
FBI releases joint advisory alert against the Royal ransomware gang

On Thursday, 2 March 2023, the United States Federal Bureau of Investigation (FBI) released a joint TLP:WHITE cybersecurity advisory revealing that threat actors have been using the Royal ransomware since September 2022 to target numerous critical infrastructure sectors including, but not limited to, Manufacturing, Communications, Healthcare and Public Health (HPH), and Education. The current variant is believed to have evolved from earlier iterations that used “Zeon” as a loader; the actors now use their own custom-made file encryption program. The FBI has observed ransom demands ranging from approximately $1 million to $11 million in Bitcoin. However, the initial ransom note does not state the ransom amount or give payment instructions. Instead, it directs the victim to contact the threat actors directly via a .onion (Tor) URL, where the demand is established.

The advisory was released in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) to disseminate known Royal ransomware indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) associated with variants identified through FBI investigations as recently as January 2023. It also notes that the FBI has observed incidents in which Royal actors disable antivirus software and exfiltrate large amounts of data after gaining access to victims’ networks, and only then deploy the ransomware and encrypt systems; the encryption event is therefore usually the last observable stage of the intrusion, not the first. In the alert, the FBI asks that any information related to Royal ransomware be shared with it, including “boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Royal actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.”
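As an added example (not code from the advisory, the FBI, CISA or this article), the following Python shows two checks that follow from the points above: summing per-host egress to external addresses in boundary logs to spot bulk exfiltration before the encryption stage, and extracting .onion contact URLs from a suspected ransom note. The log format, the internal address ranges, the 1 GiB threshold, and the sample note with its placeholder .onion address are all constructed assumptions; the real Royal note and IOCs are not reproduced on this page.

```python
# Added example (not from the FBI/CISA advisory or the article): two checks a
# defender can run against the kinds of data the advisory asks for. The log
# format, the egress threshold, the internal address ranges and every value
# below are constructed assumptions, not Royal-specific indicators.
import ipaddress
import re
from collections import defaultdict

# Assumed boundary-log format: timestamp,src_ip,dst_ip,dst_port,bytes_out
# (constructed lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for foreign IP addresses)
SAMPLE_LOG = """\
2023-01-14T02:11:03Z,10.0.5.21,203.0.113.45,443,734003200
2023-01-14T02:13:40Z,10.0.5.21,203.0.113.45,443,812000000
2023-01-14T02:15:09Z,10.0.7.8,10.0.0.2,445,120000
2023-01-14T02:16:30Z,10.0.9.14,198.51.100.7,443,51200
2023-01-14T02:18:12Z,10.0.5.21,198.51.100.90,22,409600000
"""

# Constructed ransom note; the .onion address is a placeholder, not a real one.
SAMPLE_NOTE = (
    "Your files have been encrypted.\n"
    "To get them back, contact us at http://" + "examplenotreal" * 4
    + ".onion/contact and follow the instructions there.\n"
)

# Address space treated as internal. Membership is checked explicitly rather
# than via ipaddress.is_private, which also classifies the documentation
# ranges used in SAMPLE_LOG as non-global.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Assumed alerting threshold: 1 GiB sent by one host to external addresses
# within the log window. Tune this to the environment's normal egress.
EXFIL_THRESHOLD_BYTES = 1024 ** 3

# Tor v3 onion services are 56 base32 chars; v2 were 16. Scheme and path optional.
ONION_RE = re.compile(
    r"\b(?:https?://)?(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion(?:/\S*)?",
    re.IGNORECASE,
)


def is_external(ip: str) -> bool:
    """True if the address is outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def egress_by_host(log_text: str) -> dict:
    """Sum bytes each internal source sent to external destinations."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, _dport, nbytes = line.split(",")
        if is_external(dst):
            totals[src] += int(nbytes)
    return dict(totals)


def flag_exfil(log_text: str, threshold: int = EXFIL_THRESHOLD_BYTES) -> list:
    """Hosts whose external egress meets the threshold, as (host, bytes) pairs."""
    return sorted(
        (host, total) for host, total in egress_by_host(log_text).items()
        if total >= threshold
    )


def find_onion_urls(text: str) -> list:
    """Distinct .onion contact URLs found in a suspected ransom note."""
    return sorted({m.group(0) for m in ONION_RE.finditer(text)})


if __name__ == "__main__":
    for host, total in flag_exfil(SAMPLE_LOG):
        print(f"possible exfiltration: {host} sent {total / 1024**3:.2f} GiB externally")
    for url in find_onion_urls(SAMPLE_NOTE):
        print(f"ransom-note contact URL: {url}")
```

Run as a script it reports the one host whose combined transfers to the two external addresses exceed the threshold and the contact URL in the note. In practice the threshold should come from a baseline of normal egress per host, and the .onion pattern is generic to Tor hidden services rather than specific to Royal; both checks are a starting point for the boundary-log and ransom-note evidence the advisory asks defenders to retain.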
