Royal Ransomware Puts Novel Spin on Encryption Tactics

An emerging cybercriminal group linked with Conti has expanded its partial encryption strategy and demonstrates other evasive maneuvers, as it takes aim at healthcare and other sectors.

Serbian Royal Crown Insignia
Source: Serbia Pictures, Adam Radosavljevic via Alamy Stock Photo

The Royal ransomware gang has quickly risen to the top of the ransomware food chain, demonstrating sophisticated tactics — including partial and rapid encryption — that researchers believe may reflect the years of experience its members honed as leaders of the now-defunct Conti Group.

Royal ransomware operates around the world, and reportedly on its own; it does not appear that the group uses affiliates through ransomware-as-a-service (RaaS) or to target a specific sector or country. The group is known to make ransom demands of up to $2 million and claims to have published 100% of the data it extracts from its victims.

A deeper dive into how the Royal ransomware group works shows a surefooted and innovative group with varied ways to deploy ransomware and evade detection so it can do significant damage before victims have a chance to respond, researchers from the Cybereason Security Research & Global SOC Team revealed in a blog post published Dec. 14.

One key aspect of Royal's tactics is the concept of partial encryption, where it locks up only a predetermined portion of file content rather than all of it. While partial encryption is not a new tactic, it is key to Royal's strategy, with the group taking it to a new level not seen much before in ransomware activity, the researchers said.

Recently, for instance, Royal has expanded the idea by basing the tactic on flexible-percentage encryption that can be tailored to the target, thus making detection more challenging, the Cybereason researchers said.

The group also employs multiple threads to accelerate the encryption process, giving victims less time to stop it once it starts, and the encryption also initially starts and deploys in different ways, which also makes detection challenging, according to Cybereason.

Taking the Crown as a Rapidly Evolving Threat

The US Department of Health and Human Services sounded an alarm last week about Royal ransomware specifically targeting the healthcare sector; however, the group has been active since early this year and appears agnostic when it comes to its victims, the researchers noted.

"The group does not seem to focus on a specific sector, and its victims vary from industrial companies to insurance companies, and more," the Cybereason researchers wrote.

While Royal began its activity by deploying other types of ransomware, by September the rapidly evolving cybercriminal group had developed its own. And by November, Royal ransomware was reported to be the most prolific ransomware in the e-crime landscape, dethroning the dominant Lockbit for the first time in more than a year, the researchers said.

And even though Royal sets its sites on a diverse range of victims, its targeting of the healthcare sector demonstrates that the group is likely as ruthless as Conti was before it, noted one security expert.

"While some larger ransomware gangs have demonstrated scruples at either avoiding targeting healthcare institutions or providing decryption keys at no cost, it's clear that is not the case when it comes to Royal ransomware," says Shawn Surber, senior director of technical account management at Tanium, a converged endpoint management provider.

Targeting the healthcare industry could literally mean life or death for some of those affected by a ransomware attack, given that it can prevent clinicians from having access to key patient data, he says. This sector also tends to have a dearth of cybersecurity funds to defend itself against ransomware and other cyber threats, making it especially vulnerable, Surber says.

"This is especially concerning considering virtually any outage or disruption in operations will cause a financial — and often physical — impact in a patient care setting," he says.

A New Twist on Partial Encryption

While most ransomware bases partial encryption only on the file size, then encrypts a set percentage of the file the same way each time, Royal ransomware lets the operator choose a specific percentage and lower the amount of encrypted data even if the file size is large, the researchers said.

When a targeted file is being encrypted, the ransomware calculates the percentage to encrypt and divides the file content — encrypted and unencrypted — into equal segments, researchers explained in the post. The fragmentation — and thus the low percentage of encrypted file content that results — lowers the chance of being detected by anti-ransomware solutions.

"This ability to change the amount of the file to be encrypted gives Royal ransomware an advantage when it comes to evading detection by security products," the researchers noted.

The file size that Royal chooses for its partial encryption threshold — 5.24MB — also is the same as what Conti Group used in the past, encrypting 50% of a file in a divided manner if it was over this size, "much like Royal ransomware," the researchers wrote.

Though it's widely believed that Conti's former operators are behind Royal, this similarity is not strong enough evidence to confirm that link definitively, the researchers added.

Another technique unique to Royal is how it multithreads encryption, choosing the number of running threads by using the API call GetNativeSystemInfo to collect the number of processors in a machine, the researchers divulged. It will then multiply the result by two and create the appropriate number of threads accordingly. This allows for rapid encryption, another show of sophistication by the group, the researchers said.

Shielding the Enterprise From a Royal Threat

To avoid rolling out the red carpet for Royal and other ransomware, researchers recommend that enterprises deploy a multilayer approach to malware protection that leverages threat intelligence, machine learning, anti-ransomware, next-generation antivirus, and variant payload-prevention capabilities.

For healthcare organizations with limited cybersecurity resources that may not have such tools in their arsenal, one security expert advised the adoption of low-code security automation to help detect and respond to threats in real time by allowing complete visibility into IT environments.

"Endpoint security tools that integrate low-code security automation give healthcare organizations a cohesive protection strategy that protects patients and employees from data theft and extortion," Daniel Selig, security automation architect at security automation provider Swimlane, tells Dark Reading.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights