Royal Ransomware with updated features


INTRODUCTION

Royal ransomware is one of a recent wave of ransomware families that has caused havoc across sectors in various countries. Before getting into the functionality of the ransomware, let's start with some background on Royal.

The Royal ransomware group emerged in early 2022. Based on the structural pattern and functionality of the ransomware, it is alleged that it was started by former members of the notorious "Conti" ransomware group. The Conti group and its infrastructure were taken down in May 2019 after the leak of its source code, but that did not stop the group from operating: it rebranded into different ransomware groups such as Black Basta and BlackByte.

According to CISA and the FBI, Royal was linked to an earlier ransomware named "Zeon", based on the file encryptors and the ransom note it reused from that ransomware. Later on, the group started using its own file encryptor.

Unlike many other ransomware families, which operate under the RaaS (Ransomware-as-a-Service) model, Royal operates in a private or semi-autonomous model. In the semi-autonomous model the group coordinates with multiple other ransomware groups for services such as reusing file encryptors, ransom notes and dark web site infrastructure.

FUNCTIONALITY

Command Line Arguments

The ransomware accepts the command line arguments shown in the table below (the 3 arguments of the earlier version plus the 2 new ones).

Argument            Description
-id                 Mandatory field. Unique machine ID of length 32
-path               Path from which to start recursively encrypting files
-ep                 Encryption percentage; if 50% is given, 50% of each file is encrypted
-disablesafeboot    Removes the system's safe boot option using bcdedit
-noprotect          Functionality in progress

The id is the unique machine ID generated for the victim and used in communication. The path field is the directory whose contents are encrypted; if no path is provided, all locations are encrypted by default. The ep field is the percentage of each file that is encrypted; by default 50% of the file is encrypted. The new variant adds 2 new parameters, "disablesafeboot" and "noprotect".

For the disablesafeboot parameter, it calls IsWow64Process to check whether it is running under WOW64 and then invokes the corresponding bcdedit parameters to disable safe boot.

The arguments are shown in the screenshot below.

It also checks whether the length of the ID string is 32 (the length of the victim ID) and exits if it is not.

Removal of Backup Storage

After checking the first condition on the running arguments, it immediately removes the backup storage using the vssadmin command "vssadmin.exe delete shadows /all /quiet". In recent times the abuse of the legitimate Microsoft tool "vssadmin" by ransomware has seemingly increased. The remaining functionality of the ransomware starts after the removal of the backup storage.
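As an added defender-side illustration (not code from the original analysis), the following Python runs a few detection rules for the shadow-copy deletion, the bcdedit safe-boot tampering and the forced reboot described in this write-up over constructed process-creation log lines. The log format, the hostnames and the exact bcdedit arguments are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of process-creation events in an assumed "host|parent|image|command_line"
# format (what a Sysmon Event ID 1 export could be flattened to); not real telemetry.
SAMPLE_EVENTS = """\
WS01|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
WS01|C:\\Users\\u\\royal.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
WS01|C:\\Users\\u\\royal.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit.exe /deletevalue {default} safeboot
WS02|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
WS01|C:\\Users\\u\\royal.exe|C:\\Windows\\System32\\shutdown.exe|shutdown.exe /r /t 0
"""

# Each rule is (name, regex over the command line); case-insensitive because the
# tools may be spawned with any casing.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("safeboot_tampering", re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("forced_immediate_reboot", re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b.*\s/t\s+0\b", re.I)),
]

def parse_events(text):
    """Yield (host, parent_image, image, command_line) from the flattened log."""
    for line in text.strip().splitlines():
        host, parent, image, cmdline = line.split("|", 3)
        yield host, parent, image, cmdline

def detect(text):
    """Return [(host, rule_name, parent_image, command_line)] for every matching event."""
    hits = []
    for host, parent, image, cmdline in parse_events(text):
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((host, name, parent, cmdline))
    return hits

def hosts_with_chain(text, required=("shadow_copy_deletion", "safeboot_tampering")):
    """Hosts on which every rule in `required` fired. A lone vssadmin call can be an
    admin cleaning up; backup removal plus safe-boot tampering on the same host is the
    sequence this write-up attributes to Royal."""
    seen = defaultdict(set)
    for host, name, _, _ in detect(text):
        seen[host].add(name)
    return {h for h, names in seen.items() if set(required) <= names}

if __name__ == "__main__":
    for host, name, parent, cmdline in detect(SAMPLE_EVENTS):
        print(f"{host}: {name} <- {parent}: {cmdline}")
    print("hosts with full chain:", hosts_with_chain(SAMPLE_EVENTS))
```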

Local Network Scanning

Royal ransomware scans the local network, targeting IP addresses that begin with "192", "10", "100" or "172". It checks whether any network shares are connected to the system so that it can enumerate the network paths and try to infect the files inside the shared paths.

Royal uses TCP socket connections to reach hosts on the discovered network. It uses the WSAIoctl API to obtain a pointer to the ConnectEx function, creates the socket with WSASocketW and associates it with an I/O completion port using CreateIoCompletionPort. The port number passed to htons is the SMB port, 445.

It checks for shared network paths, looking for SMB shares named ADMIN$ or IPC$.
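As an added example (not from the original analysis) of how the sweep described above could be spotted on the wire, this Python flags a source that opens SMB (445) connections to many distinct addresses in the ranges beginning with 10, 172, 192 and 100 within a short window. The flow log format, the addresses and the window/threshold values are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# The write-up says Royal sweeps addresses starting with 192, 10, 100 or 172. This check
# narrows that (assumption) to the private / CGNAT blocks those prefixes normally denote.
SCAN_RANGES = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
SMB_PORT = 445

# Constructed flow records "timestamp src dst dport": one host fans out to six neighbours
# on 445 within seconds, another host talks to a single file server, plus unrelated traffic.
SAMPLE_FLOWS = """\
2023-04-01T10:00:00 10.1.1.5 10.1.1.10 445
2023-04-01T10:00:01 10.1.1.5 10.1.1.11 445
2023-04-01T10:00:01 10.1.1.7 10.1.1.20 445
2023-04-01T10:00:02 10.1.1.5 10.1.1.12 445
2023-04-01T10:00:02 10.1.1.9 10.1.1.30 80
2023-04-01T10:00:03 10.1.1.5 10.1.1.13 445
2023-04-01T10:00:04 10.1.1.5 10.1.1.14 445
2023-04-01T10:00:05 10.1.1.5 10.1.1.15 445
2023-04-01T10:00:06 10.1.1.5 8.8.8.8 445
2023-04-01T10:09:00 10.1.1.7 10.1.1.20 445
"""

def in_scan_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SCAN_RANGES)

def parse_flows(text):
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)

def detect_smb_sweep(text, min_targets=5, window_s=60):
    """Return {src: distinct_445_targets} for sources that reached at least `min_targets`
    distinct in-range hosts on 445 inside any `window_s`-second window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_flows(text):
        if dport == SMB_PORT and in_scan_range(dst):
            by_src[src].append((ts, dst))
    hits = {}
    for src, conns in by_src.items():
        conns.sort()
        best = 0
        for i, (t0, _) in enumerate(conns):  # sliding window starting at each connection
            targets = {d for t, d in conns[i:] if (t - t0).total_seconds() <= window_s}
            best = max(best, len(targets))
        if best >= min_targets:
            hits[src] = best
    return hits
```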

Restart Manager

Royal ransomware uses another interesting technique, the Windows "Restart Manager", to deal with file locks before encryption. Before starting encryption, each file is checked through Restart Manager to see whether it is locked by any other process. The main purpose of using Restart Manager here is to identify the processes holding the resources or files that are to be encrypted. This functionality has been used by some notorious ransomware groups, to name a few: REvil, Conti and SamSam.

·       Registers a session using RmStartSession and registers the list of resources (file names) using RmRegisterResources

·       The list of processes holding those resources is obtained with the RmGetList API

·       The running processes are iterated with CreateToolhelp32Snapshot, Process32FirstW and Process32NextW to check for explorer.exe and the ransomware's own process, so that these are not shut down

·       Other processes holding locks on the resources are terminated using RmShutdown

Cryptographic Algorithm


The Royal ransomware stores the RSA public key in plain text and uses the open source OpenSSL library to generate the AES key and initialization vector (IV) used for file encryption.

The previous version of Royal contained debug artifacts such as the path "c:\users\wadoc\Desktop\vcpkg\buildtrees\openssl\...", which points to the attacker's build location, with a user named "wadoc", and to OpenSSL package files on that system.

This version of Royal contained the path shown in the screenshot below.

The ransomware uses the OpenSSL crypto library functions shown in the screenshot below.

File Encryption

The ransomware uses multi-threading to encrypt files faster and more efficiently. Before spawning threads, it first checks the number of processors using GetNativeSystemInfo in order to gauge the system's capacity and avoid creating a disproportionate number of threads.

The ransomware excludes the following file extensions:

.exe, .dll, .bat, .lnk

and the following locations: windows, mozilla, $recycle.bin, perflogs, tor browser, boot, $windows.~ws, $windows.~bt, windows.old

This keeps the system stable and able to maintain communication with the attacker for extorting the ransom.

Once a file is encrypted, the infection marker "royal_w" is appended to its name.

After the task is done, it restarts the system via ShellExecuteW with the command "shutdown.exe" "/r /t 0".
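As an added forensic-triage example, not code from the original write-up, the following Python applies the exclusion lists and the "royal_w" marker from this section and estimates how much of a file was actually encrypted under the partial-encryption (-ep) scheme by measuring per-chunk entropy. The sample file is constructed (first half random bytes, second half text); which bytes the real encryptor selects is not stated here and is not assumed, since the estimate only counts high-entropy chunks wherever they are.

```python
import math
import os
from pathlib import PurePath

MARKER = "royal_w"  # infection marker appended to encrypted files
EXCLUDED_EXTS = {".exe", ".dll", ".bat", ".lnk"}
EXCLUDED_DIRS = {"windows", "mozilla", "$recycle.bin", "perflogs", "tor browser",
                 "boot", "$windows.~ws", "$windows.~bt", "windows.old"}

def is_excluded(path: str) -> bool:
    """True if the exclusion rules listed in this section would skip the path."""
    p = PurePath(path.replace("\\", "/"))
    if p.suffix.lower() in EXCLUDED_EXTS:
        return True
    return any(part.lower() in EXCLUDED_DIRS for part in p.parts[:-1])

def has_marker(path: str) -> bool:
    return path.lower().endswith(MARKER)

def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext/random data, well below 6 for text."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def encrypted_fraction(data: bytes, chunk_size=1024, threshold=7.0) -> float:
    """Share of fixed-size chunks that look encrypted: an estimate of the -ep value."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    high = sum(1 for c in chunks if shannon_entropy(c) >= threshold)
    return high / len(chunks) if chunks else 0.0

def build_sample(size=64 * 1024, ep=50) -> bytes:
    """Constructed stand-in for a partially encrypted file: first ep% random, rest text."""
    cut = size * ep // 100
    text = (b"Quarterly report, figures attached.\n" * size)[: size - cut]
    return os.urandom(cut) + text

def triage(path: str, data: bytes) -> dict:
    """Summarise one file: skipped by the encryptor, carrying the marker, how much encrypted."""
    return {"excluded": is_excluded(path), "marked": has_marker(path),
            "encrypted_fraction": round(encrypted_fraction(data), 2)}
```

The unencrypted remainder of a partially encrypted file is still readable, so a carve of the low-entropy chunks can recover part of the content even when the key is not available.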

Ransom Note

Communication via Royal Ransomware Onion Site

The ransom note contains the Tor link to the Royal ransomware site "hxxp[:]//royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion"; the site was still active at the time of analysis.

CONCLUSION

Royal ransomware keeps being updated with new functionality and features. The current version contains 2 new arguments, "disablesafeboot" and "noprotect", a system reboot feature and a mutex; the remaining features of the current version stay the same. As ransomware groups collaborate on sharing ransomware utilities, modules and other infrastructure, we could see a new ransomware sprout every day.

Follow the best practices and recommendations to prevent ransomware infection.

IOCs

beef7e428f26c583dd92962cbe886f2e4286825a1637b7a427ce84139ab6307a

64436792f8beb4bd6e095b1a2f7e493a8eb85170c7113acefc916098013c46c9

595c869f8ec7eaf71fef44bad331d81bb934c886cdff99e1f013eec7acdaf8c9

REFERENCES

·       https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a

·       https://github.com/openssl/openssl/blob/master/crypto/pem/pem_oth.c
