Royal ransomware appeared in 2022 and quickly became a persistent problem for security analysts. Logpoint's research team has investigated the ransomware to show how analysts can detect and respond to the evolving threat.
Logpoint's investigation revealed that Royal stops services and kills processes to prepare the host before the ransomware detonates. The adversaries use scheduled tasks to run malicious code once or on a recurring basis, which is how the ransomware is launched. The malware then enumerates network shares and encrypts the shared folders, and it deletes the volume shadow copies of the drives so that files cannot be recovered from them.
Doron Davidson, VP Logpoint Global Services, said, "Royal stands out as a ransomware provider because it doesn't have affiliates. The ransomware uses various tactics and techniques to reach its goal, like redirecting users using Google ads, sending phishing emails, and personal interactions based on callback phishing. Despite the many ways to gain initial access, the ransomware deploys in later stages, providing organisations with an opportunity to detect it before it wreaks havoc."
To protect your organisation against Royal ransomware, Logpoint recommends monitoring the infrastructure for stopped services and killed processes, monitoring for the creation of scheduled tasks and related events involving the schtasks binary, and monitoring for access to many shared folders within a short span from the same user and host.
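The behaviours described above (service stops and process kills, scheduled task creation through schtasks, shadow copy deletion, and a sweep across many network shares) map onto a handful of Windows event types, and the following Python block shows one way to turn the recommended monitoring into concrete detection logic. It is an added example, not Logpoint's detection content or code from the research it describes. The event records are constructed for illustration (Security event 4688 for process creation and 5140 for share access, normalised into dicts with assumed field names such as `host`, `user`, `image`, `cmdline` and `share`), the thresholds and 60-second window are assumed tuning values, and `payload.exe` is a placeholder name, not a real Royal artefact.

```python
"""Toy detections for Royal-style pre-encryption behaviour over constructed
Windows event records. Added example; events, thresholds and field names are
assumptions for illustration, not real telemetry or Logpoint detection rules."""
from collections import defaultdict
from datetime import datetime, timedelta

KILL_THRESHOLD = 3           # stop/kill commands per host within WINDOW (assumed tuning)
SHARE_THRESHOLD = 5          # distinct shares per (host, user) within WINDOW (assumed tuning)
WINDOW = timedelta(seconds=60)


def _proc(ts, host, user, image, cmdline):
    # Normalised process-creation record (Security 4688 / Sysmon 1); field names are assumed.
    return {"ts": ts, "id": 4688, "host": host, "user": user, "image": image, "cmdline": cmdline}


def _share(ts, host, user, share):
    # Normalised share-access record (Security 5140); 'host' is the accessing client.
    return {"ts": ts, "id": 5140, "host": host, "user": user, "share": share}


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _exe(e):
    # Basename of the process image, lower-cased, so full paths and casing do not matter.
    return e["image"].lower().rsplit("\\", 1)[-1]


def _args(e):
    return e["cmdline"].lower().split()


def detect_task_creation(events):
    """schtasks.exe invoked with /create: the launch mechanism described in the article."""
    return [e for e in events
            if e["id"] == 4688 and _exe(e) == "schtasks.exe" and "/create" in _args(e)]


def detect_shadow_copy_deletion(events):
    """vssadmin 'delete shadows' or wmic 'shadowcopy delete': removes the recovery path."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        a = _args(e)
        if (_exe(e) == "vssadmin.exe" and "delete" in a and "shadows" in a) or \
           (_exe(e) == "wmic.exe" and "shadowcopy" in a and "delete" in a):
            hits.append(e)
    return hits


def _is_kill_cmd(e):
    # net/net1/sc with a 'stop' verb, or any taskkill invocation.
    if e["id"] != 4688:
        return False
    exe = _exe(e)
    if exe in ("net.exe", "net1.exe", "sc.exe"):
        return "stop" in _args(e)
    return exe == "taskkill.exe"


def _max_in_window(items, key):
    """Largest number of distinct key(item) values inside any WINDOW-long span.
    items is a list of (timestamp, payload) tuples; sorted in place."""
    items.sort()
    best = 0
    for i, (start, _) in enumerate(items):
        best = max(best, len({key(p) for t, p in items[i:] if t - start <= WINDOW}))
    return best


def detect_kill_bursts(events):
    """Hosts that issued >= KILL_THRESHOLD service-stop / process-kill commands within WINDOW."""
    per_host = defaultdict(list)
    for i, e in enumerate(events):
        if _is_kill_cmd(e):
            per_host[e["host"]].append((_ts(e), i))        # index keeps each command distinct
    flagged = {h: _max_in_window(v, lambda p: p) for h, v in per_host.items()}
    return {h: n for h, n in flagged.items() if n >= KILL_THRESHOLD}


def detect_share_sweeps(events):
    """(host, user) pairs touching >= SHARE_THRESHOLD distinct shares within WINDOW."""
    per_actor = defaultdict(list)
    for e in events:
        if e["id"] == 5140:
            per_actor[(e["host"], e["user"])].append((_ts(e), e["share"].lower()))
    flagged = {a: _max_in_window(v, lambda p: p) for a, v in per_actor.items()}
    return {a: n for a, n in flagged.items() if n >= SHARE_THRESHOLD}


def run_detections(events):
    return {
        "scheduled_tasks": [e["cmdline"] for e in detect_task_creation(events)],
        "shadow_copy_deletion": [e["cmdline"] for e in detect_shadow_copy_deletion(events)],
        "kill_bursts": detect_kill_bursts(events),
        "share_sweeps": detect_share_sweeps(events),
    }


S32 = "C:\\Windows\\System32\\"
# Constructed sample events (not captured from a real infection).
SAMPLE_EVENTS = [
    _proc("2023-03-01T09:58:00", "ws01", "CORP\\alice", S32 + "notepad.exe", "notepad.exe"),   # benign
    _share("2023-03-01T09:59:00", "ws02", "CORP\\bob", "\\\\fs01\\public"),                     # benign
    _proc("2023-03-01T10:00:00", "ws01", "CORP\\alice", S32 + "schtasks.exe",
          "schtasks /create /tn Update /tr C:\\Users\\Public\\payload.exe /sc once /st 10:05"),
    _proc("2023-03-01T10:00:10", "ws01", "CORP\\alice", S32 + "net.exe", "net stop MSSQLSERVER /y"),
    _proc("2023-03-01T10:00:11", "ws01", "CORP\\alice", S32 + "sc.exe", "sc stop VSS"),
    _proc("2023-03-01T10:00:12", "ws01", "CORP\\alice", S32 + "taskkill.exe", "taskkill /f /im sqlservr.exe"),
    _proc("2023-03-01T10:00:13", "ws01", "CORP\\alice", S32 + "taskkill.exe", "taskkill /f /im outlook.exe"),
    _proc("2023-03-01T10:00:20", "ws01", "CORP\\alice", S32 + "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
] + [_share(f"2023-03-01T10:01:{i * 5:02d}", "ws01", "CORP\\alice", f"\\\\fs0{1 + i % 2}\\{name}")
     for i, name in enumerate(["finance", "hr", "eng", "backup", "legal", "it"])]

if __name__ == "__main__":
    for name, result in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

Against the constructed sample the single schtasks /create and the vssadmin command are reported outright, ws01 is flagged for a burst of four stop/kill commands, and the alice@ws01 pair is flagged for six distinct shares within a minute, while bob's lone share access stays below the threshold. The kill and share detections are deliberately windowed and counted rather than matched on a single command, because one `net stop` or one share access is routine on most networks; it is the burst from one actor that distinguishes the pre-encryption phase.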
Doron added, "It's important that organisations have the right cybersecurity resources in place. Leveraging the technological advancements in cybersecurity can accelerate threat detection, investigation, and response. For example, automatic incident detection and response can improve cyber intelligence and reduce cyber risk. Investing in advance in Penetration Testing and similar cybersecurity services will reduce the need to pay for Royal's Pentesting services."