Former Conti Hackers using Royal Ransomware

The popular Royal ransomware is being used by skilled bad actors who used to be part of Conti Team One.  Between September and December 2022, Royal ransomware was used in numerous cyberattacks, which earlier this month prompted the US Department of Health and Human Services (HHS) cyber analysts to warn healthcare organizations of the risks associated with this threat.  Royal is the rebranded version of Zeon ransomware, which emerged earlier this year and was associated in August 2022 with Conti Team One, one of the groups involved in the distribution of the Conti ransomware.[1]

Red Sky Alliance has reported on Conti in the past, see:  https://redskyalliance.org/xindustry/resurgence-of-conti-ransomware

In April 2022, after the Conti gang openly expressed their support for the Russian invasion of Ukraine, an individual claiming to be a Ukrainian cybersecurity researcher leaked large amounts of information belonging to the ransomware, and that operation was shut down in May 2022.

There were three alleged groups of cybercriminals behind Conti: one switched to Quantum ransomware, another operated the Black Basta, Karakurt and Blackbyte ransomware families, and now Royal.  Blackbyte was shut down by authorities in early 2022.  Royal ransomware is typically distributed via callback phishing techniques that lure victims into installing remote access software, and it has been used in attacks targeting mainly entities in the US and Brazil.

See:  https://redskyalliance.org/main/search/search?q=black+basta

Conti seems to like attacking South American countries.  To give some examples, ransomware attacks affected government services in Quito, Ecuador; targeted Chile’s judicial system and the National Consumer Service (Sernac); as well as impacted operations that are dependent on the digital platforms of the Colombian sanitary authority (Invima) and companies’ oversight agency (Supersociedades).  Probably the most extensive attack took place in Costa Rica, disrupting government services and leading its president to declare a national emergency.[2]

The Conti group, responsible for Costa Rica’s first hit in April, has also accessed two email boxes belonging to the Intelligence Division of Perú’s Ministry of Interior (DIGIMIN), seeking a ransom in order not to publish the information obtained.  Conti’s message states there was no data encryption in DIGIMIN’s network, and that almost all documents the group downloaded were classified as secret.  According to media reports analyzing what Conti eventually published online, DIGIMIN has monitored under the label of “terrorism,” public events about missing persons and forced disappearances even when government entities were the organizers. The state's arbitrary monitoring of human rights defenders, political parties, journalists, and opposition leaders came more strongly into the spotlight with the “Guacamaya Leaks.”

Using remote access malware, Royal ransomware’s operators would then drop additional tools onto the compromised system, including QakBot and Cobalt Strike for lateral movement; NetScan to identify systems connected to the network; and PCHunter, PowerTool, GMER, and Process Hacker to disable security products.  These criminal hackers also used RClone to exfiltrate victims’ data, AdFind to query Active Directory, RDPEnable to enable remote desktop connections, and PsExec to execute the ransomware.

Royal deletes shadow copies on the system to prevent data recovery and it increases the speed of encryption by running threads on all processors on the system and by using a form of intermittent encryption.  The ransomware drops a ransom note in each directory it traverses.

Attackers can execute the ransomware program with three command line arguments: one that specifies the path to be encrypted, one that specifies what percentage of every file's content will be encrypted, and one that provides a unique ID to identify the victim.

When operated, the program first launches the vssadmin.exe Windows utility to delete all shadow copies of the file system, a standard routine that most ransomware applications use to prevent file recovery from the Windows backup mechanism.  Next, it sets several file types and directories for exclusion from the encryption routine.  This includes executable files, the entire Windows folder so it does not disrupt the OS operation, and the Tor browser folder, which is needed for the victim to access the group's ransom portal on the Tor network.
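Because the shadow-copy deletion described above is common to most ransomware families, it is one of the most reliable process-creation signals a defender can alert on.  The following Python is an added example, not code from this report or from any of the tools it names: it runs a small rule set over constructed process-creation events shaped like the fields of a Sysmon Event ID 1 or Windows Security 4688 record (PIDs, image paths and the parent process name are made up for the example).  The page names vssadmin.exe; the `wmic shadowcopy delete` pattern is a widely seen equivalent of the same technique and is included as a generalization.  Alerts are rated higher when the parent process lives outside the Windows directory, which is an assumption about what an administrator's legitimate invocation usually looks like.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 / Security 4688 style).
# Paths, PIDs and the parent binary name are fabricated for this example.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Users\Public\unknown_binary.exe",
     "command_line": "vssadmin.exe  Delete Shadows /All /Quiet"},
    {"pid": 4131, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "vssadmin list shadows"},          # benign: listing, not deleting
    {"pid": 4140, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Users\Public\unknown_binary.exe",
     "command_line": '"C:\\Windows\\System32\\wbem\\WMIC.exe" shadowcopy delete'},
    {"pid": 4155, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe notes.txt"},
]

# Rule name -> pattern over the normalized command line.
RECOVERY_INHIBITION_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
}


def normalize_command_line(cmd: str) -> str:
    """Drop quoting and collapse whitespace so spacing or quoting tricks do not evade the match."""
    return " ".join(cmd.replace('"', " ").split())


def match_recovery_inhibition(command_line: str):
    """Return the name of the first matching rule, or None when the command is not a deletion."""
    cmd = normalize_command_line(command_line)
    for name, pattern in RECOVERY_INHIBITION_PATTERNS.items():
        if pattern.search(cmd):
            return name
    return None


def is_windows_system_parent(parent_image: str) -> bool:
    # Assumption for this example: a parent under C:\Windows is more likely an admin shell.
    return parent_image.lower().startswith("c:\\windows\\")


def detect_shadow_copy_deletion(events) -> list:
    """Run the rules over a list of event dicts and return one alert per match."""
    alerts = []
    for ev in events:
        rule = match_recovery_inhibition(ev["command_line"])
        if rule is None:
            continue
        alerts.append({
            "pid": ev["pid"],
            "rule": rule,
            "parent_image": ev["parent_image"],
            "severity": "medium" if is_windows_system_parent(ev["parent_image"]) else "high",
            "command_line": ev["command_line"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(alert)
```

Listing shadow copies is not flagged, only deletion is, which keeps the rule quiet for routine administration while still catching the quoted, oddly spaced or full-path variants of the command.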

The program then launches a network scan to identify computers on the same network and then attempts to connect to them using the SMB protocol to determine if they share any folders.  This is done to build a list of external network file shares to encrypt in addition to the local files on the computer.

The encryption process is multi-threaded, and the number of threads is usually twice the number of CPU cores listed by the system.  The file encryption is done through the OpenSSL library with the AES256 cipher, and the AES encryption key of each file is then encrypted with a public RSA key that's hardcoded in the ransomware program.  This ensures only the attackers can recover the AES keys using the private RSA key in their possession.

Before encrypting files, the program uses the Windows Restart Manager to check if the targeted files are currently being used by other services or applications and kills those applications if they are.  It then encrypts the released files.

What is interesting in the encryption routine is the flexible partial encryption of files that are larger than 5.245 MB based on the percentage passed as a command line argument.  While partial file encryption itself is not a new tactic and other ransomware programs use it as well to speed up the process, the capability to customize how much of a file to encrypt is new and can have implications for security programs that usually monitor changes made to files to catch possible ransomware attacks.

This encryption mechanism, as well as other tactics used by Royal, has similarities to Conti.  For example, the Conti ransomware also used 5.24MB as a threshold for partial encryption and then divided the file into multiple equal parts, encrypting one and skipping one.  The difference is that Conti encrypted 50% of those parts, resulting in a more uniform pattern that security products could detect.
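The two paragraphs above make a point that is easiest to see with a detector in hand: a check calibrated on Conti's uniform 50% pattern can be defeated simply by choosing a smaller percentage.  The following Python is an added example, not code from this report or from the Royal or Conti samples: it measures per-chunk Shannon entropy over a file and contrasts a fixed-ratio detector (alert when at least half the chunks look encrypted) with one that compares the file against a known-good baseline.  The sample document and its "partially overwritten" copies are constructed inside the block by replacing every k-th part of the file with random bytes; no cipher is involved, the fixture only reproduces the statistical footprint that a partial-encryption routine leaves behind.  The 64 KiB chunk size, the 7.5 bits/byte threshold and the 256 KiB part size are assumptions chosen for the demonstration; the 5.245 MB size threshold is the page's.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 64 * 1024        # window over which entropy is measured (assumption)
HIGH_ENTROPY = 7.5            # bits per byte; encrypted or random data sits near 8.0 (assumption)
SIZE_THRESHOLD = 5_245_000    # bytes; the ~5.245 MB threshold above which Royal encrypts partially


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def high_entropy_fraction(data: bytes) -> float:
    ents = chunk_entropies(data)
    return sum(e >= HIGH_ENTROPY for e in ents) / len(ents)


def fixed_ratio_detector(data: bytes, min_fraction: float = 0.5) -> bool:
    """Detector tuned to the Conti-style pattern: alert only when at least half of the
    chunks look encrypted.  A strain that encrypts a smaller percentage slips under it."""
    return high_entropy_fraction(data) >= min_fraction


def baseline_delta_detector(before: bytes, after: bytes) -> int:
    """Compare against a known-good copy: count chunks that were low-entropy before and
    high-entropy after.  Any such chunk is suspicious, whatever percentage was touched."""
    return sum(1 for b, a in zip(chunk_entropies(before), chunk_entropies(after))
               if b < HIGH_ENTROPY and a >= HIGH_ENTROPY)


def above_partial_threshold(size: int) -> bool:
    return size > SIZE_THRESHOLD


def overwrite_fraction_with_noise(data: bytes, percent: int, part_size: int,
                                  rng: random.Random) -> bytes:
    """Constructed test fixture, NOT a cipher: replaces every k-th part of the file with
    random bytes so the result has the footprint of "encrypt one part, skip some".
    percent=50 yields the alternating Conti-like pattern; smaller values mimic a custom
    percentage."""
    step = max(1, round(100 / percent))
    out = bytearray(data)
    for idx, start in enumerate(range(0, len(data), part_size)):
        if idx % step == 0:
            end = min(start + part_size, len(data))
            out[start:end] = rng.getrandbits(8 * (end - start)).to_bytes(end - start, "little")
    return bytes(out)


# Constructed 6 MiB low-entropy "document", large enough for partial encryption to apply.
SAMPLE_SIZE = 6 * 1024 * 1024
PART_SIZE = 256 * 1024
_PANGRAM = b"The quick brown fox jumps over the lazy dog. "
SAMPLE_DOCUMENT = (_PANGRAM * (SAMPLE_SIZE // len(_PANGRAM) + 1))[:SAMPLE_SIZE]


def demo() -> dict:
    """Run both detectors over a 50% and a 10% partially overwritten copy of the sample."""
    rng = random.Random(2022)
    half = overwrite_fraction_with_noise(SAMPLE_DOCUMENT, 50, PART_SIZE, rng)
    tenth = overwrite_fraction_with_noise(SAMPLE_DOCUMENT, 10, PART_SIZE, rng)
    return {
        "applies": above_partial_threshold(len(SAMPLE_DOCUMENT)),
        "clean_fraction": high_entropy_fraction(SAMPLE_DOCUMENT),
        "half_fraction": high_entropy_fraction(half),
        "tenth_fraction": high_entropy_fraction(tenth),
        "fixed_ratio_catches_half": fixed_ratio_detector(half),
        "fixed_ratio_catches_tenth": fixed_ratio_detector(tenth),
        "baseline_catches_half": baseline_delta_detector(SAMPLE_DOCUMENT, half),
        "baseline_catches_tenth": baseline_delta_detector(SAMPLE_DOCUMENT, tenth),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fixed-ratio check fires on the 50% copy and stays silent on the 10% copy, while the baseline comparison reports changed chunks in both cases.  The practical lesson is to key detection on per-file change relative to a known state (or on the behaviours described earlier, such as shadow-copy deletion and share enumeration) rather than on a percentage tuned to one strain.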

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

[1] https://www.securityweek.com/researchers-link-royal-ransomware-conti-group

[2] https://www.eff.org/deeplinks/2022/12/hacking-governments-and-government-hacking-latin-america-2022-year-review
