conti group appear to draw inspiration from each other and maintain close collaboration among themselves.

See Also: The Cost of Underpreparedness to Your Business

In particular, the Royal ransomware group, which spun off from Conti in early 2022, is refining its downloader malware using tactics and techniques that appear to draw directly from other post-Conti groups, says Yelisey Bohuslavskiy, chief research officer at threat intelligence firm Red Sense.

Downloaders are designed to infect an endpoint and install additional malicious functionality on demand. Conti-wielding attackers, researchers found, remained keen users of many different types of downloaders, including Emotet, IcedID and QBot.

Lately, Royal has been building its own loader. Bohuslavskiy says notable characteristics of the malware are its small size - less than 250KB - and singular purpose, which is to deploy Cobalt Strike and create an immediate connection to a Royal command-and-control server, which Royal's chief developer has claimed in online chats is a design feature.

"Notably, the loader does not embed a cryptor module or function, a feature the chief coder said gives end users the flexibility to incorporate their preferred cryptors, Bohuslavskiy said in a LinkedIn post.

Post-Conti Group

Royal emerged in early 2022 as one of a number of post-Conti spinoffs, including Alphv/BlackCat, AvosLocker, Black Basta, HelloKitty, Quantum, Roy/Zeon and Silent Ransom.

Royal initially employed ransomware built by other groups. Since last September, it began wielding its own strain of crypto-locking malware, which appends .royal to encrypted filenames.

Bohuslavskiy said Royal's attacks are perpetrated by small teams - four or five people operating in a very "hierarchical and corporate" manner - with the organization counting "between 50 and 60 people" as active participants, although the overall structure is complicated. He perceives at least two centers of power, in the form of the former Conti Team 2 that became the Quantum group and serves as an administrative division, as well as a separate technical division. Each division's remit overlaps heavily.

Attacks are conducted both by the Ransom group as well as by sharing the locker with trusted individuals "based on previously established personal connections - ex-Conti, REvil and ex-Hive" - who borrow the Royal locker, Bohuslavskiy told Information Security Media Group. Royal-wielding attackers also work with many other services, such as Emotet and IcedId/Anubis, as well as other individuals in the post-Conti orbit.

Royal-wielding attackers gain initial access to a victim, including through spam and phishing campaigns, working with initial access brokers, exploiting known vulnerabilities and accessing poorly secured remote desktop protocol connections.

The group has hit a variety of sectors with abandon, including critical infrastructure sectors such as healthcare, education and manufacturing, the FBI and the Cybersecurity and Infrastructure Security Agency warned in a March advisory.

"Royal actors exfiltrate data from victim networks by repurposing legitimate cyber pentesting tools, such as Cobalt Strike, and malware tools and derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration," the agencies said. "After gaining access to victims' networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems."

Initial ransom demands often range from $1 million to $11 million, payable in bitcoin.

Social Engineering Campaign

In March, Red Sense reported that more than 1,000 organizations appeared to have been targeted by a social-engineering scheme concocted by Royal. The campaign emailed organizations claiming they'd fallen victim to the Midnight ransomware group and sent them a file purportedly containing a list of what had been stolen, the researchers said.

In reality, the file was a version of the Royal malware loader, designed to give attackers entree into the victim's network, allowing them to exfiltrate data and crypto-lock systems (see: Fake Data Theft Proof Leads to Royal Ransomware Outbreak).

Royal borrows heavily from strategies proven to work. Like Qbot - aka Qakbot - Royal's loader is designed to evade antivirus "by leveraging a high-trust DLL without obfuscation," as well as to exploit a Microsoft Windows print spooler vulnerability tracked as CVE-2022-41073 to escalate privilege after gaining initial access - while also incorporating "key functionality" from Anubis, a version of IcedID that was further weaponized by Conti, Bohuslavskiy said.

The use of a trusted DLL recalls Qbot last year exploiting various privilege escalation flaws, including in the Windows 7 calculator and later the Windows 10 Control Panel, to load and execute a malicious DLL file containing its downloader, as Bleeping Computer reported.

One repeat user of Qbot is another Conti-spinoff ransomware group, Black Basta, which has been infecting systems with the downloader and using it to install Cobalt Strike as well as the similar Brute Ratel tool.

Bohuslavskiy said it's not clear if Black Basta is now the sole user or owner or Qbot - criminal chatter suggests the Clop group may also be using it - but access appears to have become restricted, which has likely driven groups such as Royal to develop their own loaders.

As that highlights, many ransomware groups' playbooks include proven attack strategies that have been paying illegal dividends for years, even if the names of the groups themselves - or their tools - continue to change.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.