New Royal Ransomware emerges in multi-million dollar attacks, CallBack, Data Exfiltration, Exploit, Ransomware, Royal Group, Zeon

A new ransomware operation named Royal is quickly ramping up, targeting corporations with ransom demands ranging from $250,000 to over $2 million.

Royal, aka Royal Zeon, is a relatively new operation that launched in June 2022 and consists of a group of vetted and experienced ransomware actors from previous operations.

Unlike most active ransomware operations, Royal does not operate as a Ransomware-as-a-Service but is instead a private group without affiliates.

Vitali Kremez, CEO of AdvIntel, told BleepingComputer that the group used other ransomware operations' encryptors, such as LockBit and BlackCat, when it first started.

Soon after, the cybercrime enterprise began using its own encryptors, the first being Zeon [Sample], which generated ransom notes very similar to Conti’s.

Zeon ransom note Source: BleepingComputer

However, since the middle of September 2022, the ransomware gang has switched to the ‘Royal’ alias and began using that name in ransom notes generated by a new encryptor.

How Royal breaches their victims

Since June, Royal Zeon has kept a low profile, running no data leak site and keeping news of its attacks quiet.

However, as the gang became more active this month, victims have begun reporting attacks to BleepingComputer, and a sample was uploaded to VirusTotal.

In conversations with Kremez and a victim, BleepingComputer has created a better picture of how the gang operates.

According to Kremez, the Royal Zeon group uses targeted callback phishing: emails that impersonate food delivery services or software providers and pose as notices of a subscription renewal.

The emails list a phone number the recipient can call to cancel the supposed subscription; in reality, the number belongs to a call service hired by the threat actors.

Example of a Royal Zeon callback phishing email Source: AdvIntel

When a victim calls the number, the threat actors use social engineering to convince the victim to install remote access software, which is used to gain initial access to the corporate network.
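The callback-phishing pattern described above (a billing or renewal lure, a phone number as the way to dispute it, and nothing to click) is something a mail gateway can screen for. The following is an added example written for this page, not code from BleepingComputer, AdvIntel or any mail-security product; the two messages are constructed samples, and the keyword lists, weights and threshold are assumptions to be tuned on real mail.

```python
import re

# Two constructed sample messages used to exercise the heuristic. Neither is a real
# phishing mail; addresses use reserved example/invalid domains and a fictional number.
CALLBACK_PHISH = {
    "subject": "Your Premium subscription has been renewed - $399.99",
    "sender": "billing@example-invoices.invalid",
    "body": (
        "Thank you for renewing your annual plan. Your card will be charged $399.99.\n"
        "If you did not authorize this charge or wish to cancel, call our support line\n"
        "at +1 (555) 010-0199 within 24 hours."
    ),
}

BENIGN_NEWSLETTER = {
    "subject": "This week's product updates",
    "sender": "news@example.com",
    "body": (
        "Here is what we shipped this week. Read the full notes at https://example.com/blog\n"
        "Manage your preferences: https://example.com/prefs"
    ),
}

# Loose phone-number shape: optional +, a digit, 7+ digits/separators, a final digit.
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
LURE_WORDS = ("subscription", "renew", "invoice", "charged", "payment", "trial")
ACTION_WORDS = ("call", "cancel", "dial", "contact us at", "support line")
# Assumed alert threshold; weights below are assumptions too. Tune on your own corpus.
THRESHOLD = 4


def score_callback_phish(msg):
    """Return (score, reasons) for one message dict with subject/sender/body keys.

    What separates a callback phish from ordinary billing mail is the combination:
    a charge or renewal the reader did not expect, a phone number as the way to
    dispute it, and no link at all. Each observed trait adds to the score.
    """
    text = f"{msg['subject']}\n{msg['body']}".lower()
    score, reasons = 0, []

    lures = [w for w in LURE_WORDS if w in text]
    if lures:
        score += 1
        reasons.append("billing/subscription lure: " + ", ".join(lures))

    phones = PHONE_RE.findall(text)
    if phones:
        score += 2
        reasons.append("phone number in body: " + phones[0].strip())

    if any(w in text for w in ACTION_WORDS):
        score += 1
        reasons.append("reader is told to call or cancel by phone")

    if phones and not URL_RE.search(text):
        score += 2
        reasons.append("no links at all: the phone call is the only next step")

    return score, reasons


def is_callback_phish(msg, threshold=THRESHOLD):
    return score_callback_phish(msg)[0] >= threshold


if __name__ == "__main__":
    for name, msg in (("callback phish", CALLBACK_PHISH), ("newsletter", BENIGN_NEWSLETTER)):
        score, reasons = score_callback_phish(msg)
        print(f"{name}: score={score} flagged={score >= THRESHOLD}")
        for reason in reasons:
            print("  -", reason)
```

The "phone number but no link" trait carries the most weight on purpose: legitimate renewal mail from a real provider almost always links to an account page, so a message that only offers a number to call is the shape worth quarantining for review.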

A Royal victim who spoke to BleepingComputer shared that the threat actors breached their network using a vulnerability in their custom web application, showing the threat actors are also being creative in how they gain access to a network.

Once they gain access to a network, they perform the same activities commonly used by other human-operated ransomware operations. They deploy Cobalt Strike for persistence, harvest credentials, spread laterally through the Windows domain, steal data, and ultimately encrypt devices.

When encrypting files, the Royal encryptor will append the .royal extension to the file names of encrypted files. For example, test.jpg would be encrypted and renamed to test.jpg.royal, as shown below.

Files encrypted by the Royal Ransomware Source: BleepingComputer

A Royal victim also told BleepingComputer that the attackers target virtual machines by directly encrypting their virtual disk files (VMDK). The threat actors then print ransom notes on network printers or drop them on the encrypted Windows devices.

These ransom notes are named README.TXT and contain a link to the victim’s private Tor negotiation page at royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion. XXX in the ransom note below has been redacted but is unique to the victim.

Royal ransom note Source: BleepingComputer
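The file-level behaviour described above (mass renames to the .royal extension, VMDK files among the targets, README.TXT notes dropped on encrypted hosts) is what a detection engineer can alert on from file-system telemetry. The following is an added example written for this page, not a detection shipped by BleepingComputer or any vendor; the event feed, host names, window and threshold are constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample of file-system events, shaped like what an EDR or Sysmon-style
# sensor reports: (timestamp, action, old_path, new_path). Hosts, shares and file
# names are invented for this example; they are not taken from a real incident.
SAMPLE_EVENTS = [
    ("2022-09-29T10:00:01", "rename", r"\\FS01\Finance\budget.xlsx",   r"\\FS01\Finance\budget.xlsx.royal"),
    ("2022-09-29T10:00:02", "rename", r"\\FS01\Finance\payroll.csv",   r"\\FS01\Finance\payroll.csv.royal"),
    ("2022-09-29T10:00:02", "rename", r"\\FS01\HR\contract.docx",      r"\\FS01\HR\contract.docx.royal"),
    ("2022-09-29T10:00:03", "create", None,                            r"\\FS01\HR\README.TXT"),
    ("2022-09-29T10:00:04", "rename", r"\\ESX01\datastore1\dc01.vmdk", r"\\ESX01\datastore1\dc01.vmdk.royal"),
    ("2022-09-29T10:00:05", "rename", r"\\FS01\HR\photo.jpg",          r"\\FS01\HR\photo.jpg.royal"),
    ("2022-09-29T10:00:06", "rename", r"\\FS01\Finance\notes.txt",     r"\\FS01\Finance\notes.txt.royal"),
    # A developer dropping a README.TXT five minutes later, with no encryption nearby: noise.
    ("2022-09-29T10:05:00", "create", None,                            r"\\DEV01\repo\README.TXT"),
]

ENCRYPTED_EXT = ".royal"        # extension Royal appends (from the article)
NOTE_NAME = "README.TXT"        # ransom note file name (from the article)
WINDOW = timedelta(seconds=60)  # assumed: how close together renames must be
THRESHOLD = 5                   # assumed: renames within WINDOW that trigger an alert


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def detect_royal_activity(events, window=WINDOW, threshold=THRESHOLD):
    """Scan events in time order and return a summary dict.

    alert fires the first time `threshold` renames to *.royal land inside `window`.
    .vmdk files that receive the extension are listed separately, because an
    encrypted virtual disk affects every VM stored in it. README.TXT creations
    only count as ransom notes when encryption was seen within `window` before
    them, since that file name on its own is far too common to alert on.
    """
    recent = deque()        # timestamps of .royal renames inside the window
    encrypted = 0
    alert_at = None
    vm_disks = []
    ransom_notes = []
    last_encrypt = None

    for ts_str, action, _old, new in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        lower = new.lower()
        if action == "rename" and lower.endswith(ENCRYPTED_EXT):
            encrypted += 1
            last_encrypt = ts
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            if lower.endswith(".vmdk" + ENCRYPTED_EXT):
                vm_disks.append(new)
            if alert_at is None and len(recent) >= threshold:
                alert_at = ts
        elif action == "create" and _basename(new).upper() == NOTE_NAME:
            if last_encrypt is not None and ts - last_encrypt <= window:
                ransom_notes.append(new)

    return {
        "alert": alert_at is not None,
        "alert_at": alert_at,
        "encrypted": encrypted,
        "vm_disks": vm_disks,
        "ransom_notes": ransom_notes,
    }


if __name__ == "__main__":
    for key, value in detect_royal_activity(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

In a real deployment the rename burst is the primary signal and the note is corroboration; if the sensor also exposes file contents, a match on the victim-specific .onion address in the note adds a second, family-specific confirmation.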

The Tor negotiation site is nothing special, simply containing a chat screen where a victim can communicate with the Royal ransomware operators.

As part of these negotiations, the gang states its ransom demand, which has ranged from $250,000 to more than $2 million.

The ransomware gang will also commonly decrypt a few files for the victims to prove their decryptor works and share file lists of the stolen data.

Royal Ransomware Tor negotiation site Source: BleepingComputer

BleepingComputer is unaware of successful payments and has not seen a decryptor for this ransomware family.

While the group previously had a data leak site at zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd.onion when operating as Zeon, it does not appear that one has been launched under the Royal brand as of yet.

However, network, Windows, and security admins are strongly advised to keep an eye on this group, as it is quickly ramping up operations and will likely become one of the more significant enterprise-targeting ransomware operations.
