New Royal ransomware group evades detection with partial encryption

A new ransomware group dubbed Royal that formed earlier this year has significantly ramped up its operations over the past few months and developed its own custom ransomware program that allows attackers to perform flexible and fast file encryption. “The Royal ransomware group emerged in early 2022 and has gained momentum since the middle of the year,” researchers from security firm Cybereason said in a new report. “Its ransomware, which the group deploys through different TTPs, has impacted multiple organizations across the globe. The group itself is suspected of consisting of former members of other ransomware groups, based on similarities researchers have observed between Royal ransomware and other ransomware operators.”

Royal ransomware group tactics

The Royal ransomware group’s tactics bear similarities to those of Conti, prompting suspicion that it’s partly made up of former members of the infamous group that shut down in May 2022. When it originally started its operations in January, Royal relied on third-party ransomware programs such as BlackCat and Zeon, but by September it shifted to its own custom-made file encryption program.

Since then, the group has made dozens of victims from various industry sectors, including the Silverstone motor racing circuit in London. However, most of the victims are from the US, and some early statistics suggest the group managed to overtake LockBit as the leading ransomware threat in November.

The Royal group uses phishing as an initial attack vector, as well as third-party loaders such as BATLOADER and Qbot for distribution. Initial access is followed by the deployment of a Cobalt Strike implant for persistence and to move laterally inside the environment in preparation for dropping the ransomware payload.

Partial encryption can evade detection

Attackers can execute the ransomware program with three command line arguments: one that specifies the path to be encrypted, one that specifies what percentage of every file’s contents will be encrypted, and one that provides a unique ID to identify the victim.

When run, the program first launches the vssadmin.exe Windows utility to delete all shadow copies of the file system, a standard routine that most ransomware applications use to prevent file recovery from the Windows backup mechanism. Next, it sets several file types and directory for exclusion from the encryption routine. This includes executable files, the entire Windows folder so it does not disrupt the OS operation, and the Tor browser folder, which is needed for the victim to access the group’s ransom portal on the Tor network.

The program then launches a network scan to identify computers on the same network and then attempts to connect to them using the SMB protocol to determine if they share any folders. This is done to build a list of external network file shares to encrypt in addition to the local files on the computer.

The encryption process is muti-threaded, and the number of threads is usually double the amount of CPU cores listed by the system. The file encryption is done through the OpenSSL library with the AES256 cipher, and the AES encryption key of each file is then encrypted with a public RSA key that’s hardcoded in the ransomware program. This ensures only the attackers can recover the AES keys using the private RSA key in their possession.

Before encrypting files, the program uses the Windows Restart Manager to check if the targeted files are currently being used by other services or applications and kills those applications if they are. It then locks them for encryption.

The interesting aspect in the encryption routine is the flexible partial encryption of files that are larger than 5.245 MB based on the percentage passed as a command line argument. While partial file encryption itself is not a new tactic and other ransomware programs use it as well to speed up the process, the capability to customize how much of a file to encrypt is new and can have implications for security programs that usually monitor changes made to files to catch possible ransomware attacks.

“The fragmentation and possibly low percentage of encrypted file content that results lowers the chance of being detected by anti-ransomware solutions,” the researchers said.

This encryption mechanism, as well as other tactics used by Royal, has similarities to Conti. For example, the Conti ransomware also used 5.24MB as a threshold for partial encryption and then divided the file into multiple equal parts, encrypting one and skipping one. The difference is that Conti encrypted 50% of those parts, resulting in a more uniform pattern that security products could detect.

“This similarity raises the question of whether the Royal ransomware authors have a connection to the Conti group, but on its own, it is not strong enough to suggest a direct or definitive connection,” the Cybereason researchers said.

Finally, encrypted files will have the .royal extension appended to them and a ransom note called README.TXT will be written into every directory that’s not on the exclusion list.