CISA Alert AA23-061A – #StopRansomware: Royal ransomware.

This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Three tack Zero Six One Alpha.

​Original release date: March 2nd, 2023.

CISA and FBI are releasing this joint advisory to disseminate known Royal ransomware IOCs and TTPs identified through recent FBI threat response activities.

Since approximately September 2022, cyber criminals have compromised U.S. and international organizations with a Royal ransomware variant. FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used “Zeon” as a loader.

After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems. Royal actors have made ransom demands ranging from approximately $1 million to $11 million in Bitcoin. 

In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a dot onion URL. Royal actors have targeted numerous critical infrastructure sectors including Manufacturing, Communications, Healthcare and Public Healthcare, and Education.

FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this alert to reduce the likelihood and impact of ransomware incidents. The alert documentation linked in the show notes includes additional technical details, IOCs, malicious actor TTPs, recovery guidance, mitigations, and response recommendations. Recorded Future, Coveware, Digital Asset Redemption, Q6, and RedSense contributed to this advisory.

To report incidents and anomalous activity or to request incident response resources or technical assistance, contact CISA at report@cisa.gov, call (888) 282-0870, or report incidents to your local FBI field office.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.