Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks

From September to December, we detected multiple attacks from the Royal ransomware group. In this blog entry, we discuss findings from our investigation of this ransomware and the tools that Royal ransomware actors used to carry out their attacks.

Royal ransomware may have been first observed by researchers around September 2022, but it has seasoned cybercriminals behind it: The threat actors running this ransomware — who used to be a part of Conti Team One, according to a mind map shared by Vitali Kremez — initially dubbed it Zeon ransomware, until they rebranded it to Royal ransomware. From September to December this year, we have detected multiple attacks from Royal ransomware, with the US and Brazil being the most targeted countries (Figure 1). This blog entry discusses in depth the findings from our investigation of samples of this new piece of ransomware, as well as the tools that Royal ransomware actors used to carry out their attacks.

Figure 1. Percentage of Royal ransomware attacks by country

Figure 1. Percentage of Royal ransomware attacks by country

Infection Routine

External reports mention that the Royal ransomware group uses callback phishing as a means of delivering their ransomware to victims (Figure 2). These phishing attacks contain a number that leads to a service hired by the threat actors. When contacted, they will use social engineering tactics to lure victims into installing remote access software.

Figure 2. Royal ransomware’s attack flow

Figure 2. Royal ransomware’s attack flow

Installation

Our investigation found that the ransomware actors used a compiled remote desktop malware, which was used to drop the tools they needed to infiltrate the victim’s system: they used QakBot and Cobalt Strike for lateral movement, while NetScan was used to look for any remote systems connected to the network. Once they infiltrated the system, the ransomware actors used tools such as PCHunter, PowerTool, GMER, and Process Hacker to disable any security-related services running in the system. They then exfiltrate the victim’s data via the RClone tool. We also observed an instance in which they used AdFind to look for active directories, then executed RDPEnable on the infected machine.

Payload

Once everything has been set up, the ransomware actors used PsEXEC to execute the malware. The PsEXEC commands contain the ID of the victim, along with any argument that the actors applied to the ransomware. There were also instances of the malware actors using PsEXEC to enable the remote desktop protocol (RDP) of a target system before executing the ransomware.

Analysis

In part of our analysis, we used a ransomware sample with the detection name Ransom.Win64.YORAL.SMYXCJCT. As shown in Table 1, Figure 3, and Figure 4, Royal ransomware requires an argument of “-id {32-byte characters}” to execute on a victim’s machine. It also accepts “-path” to specify a target file for encryption and “-ep {value}” to calculate the partial file encryption of large files.

In some earlier samples of the ransomware, the binary wouldn’t parse all the arguments due to a bug in the code. For example, “-path” won’t be processed if provided after the “-id” argument; if provided before, there will be no “-id” argument, so it will not proceed.

Argument Description
path {target path} If provided, will only encrypt the contents of the target path
id {32-byte characters} Will be used as the victim’s ID, which will be appended on the TOR link found in the dropped ransom note. The process exists if not provided or if provided characters is not 32 bytes long
ep This argument is for the full or partial encryption of file routine

Table 1. Arguments accepted by the Royal ransomware binary

Figure 3. Arguments accepted by the ransomware binary

Figure 3. Arguments accepted by the ransomware binary

Figure 4. Checking if length of provided “-id” is 32 bytes

Figure 4. Checking if length of provided “-id” is 32 bytes

It enumerates files and directories for encryption using FindFirstFileW, FindNextFileW, and FindClose APIs (Figure 5).

Figure 5. File enumeration

Figure 5. File enumeration

The ransomware looks for available network shares for network encryption by listing accessible local IPs, then uses NetShareEnum and attempts to connect on ADMIN$ and IPC$ shares (Figure 6).

Figure 6. Looking for accessible local IPs then trying to connect to ADMIN$ and IPC$

Figure 6. Looking for accessible local IPs then trying to connect to ADMIN$ and IPC$

It checks for the number of processors in the infected system and uses it as a base for the concurrent running threads for file encryption, as shown in Figure 7. By doing so, Royal ransomware significantly increases the speed of its file encryption process. 

