A Royal update

The latest and greatest on the Royal ransomware operation…

Introduction

Royal ransomware

TTP overview

Highlights

A shoutout to proxylife (https://twitter.com/pr0xylife) on Twitter, who follows this malware and shares details on its configuration and execution flow.

UAC Bypass
To run their malicious scripts, the Royal group used a very interesting UAC bypass based on a default scheduled task. This is a known technique, but it was the first time we spotted it in the wild. The interesting part is that it is very easy to miss what is going on; this event is logged in PowerShell when the bypass is executed:

To learn more about this technique check out this blog by Elastic.

Hunting/Detection tips

  • Scheduled Tasks in the Application Event Log;
  • PowerShell activity; by default, Windows 7+ endpoints log PowerShell activity quite well;
  • Windows service installations, often used for persistence by Cobalt Strike.
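As an added, defender-side example (not code from the original post), the following PowerShell sweep pulls those three sources from a host with Get-WinEvent and flags entries that mention tooling named in this write-up; the log names and event IDs are standard Windows ones, while the time window, keyword list and output path are assumptions:

```powershell
# Added example, not code from the original post: a triage script that pulls the
# three event sources named in the hunting tips (scheduled tasks, PowerShell
# activity, service installations) from a Windows host and flags entries that
# mention tooling from this write-up. Log names and event IDs are standard
# Windows ones; the time window, keyword list and output path are assumptions.
param(
    [int]$Hours = 72,
    [string]$OutFile = "$env:TEMP\royal-hunt.csv"
)
$since = (Get-Date).AddHours(-$Hours)

$sources = @(
    @{ Log = 'Security';                                    Id = 4698; Label = 'ScheduledTaskCreated' }, # needs auditing of Other Object Access Events
    @{ Log = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106;  Label = 'TaskRegistered' },       # operational log must be enabled on the host
    @{ Log = 'System';                                      Id = 7045; Label = 'ServiceInstalled' },     # common Cobalt Strike persistence pattern
    @{ Log = 'Microsoft-Windows-PowerShell/Operational';    Id = 4104; Label = 'PSScriptBlock' }         # needs Script Block Logging
)

# Keywords taken from the post (tooling seen in the Royal intrusions) plus the
# generic encoded-command indicators; an assumed starting list, extend as needed.
$keywords = 'PowerSploit|AdFind|Dropbox|MegaSync|EncodedCommand|FromBase64String'

$findings = foreach ($s in $sources) {
    $filter = @{ LogName = $s.Log; Id = $s.Id; StartTime = $since }
    # SilentlyContinue: a missing/disabled log or an empty result must not abort the sweep
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]($_.Message) -replace '\s+', ' '        # collapse multi-line messages
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Computer   = $_.MachineName
            Source     = $s.Label
            EventId    = $_.Id
            Suspicious = [bool]($text -match $keywords)
            Message    = $text.Substring(0, [Math]::Min(300, $text.Length))
        }
    }
}

$findings | Sort-Object Time | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
# Show the keyword hits first; the full timeline is in the CSV for the analyst.
$findings | Where-Object Suspicious | Sort-Object Time |
    Format-Table Time, Source, EventId, Message -AutoSize -Wrap
"Wrote $(@($findings).Count) events to $OutFile"
```

Run it from an elevated PowerShell session, since the Security log is not readable by standard users; an empty result for a source usually means that audit setting or log is not enabled rather than that nothing happened.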

Takeaways

  • Heavy reliance on PowerShell to achieve objectives and used throughout the attack phases;
  • PowerSploit and AdFind remain popular choices for ransomware groups to perform reconnaissance and privilege escalation activities;
  • Speed over stealth: Royal ransomware operators move very quickly from initial access to full domain compromise without caring much about the alerts triggered by security products;
  • Relying on multiple backdoors and persistent access through Qbot and Cobalt Strike beacons;
  • Multiple data exfiltration destinations: we’ve seen the Dropbox and MegaSync applications being installed and used;
  • Scheduled tasks used for persistence and ransomware deployment.

About Invictus Incident Response

🆘 For Incident Response support, reach out to cert@invictus-ir.com or go to https://www.invictus-ir.com/247

📧 For questions or suggestions, contact us at info@invictus-ir.com


We are an incident response company specialised in supporting organisations facing a cyber attack. We help our clients stay undefeated!
