Feds warn about right Royal ransomware rampage that runs the gamut of TTPs

The US Cybersecurity and Infrastructure Security Agency (CISA), which dubs itself “America’s Cyber Defense Agency”, has just put out a public service annoucement under its #StopRansomware banner.

This report is numbered AA23-061a, and if you’ve slipped into the habit of assuming that ransomware is yesterday’s threat, or that other specific cyberattacks should be at the top of your list in 2023, then it is well worth reading.

The risks you introduce by taking your eyes off the ransomware threat in 2023 to focus on the next, old-is-new-again shiny topic (ChatGPT? Cryptojacking? Keylogging? Source code theft? 2FA fraud?) are similar to the risks you would have faced if you started focusing exclusively on ransomware a few years ago, when it was the hot new fear of the day.

Firstly, you’ll often find that when one cyberthreat seems to be decreasing, the real reason is that other threats are increasing in relative terms, rather than that the one you think you’ve seen the back of is dying out in absolute terms.

In fact, the apparently increase of cybercrime X that goes along with an apparent drop in Y might simply be that more and more crooks who previously tended to specialise in Y are now doing X as well as, rather than instead of, Y.

Secondly, even when one particular cybercrime shows an absolute decline in prevalence, you’ll almost always find that there’s still plenty of it about, and that the danger remains undiminished if you do get hit.

As we like to say on Naked Security, “Those who cannot remember the past are condemned to repeat it.”

The Royal gang

The AA23-061a advisory focuses on a ransomware family known as Royal, but the key takeaways from CISA’s plain-speaking advisory are as follows:

  • These crooks break in using tried-and-trusted methods. These include using phishing (2/3 of the attacks), searching out improperly-configured RDP servers (1/6 of them), looking for unpatched online services on your network, or simply by buying up access credentials from crooks who were in before them. Cybercriminals who sell credentials for a living, typically to data thieves and ransomware gangs, are known in the jargon as IABs, short for the self-descriptive term initial access brokers.
  • Once in, the criminals try to avoid programs that might obviously show up as malware. They either look for existing administration tools, or bring their own, knowing that it’s easier to avoid suspicion in if you dress, talk and act like a local – in jargon terms, if you live off the land. Legitimate tools abused by the attackers include utilities often used for official remote access, for running administrative commands remotely, and for typical sysadmin tasks. Examples include: PsExec from Microsoft Sysinternals; the AnyDesk remote access tool; and Microsoft PowerShell, which comes preinstalled on every Windows computer.
  • Before scrambling files, the attackers try to complicate your path to recovery. As you probably expect, they kill off volume shadow copies (live Windows “rollback” snapshots). They also add their own unofficial admin accounts so they can get back in if you kick them out, modify the settings of your security software to silence alarms, take control of files that they would otherwise not be able to scramble, and mess up your system logs to make it hard to figure out later what they changed.

To be clear, you need to build up your confidence in defending against all these TTPs (tools, techniques and procedures), whether or not any particular wave of attackers are aiming to blackmail you as part of their end-game.

Having said that, of course, this Royal gang are apparently very interested indeed in the technique identified by the US government’s MITRE ATT&CK framework by the unassuming tag T1486, which is labelled with the distressing name Data Encrypted for Impact.

Simply put, T1486 generally denotes attackers who plan to extort money out of you in return for unscambling your precious files, and who aim to squeeze you harder than ever by creating as much disruption as possible, and therefore giving themselves the biggest blackmail leverage they can.

Indeed, the AA23-061a bulletin warns that:

Royal [ransomware criminals] have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin.

And, just to be clear, they typically steal (or, more precisely, take unauthorised copies of) as much of your data as they can before freezing up your files, for yet more extortion pressure:

After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems.

What to do?

Crooks like the Royal gang are known in the jargon as active adversaries, because they don’t just fire malware at you and see if it sticks.

They use pre-programmed tools and scripts wherever they can (the criminals love automation as much as anyone), but they give individual attention to each attack.

This makes them not only more adaptable (they’ll change their TTPs at a moment’s notice if they spot a better way to do worse things), but also more stealthy (they’ll adapt their TTPs in real time as they figure out your defensive playbook).

  • Learn more by reading our Active Aversary Playbook, a fascinating study of 144 real-life attacks by Sophos Field CTO John Shier.


go top