FortiGuard Labs is aware that the Cybersecurity and Infrastructure Security Agency (CISA) recently released an advisory on Royal ransomware as part of its #StopRansomware effort. The advisory states that Royal ransomware compromised multiple organizations globally starting late 2022. The threat actor is known to use malware and dual-use tools to establish persistence, move laterally in the compromised networks and exfiltrate data from victims and ultimately lock victim machines for monetary gain.Why is this Significant?This is significant because CISA released the advisory for Royal ransomware for public awareness purposes. Due to its worldwide campaign starting last September, Royal has been attributed to many attacks in recent months and is gaining traction and severity due to observed attacks targeting critical infrastructure, such as Manufacturing, Communications, Healthcare and Public Healthcare (HPH), and Education verticals.What is Royal ransomware?Royal is a relatively new ransomware, having been around since at least the start of 2022. The group initially used Windows versions of Royal ransomware; however a Royal ransomware variant that can infect ESXi was observed in 2023. The Royal ransomware objective is to compromise victims’ networks, exfiltrate information, deploy Royal ransomware for file encryption and ultimately extort money from the victims for file decryption and preventing data leaks.According to the advisory, Royal ransomware infection vectors include emails, malvertising campaigns, Remote Desktop Protocol (RDP) compromise, exploiting internet-facing applications and gaining access from initial access brokers.Tools used by Royal ransomware threat actor include Chisel for C2 communication, PsExec for lateral movement, AnyDesk, LogMeIn, and Atera, to establish persistence, and Cobalt Strike and Ursnif/Gozi malware to exfiltrate data.Typically, Royal ransomware adds a “.royal” file extension to encrypted files and leaves “README.txt” as a ransom note. FortiGuard Labs previously posted blogs on Royal ransomware. See the Appendix for a link to “Ransomware Roundup: Royal Ransomware” and “Royal Ransomware Targets Linux ESXi Servers”.What is the Status of Protection?FortiGuard Labs has the following AV signatures in place for the available samples called out in the advisory:W32/Chisel.A!trBAT/Agent.E949!trBAT/Agent.70c4!trPowerShell/Agent.FGA!trRiskware/NsudoW32/PossibleThreatFortiGuard Labs has the following AV signatures in place for known samples of Royal ransomware:W32/Ransom_Royal.FFBJFIM!trW32/Royal.D779!tr.ransomW32/Royal.47AC!tr.ransomW64/Royal.CF4E!tr.ransomLinux/Filecoder_Royal.A!trW32/PossibleThreatNetwork IOCs in the advisory are blocked by the FortiGuard Webfiltering client.
More Stories
cups-2.4.10-7.fc39 cups-browsed-2.0.1-3.fc39 libcupsfilters-2.1~b1-3.fc39 libppd-2.1~b1-2.fc39
FEDORA-2024-cf6ab63871 Packages in this update: cups-2.4.10-7.fc39 cups-browsed-2.0.1-3.fc39 libcupsfilters-2.1~b1-3.fc39 libppd-2.1~b1-2.fc39 Update description: Fix for remote vulnerabilities against OpenPrinting cups-filters Read More
cups-2.4.10-7.fc40 cups-browsed-2.0.1-3.fc40 libcupsfilters-2.1~b1-3.fc40 libppd-2.1~b1-2.fc40
FEDORA-2024-01127974ec Packages in this update: cups-2.4.10-7.fc40 cups-browsed-2.0.1-3.fc40 libcupsfilters-2.1~b1-3.fc40 libppd-2.1~b1-2.fc40 Update description: Fix for remote vulnerabilities against OpenPrinting cups-filters Read More
cups-2.4.10-7.fc41 cups-browsed-2.0.1-3.fc41 libcupsfilters-2.1~b1-3.fc41 libppd-2.1~b1-2.fc41
FEDORA-2024-3fc82fed09 Packages in this update: cups-2.4.10-7.fc41 cups-browsed-2.0.1-3.fc41 libcupsfilters-2.1~b1-3.fc41 libppd-2.1~b1-2.fc41 Update description: Fix for remove vulnerabilities against OpenPrinting cups-filters Read More
USN-7045-1: libppd vulnerability
Simone Margaritelli discovered that libppd incorrectly sanitized IPP data when creating PPD files. A remote attacker could possibly use this...
USN-7044-1: libcupsfilters vulnerability
Simone Margaritelli discovered that libcupsfilters incorrectly sanitized IPP data when creating PPD files. A remote attacker could possibly use this...
USN-7043-1: cups-filters vulnerabilities
Simone Margaritelli discovered that the cups-filters cups-browsed component could be used to create arbitrary printers from outside the local network....