Conti associated with Royal ransomware.
N2K, Dec 23, 2022

Conti, or at least its alumni, may be coming out of occultation.

Researchers at Trend Micro have published a report on the relatively new Royal ransomware. Royal attacks are being launched by a sophisticated gang that used to operate the now (apparently) defunct Conti ransomware.

Callback phishing used to deliver ransomware.

Royal ransomware first surfaced in September 2022, and the vast majority of its attacks have targeted entities in the US and Brazil. The threat actor uses “callback phishing,” a social engineering technique in which the attacker poses as technical support and instructs the victim over the phone to install remote desktop software. The threat actors also exfiltrate data before executing the ransomware:

“Our investigation found that the ransomware actors used a compiled remote desktop malware, which was used to drop the tools they needed to infiltrate the victim’s system: they used QakBot and Cobalt Strike for lateral movement, while NetScan was used to look for any remote systems connected to the network. Once they infiltrated the system, the ransomware actors used tools such as PCHunter, PowerTool, GMER, and Process Hacker to disable any security-related services running in the system. They then exfiltrate the victim’s data via the RClone tool. We also observed an instance in which they used AdFind to look for active directories, then executed RDPEnable on the infected machine.”
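A defender-side illustration of how the tool chain quoted above can be surfaced in endpoint telemetry, added here as an example and not taken from the Trend Micro report or this article: it groups the tools the report names by the role the report gives them and alerts on a host that runs tools from two or more roles within a time window. The .exe file names and the Sysmon-style process-creation lines are constructed assumptions, not values from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
LINE_RE = re.compile(r"^(\S+) host=(\S+) image=(.+)$")

# Tools the report names, grouped by the role it gives them. The .exe file names
# are assumptions (the report names tools, not binaries); adapt to your telemetry.
TOOL_STAGES = {
    "netscan.exe": "discovery", "adfind.exe": "discovery", "rdpenable.exe": "discovery",
    "pchunter64.exe": "defense_evasion", "powertool64.exe": "defense_evasion",
    "gmer.exe": "defense_evasion", "processhacker.exe": "defense_evasion",
    "rclone.exe": "exfiltration",
}

# Constructed Sysmon-style process-creation lines (not from the report).
SAMPLE_LOG = """\
2022-11-02T09:58:11 host=WS-17 image=C:\\Windows\\System32\\svchost.exe
2022-11-02T10:01:40 host=WS-17 image=C:\\Users\\Public\\netscan.exe
2022-11-02T10:14:05 host=WS-17 image=C:\\Users\\Public\\AdFind.exe
2022-11-02T10:22:51 host=WS-17 image=C:\\Temp\\PCHunter64.exe
2022-11-02T11:40:19 host=WS-17 image=C:\\Temp\\rclone.exe
2022-11-02T10:03:00 host=WS-22 image=C:\\Program Files\\Rclone\\rclone.exe
2022-11-03T14:00:00 host=WS-31 image=C:\\Tools\\gmer.exe
"""

def parse(line):
    """Return (timestamp, host, lower-case image basename), or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, image = m.groups()
    return datetime.fromisoformat(ts), host, image.replace("\\", "/").rsplit("/", 1)[-1].lower()

def correlate(log_text, window=timedelta(hours=6), min_stages=2):
    """Map host -> ordered roles for hosts that ran tools from >= min_stages distinct
    roles inside `window`. A lone rclone.exe (legitimate backups) does not alert."""
    events = defaultdict(list)
    for ts, host, tool in filter(None, map(parse, log_text.splitlines())):
        if tool in TOOL_STAGES:
            events[host].append((ts, TOOL_STAGES[tool]))
    alerts = {}
    for host, evs in events.items():
        evs.sort()  # order by timestamp so each window scan is a forward slice
        for i, (start, _) in enumerate(evs):
            stages = list(dict.fromkeys(s for t, s in evs[i:] if t - start <= window))
            if len(stages) >= min_stages:
                alerts[host] = stages
                break
    return alerts
```

Run against SAMPLE_LOG, only WS-17 alerts, with discovery, defense evasion and exfiltration tooling seen inside the six-hour window; the isolated rclone.exe on WS-22 and gmer.exe on WS-31 do not.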

Trend Micro predicts that the Royal ransomware operators will increase their activity in the coming months.