Figure 7. Checking the number of processors

Figure 7. Checking the number of processors

Royal ransomware inhibits system recovery by deleting shadow copies (Figure 8) through the following command:

C:WindowsSystem32vssadmin.exe delete shadows /all /quiet

Figure 8. Using vssadmin.exe to delete shadow copies

Figure 8. Using vssadmin.exe to delete shadow copies

The ransomware encrypts files using OpenSSL’s Advanced Encryption Standard (AES). It will encrypt the AES key and IV with RSA encryption using the embedded RSA public key (Figure 9). The RSA-encrypted AES key and IV will be appended on each encrypted file (Figure 10).

Figure 9. An RSA public key

Figure 9. An RSA public key

Figure 10. Generation of AES Key and IV

Figure 10. Generation of AES Key and IV

The malicious actors behind Royal ransomware use a form of intermittent encryption tactic to speed their encryption process: the ransomware first checks if the file size is divisible by 16, which is a requirement for AES (Figure 11). If not, it rounds up the total size until it is divisible by 16. For example, if the size is 18, it will append zero bytes to the file until it has a size of 32, which is now divisible by 16. Aside from appending the needed zero bytes, it also appends an extra 0x210 Zero bytes as a placeholder for the appended RSA encrypted key.

Figure 11. Royal ransomware checking if file size is divisible by 16

Figure 11. Royal ransomware checking if file size is divisible by 16

For a file size that has been rounded-up, Royal ransomware will check if the size is less than or equal to 5,245,000 bytes or if the value is set to 100 (0x64), as shown in Figure 12. If the file size is within these limits, it will encrypt the entire file. For files greater than 5,245,000 bytes, file encryption will take place per certain calculated blocks: for example, it will encrypt first N bytes, then skip the next N bytes, then encrypt the next N bytes, and so on.

Figure 12. Encryption process and calculation

Figure 12. Encryption process and calculation

Its calculation of N bytes is as follows:

X / 10* (Original file size) & 0xFFFFFFF0

  • where X is the value set before encryption
  • X is either 0x32 (50) or 0x64 (100)
  • This value will also be used as indicator if full encryption or partial encryption will be performed on the file

For example, with a file with a file size equal to 5,245,000:

N = 50/10 * (5245000 / 100) & 0xFFFFFFF0 = 0x40060 (262240)

If the calculated N is greater than 1,024,000, it will simply encrypt per 1,024,000 block instead (Figure 13).

Figure 13. Condition if N is greater than 1,024,000

Figure 13. Condition if N is greater than 1,024,000

The encrypted file’s structure would then be as follows (Table 2):

Description Size
Encrypted File Contents Rounded-up file size divisible by 16
RSA Encrypted Key 0x200 bytes
Size of encrypted file / offset address of RSA Encrypted Key 8 bytes
X value, 0x64 or provided value (usually 0x32), indicator if full or partial encryption 8 bytes

Table 2. An encrypted file’s structure

The ransomware then renames the encrypted files by appending them with the “.royal” extension, as demonstrated in Figures 14 and 15.


Figure 14. Royal ransomware appending “.royal” to encrypted files

Figure 14. Royal ransomware appending “.royal” to encrypted files

Figure 15. Encrypted files appended with the “.royal” extension

Figure 15. Encrypted files appended with the “.royal” extension

For each directory it traverses, Royal ransomware drops a text file named “README.TXT” that contains the ransom note (Figure 16), as well as an advertisement for its “pentesting services” that the ransomware actors will allegedly provide once the ransom has been paid (Figure 17).

Figure 16. Creation of the “README.TXT” file

Figure 16. Creation of the “README.TXT” file

Figure 17. Contents of "README.TXT" with the sample ID we used appended on the TOR link.

Figure 17. Contents of “README.TXT” with the sample ID we used appended on the TOR link.

Security Recommendations

Our investigation into Royal ransomware attacks shows how the group employs a mixture of both old and new techniques, which indicates that it is no newcomer to the ransomware scene. Their use of callback phishing to lure victims into installing remote desktop malware allows them to infiltrate the victim’s machine with relative ease. Their intermittent encryption tactics also hasten their encryption of a victim’s files, with the added benefit of evading detection measures that focus on looking for heavy file IO operations. Despite their “late” entry to the scene in September, the group already has ransomed multiple companies, and we expect them to be more active in the upcoming months. More details on Royal ransomware’s other capabilities can be found in Trend Micro’s Threat Encyclopedia.

