05 January 2023  — 
MSP Threats Security Team

Royal ransomware’s actors make high demands

Summary

  • Discovered in 2022
  • Samples are PE64 executables, written in C/C++
  • Discovers other computers in the local network, scans for network shares and deletes shadow copies
  • Can be executed only with a specified ID given as an argument
  • Can encrypt particular folders and percentages of file
  • Encrypts files using AES and RSA algorithms from OpenSSL library
  • Encrypted files have ‘.royal’ extension

Introduction

Royal ransomware was first spotted in January 2022, targeting different corporations. This group does not provide ransomware-as-a-service. The attackers demand figures ranging from $250,000 to over $2 million from their victims.

On December 1, 2022, Royal ransomware was used to attack the telecom provider Intrado, with the gang demanding $60 million in ransom. We have not yet seen the leaked data, but the criminals shared a ~50 MB archive with some stolen files (including passports and other documents) as proof of breach.

Technical details

Overview

The Royal ransomware sample (sha256:5fda381a9884f7be2d57b8a290f389578a9d2f63e2ecb98bd773248a7eb99fa2) is a PE64 executable, not packed or obfuscated and written in C/C++:

Acronis

Execution

The Royal ransomware sample was developed as a console application. At the start of execution, it takes parameters using the CommandLineToAtgW() function.

Acronis

These arguments are:

  • -path — the path to files that must be encrypted
  • -id — 32-byte victim’s ID
  • -ep — encryption percentage of the file

Royal ransomware requires the ID parameter — without it, encryption will not begin.

After receiving parameters, the malware deletes all volume shadow copies using the ‘vssadmin.exe’ tool. The interesting thing is that this operation occurs before checking the ID parameter, so even if this parameter was not provided (or is wrong), Royal deletes shadow copies from the system.

Acronis

The ID parameter must be a 32-byte value. This is the only check of this ID, so any 32-character value in this parameter will cause the program to start the execution.

Acronis

The next routine is to check if there are other computers on the network. To do this, it begins with use of the Winsock DLL and then retrieves the interface–to–IPv4 address mapping table using the GetIpAddrTable() function.

Acronis

Royal then creates a socket that is bound to a specific transport-service provider with the WSASocketW() function, using the following arguments:

  • af = 0x2 — AF_INET (The Internet Protocol version 4 (IPv4) address family)
  • type = 0x1 — SOCK_STREAM (A socket type that provides sequenced, reliable, two-way, connection-based byte streams with an OOB data transmission mechanism)
  • protocol = 0x6 — IPPROTO_TCP (The Transmission Control Protocol (TCP))
  • g = 0 – No group operation is performed
  • dwFlags = 0x01 — WSA_FLAG_OVERLAPPED (Creates a socket that supports overlapped I/O operations)

After that, the created I/O completion port is associated with a TCP socket using the CreateIoCompletionPort() function.

Acronis

Then it begins to connect to other hosts on the network via port 445:

Acronis
Acronis

Royal can enumerate all available shares on the system using the ‘NetShareEnum’ function call. It will scan shares, and if the found name matches with the “ADMIN$” or “IPC$” strings, it will skip them during encryption.

Acronis

File encryption

Once executed, Royal adds a stored list of extensions to the exclusion list. The strings are encoded in HEX format in reverse order. The decrypted strings look as follows:

0x7400610062002Ei64 – .bat
0x6C006C0064002Ei64 – .dll
0x6500780065002Ei64 – .exe
0x7400610062002Ei64 – .lnk
.royal

In addition to file extensions, it excludes some folders from encryption:

Acronis

To prevent the use of targeted files by other applications, Royal restarts the ‘explorer.exe’ process using Restart Manager API calls.

Acronis
Acronis

Before starting the encryption process, Royal checks the system information to know how many threads it can spawn. Threads will be started with the ‘sub_7FF6C88F870’ function start address.

Acronis

This function contains the main encryption routine. First, it loads an RSA public key hardcoded in the sample.

Acronis

It loads these modules, which are part of the OpenSSL crypto library.

Acronis

Royal obtains all available logical drives in the system with GetLogicalDrives() function and drops a ransom note titled “README.txt” on each found drive.

Acronis

Then, it starts searching files using the FindFirstFileW() and FindNextFileW() functions. When an appropriate file is found, it reads the content with ReadFile() and encrypts it using AES-256 algorithm from the OpenSSL library. All encrypted files get ‘.royal’ extension.

Acronis

Royal also writes encryption key, file size, and percentage of encrypted data (‘0x64’ = 100%) to the footer at the end of the file.

Acronis

Ransom note

The ransom note contains a URL to contact criminals that includes the victim’s ID, which was provided as a command line argument.

Acronis

Data leak site

Because the ID was chosen randomly, the URL to the victims' leak site is not valid. The data leak site suggests contacting the criminals.

Acronis

Conclusion

The Royal ransomware group started its operations in the beginning of 2022, and has successfully breached various companies while demanding high ransoms.

The ransomware uses the OpenSSL library to encrypt users’ files. It can search for other computers on the local network, encrypt files in shared folders, delete shadow copies and terminate the ‘explorer.exe’ process to obtain access to files. It must be executed with provided 32-byte ID as an argument, and it can encrypt specific folders and even percentages of the file. All encrypted files get the ‘.royal’ extension. The encryption key, file size, and encryption percentage are added to the end of the file.

Detected by Acronis

Acronis

IoCs

Files

SHA256
5fda381a9884f7be2d57b8a290f389578a9d2f63e2ecb98bd773248a7eb99fa2

Network indicators

URL
http://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion/[Unique victim ID]