{"id":21429,"date":"2023-03-07T16:10:17","date_gmt":"2023-03-08T00:10:17","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/03\/07\/news-15160\/"},"modified":"2023-03-07T16:10:17","modified_gmt":"2023-03-08T00:10:17","slug":"news-15160","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/03\/07\/news-15160\/","title":{"rendered":"Warning issued over Royal ransomware"},"content":{"rendered":"<p>As part&nbsp;of its&nbsp;<a href=\"https:\/\/www.cisa.gov\/stopransomware\" target=\"_blank\">StopRansomware<\/a> effort, the Cybersecurity and Infrastructure Security Agency (CISA) has published a Cybersecurity Advisory (CSA) about Royal ransomware.<\/p>\n<p>Royal ransomware is a Ransomware-as-a-Service (RaaS) that first made an appearance in January 2022. In September of that year, it began calling itself Royal ransomware, and then&nbsp;in November&nbsp;it really made a name for itself by boldly taking the lead in&nbsp;our&nbsp;<a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/01\/ransomware-in-november-2022\">monthly statistics<\/a>.<\/p>\n<p>After November, it handed back top place to <a href=\"https:\/\/try.malwarebytes.com\/2023-state-of-malware\/?utm_source=blog&amp;utm_medium=social&amp;utm_campaign=b2b_ws_global_som_167578574700\">Lockbit<\/a>, but has remained one of the top five most prevalent ransomware strains.&nbsp;<\/p>\n<p>According to the <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-061a\" target=\"_blank\">CSA<\/a>, the group behind Royal:<\/p>\n<ul>\n<li>Have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin.<\/li>\n<li>Are known to disable anti-virus software on the affected systems.<\/li>\n<li>Have targeted numerous critical infrastructure sectors including manufacturing, communications, healthcare, and education.<\/li>\n<li>Steal data from infiltrated networks which they threaten to publicize on their leak site to 
increase the leverage on the victim.<\/li>\n<\/ul>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/03\/easset_upload_file74738_260825_e.jpg\" alt=\"screenshot Royal leak site\" width=\"700\" height=\"1467\" style=\"display: block; margin-left: auto; margin-right: auto;\" \/><em>Royal ransomware leak site<\/em><\/p>\n<p>The <a href=\"https:\/\/www.malwarebytes.com\/blog\/business\/2022\/11\/initial-access-brokers-iabs-3-ways-they-break-into-corporate-networks-and-how-to-detect-them\">Initial Access Brokers<\/a> that cater to Royal are reported to gain initial access and source traffic by harvesting virtual private network (VPN) credentials from stealer logs. Other methods that are used to gain initial access to victim networks are:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.malwarebytes.com\/phishing\">Phishing<\/a>, by using emails containing malicious PDF documents, and malvertising<\/li>\n<li><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2022\/03\/protect-rdp-access-ransomware-attacks\">Remote Desktop Protocol (RDP)<\/a>, by using compromised or brute-forced login credentials<\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/versions\/v12\/techniques\/T1190\/\">Exploiting public-facing applications<\/a>. This could be through websites or other applications with internet-accessible open sockets by exploiting known vulnerabilities or common security misconfigurations.<\/li>\n<\/ul>\n<p>For those interested, the CSA contains a wealth of Indicators of Compromise (IOCs) and techniques used by Royal to gain persistence and for lateral movement.<\/p>\n<h2>How to avoid ransomware<\/h2>\n<ul>\n<li><strong>Block common forms of entry<\/strong>. 
Create a plan for <a href=\"https:\/\/www.malwarebytes.com\/business\/vulnerability-patch-management\">patching vulnerabilities<\/a> in internet-facing systems quickly; disable or <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2022\/03\/blunting-rdp-brute-force-attacks-with-rate-limiting\">harden remote access<\/a> like RDP and VPNs; use <a href=\"https:\/\/www.malwarebytes.com\/business\/edr\">endpoint security software<\/a> that can detect exploits and malware used to deliver ransomware.<\/li>\n<li><strong>Detect intrusions<\/strong>. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use <a href=\"https:\/\/www.malwarebytes.com\/business\/edr\">EDR<\/a> or <a href=\"https:\/\/www.malwarebytes.com\/business\/managed-detection-and-response\">MDR<\/a> to detect unusual activity before an attack occurs.<\/li>\n<li><strong>Stop malicious encryption<\/strong>. Deploy Endpoint Detection and Response software like <a href=\"https:\/\/www.malwarebytes.com\/business\/edr\">Malwarebytes EDR<\/a> that uses multiple different detection techniques to identify ransomware.<\/li>\n<li><strong>Create offsite, offline backups<\/strong>. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.<\/li>\n<li><strong>Write an incident response plan<\/strong>. The period after a ransomware attack can be chaotic. Make a plan that outlines how you&#8217;ll isolate an outbreak, communicate with stakeholders, and restore your systems.<\/li>\n<\/ul>\n<hr \/>\n<p dir=\"ltr\">Have a question or want to learn more about our cyberprotection? 
Get a free business trial below.<\/p>\n<p style=\"text-align: center;\"><span class=\"blue-cta-bttn\" style=\"background-color: #0d3ecc; line-height: 50px; padding: 0 20px;\"><a style=\"color: #fff;\" href=\"https:\/\/www.malwarebytes.com\/business\/contact-us\/\">GET STARTED<\/a><\/span><\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/03\/warning-issued-over-royal-ransomware\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding=\"10\">\n<tr>\n<td valign=\"top\" align=\"left\">\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/news\" rel=\"category tag\">News<\/a><\/p>\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/ransomware\" rel=\"category tag\">Ransomware<\/a><\/p>\n<p>Tags: CISA<\/p>\n<p>Tags:  Royal<\/p>\n<p>Tags:  ransomware<\/p>\n<p>Tags:  phishing<\/p>\n<p>Tags:  RDP<\/p>\n<p>Tags:  public facing applications<\/p>\n<p>In a Cybersecurity Advisory, CISA and the FBI have shared information about Royal ransomware, which despite being rather new has made a real name for itself.<\/p>\n<table width=\"100%\">\n<tr>\n<td align=\"right\">\n<p><b>(<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/03\/warning-issued-over-royal-ransomware\" title=\"Warning issued over Royal ransomware\">Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/03\/warning-issued-over-royal-ransomware\">Warning issued over Royal ransomware<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[23583,32,3924,28821,3765,18324,28820],"class_list":["post-21429","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cisa","tag-news","tag-phishing","tag-public-facing-applications","tag-ransomware","tag-rdp","tag-royal"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21429","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21429"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21429\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21429"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21429"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21429"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}