The Royal ransomware gang, which emerged in early 2022, has developed a distinctive approach to evading anti-ransomware defenses. It has recently gained momentum, adding dozens of victims to its leak site.
In November, the Royal gang made headlines after it added the well-known British motor racing venue Silverstone Circuit to its victim list. The company said at the time that it was investigating the gang's claims.
According to Dark Feed, a deep web monitoring feed, Royal has listed 49 victims on its data leak site.
"The group itself is suspected of consisting of former members of other ransomware groups, based on similarities researchers have observed between Royal ransomware and other ransomware operators," cybersecurity company Cybereason said in its newest blog post about the Royal ransomware gang.
According to Cybereason's researchers, what sets Royal apart is the way its encryptor avoids anti-ransomware defenses.
"Royal ransomware expands the concept of partial encryption, which means it has the ability to encrypt a pre-determined portion of the file content and base its partial encryption on a flexible percentage encryption, which makes detection more challenging for anti-ransomware solutions."
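To make the detection problem concrete, here is an added example (not Cybereason's analysis code and not anything from the Royal encryptor) that models percentage-based partial encryption and runs two entropy heuristics over the result. The model is an assumption about the general technique, not Royal's actual file layout: each fixed-size chunk has only the first N percent of its bytes replaced with ciphertext-like data, and that data is a SHA-256 counter keystream standing in for real ciphertext, so no encryption is performed. The sample "document" is constructed inline.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input,
    approaching 8.0 for uniformly random bytes (and thus for good ciphertext)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def keystream(seed: bytes, length: int) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 in counter mode). Used here only as a
    stand-in for ciphertext, which is statistically indistinguishable from random data.
    This is not an encryption routine."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def simulate_partial_encryption(data: bytes, percent: int, chunk: int = 16384) -> bytes:
    """Assumed model of percentage-based partial encryption (not Royal's real layout):
    split the file into `chunk`-byte pieces and overwrite only the first `percent`
    percent of each piece with ciphertext-like bytes; the rest stays plaintext."""
    if not 0 <= percent <= 100:
        raise ValueError("percent must be between 0 and 100")
    out = bytearray(data)
    for off in range(0, len(data), chunk):
        piece_len = min(chunk, len(data) - off)
        enc_len = piece_len * percent // 100
        out[off:off + enc_len] = keystream(off.to_bytes(8, "big"), enc_len)
    return bytes(out)


def scan(data: bytes, window: int = 1024, threshold: float = 7.0) -> dict:
    """Two detection views over the same bytes: whole_entropy is what a naive
    file-level heuristic sees; the windowed pass finds high-entropy regions that
    the file-level average dilutes."""
    window_entropies = [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]
    hot = [i for i, h in enumerate(window_entropies) if h >= threshold]
    whole = shannon_entropy(data)
    return {
        "whole_entropy": whole,
        "max_window_entropy": max(window_entropies, default=0.0),
        "hot_windows": len(hot),
        "flag_whole": whole >= threshold,
        "flag_windowed": bool(hot),
    }


# Constructed sample: 64 KiB of low-entropy text standing in for a business document.
SAMPLE = (b"Quarterly report: revenue, costs, and headcount by region.\n" * 2000)[:65536]

if __name__ == "__main__":
    for pct in (0, 10, 25, 100):
        r = scan(simulate_partial_encryption(SAMPLE, pct))
        print(f"{pct:3d}% encrypted: whole={r['whole_entropy']:.2f} "
              f"max_window={r['max_window_entropy']:.2f} "
              f"whole_flag={r['flag_whole']} windowed_flag={r['flag_windowed']}")
```

At 10% the whole-file entropy stays around 5 bits per byte, well under a typical "looks encrypted" threshold, while a 1 KiB sliding window still lands entirely inside an encrypted region and reads close to 8 bits per byte. The window size matters: if it is larger than the encrypted run in each chunk, the windowed view is diluted the same way the whole-file view is.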
When it was first observed in early 2022, the Royal gang used third-party ransomware, namely BlackCat and Zeon. Since September 2022, it has been deploying its own encryptor.
According to Dark Feed, in November Royal overtook LockBit as the most prolific ransomware group, the first time in more than a year that LockBit had been displaced from the top spot.
The gang uses several delivery methods, phishing among them. Operators spread the ransomware using common e-crime loaders, reportedly Batloader and Qbot, which then retrieve a Cobalt Strike payload to continue operations inside the compromised environment.
The gang does not focus on a specific sector; its victims span industries from manufacturing to insurance, and the majority are US-based.
"Multiple reports have noted resemblances between the Royal Ransomware group and Conti, including similarities between the ransom notes each group uses (particularly in Royal's early stages) and the use of callback phishing attacks. In our research, we have identified additional similarities, such as resemblances in the encryption process decision factors. However, these similarities are not yet clear enough to confirm a direct connection between the two groups," Cybereason said.