We highly advise users and organizations to update their systems with the latest patches and apply multi-layered defense mechanisms. The emergence and success of the Royal ransomware gang underscore how ransomware actors are finding more innovative ways to repurposing existing tools and tactics as a means of augmenting their attacks. End users and enterprises alike can mitigate the risk of infection from new threats like Royal ransomware by following these security best practices: 

  • Enable multifactor authentication (MFA) to prevent attackers from performing lateral movement inside a network.
  • Adhere to the 3-2-1 rule when backing up important files. This involves creating three backup copies on two different file formats, with one of the copies stored in a separate location. 
  • Patch and update systems regularly. It’s important to keep operating systems and applications up to date and maintain patch management protocols that can deter malicious actors from exploiting any software vulnerabilities.

Companies can also benefit from the use of multilayered detection and response solutions such as Trend Micro Vision One™, which provides powerful XDR capabilities that collect and automatically correlate data across multiple security layers — email, endpoints, servers, cloud workloads, and networks — to prevent attacks via automated protection, while also ensuring that no significant incidents go unnoticed. Trend Micro Apex One™ also provides next-level automated threat detection and response to protect endpoints against advanced issues, like human-operated ransomware. 

Indicators of Compromise (IOCs)

SHA-256 Detection Description
c0063d24f3de4e7b89abf9b690a3d264efc6ab7a626f73ad9f42d6bffe52bce7 Trojan.Win64.COBALT.BE CobaltStrike
fef79160f0ce9aa9dec15c914f2c2b40b2ae1ec2b0e65e414545dbc994afd73d Trojan.Win64.COBALT.BE CobaltStrike
3434271f2038afaddad4caad8000e390b3573b2b53e02841653a4ee0dfd73674 Trojan.Win64.COBALT.BE CobaltStrike
0ac0b3758359855e96367b6c83b0aabdc6cfb59b4caa1cec48632defd21cdf3c Trojan.Win64.COBALT.BE CobaltStrike
451cef0085dc5b474cc5c68af079d0367d7d2ec73ae2210788beb5297e1fbd6d Trojan.Win64.COBALT.BE CobaltStrike
e710e902507ad63e1d2ce1220212b1a751b70504259457234103bb22845a9424 Trojan.Win32.QAKBOT.DRSV QakBot
2718dcbb503b6334078daf4af61e17a547fb80c9b811c26cfc9d32f5ce63a826 Trojan.Win32.QAKBOT.DRTE QakBot
abf937fb2f162d1dbbe76c7386c9892db5191e17de586f0a5c49819cd68b5e0f Trojan.Win32.DEYMA.AM Compiled Remote Desktop Malware
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4 PUA.Win64.ProcHack.AC Process Hacker
572d88c419c6ae75aeb784ceab327d040cb589903d6285bbffa77338111af14b HackTool.Win32.NetScan.AG NetScan
094d1476331d6f693f1d546b53f1c1a42863e6cde014e2ed655f3cbe63e5ecde HackTool.Win32.ToolPow.SM PowerTool
e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173 PUA.Win32.GMER.YABBI GMER
d1aa0ceb01cca76a88f9ee0c5817d24e7a15ad40768430373ae3009a619e2691 PUA.Win64.PCHunter.B PCHunter
bb48f5c915ab7bbbbbf092a20169aaf3ced46b492ed69550854a55254ce10572 Backdoor.Win32.SWRORT.YXCJ5Z Malware Component
e263b9d5467bf724000966da2acfe06520a464c566e4b3d9833213f850f3f1f2 HackTool.Win32.Adfind.THLOFBB AdFind
ac49c114ef137cc198786ad8daefa9cfcc01f0c0a827b0e2b927a7edd0fca8b0 HackTool.BAT.RDPEnable.A RDPEnable
2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f Ransom.Win64.YORAL.SMYXCJCT Royal Ransomware Binary
cdd7814074872fc35d18740cdd4e8a5fefcfd6b457fde2920383fd5b11903fc5 Ransom_Royal.R06CC0DK222 Royal Ransomware Binary
a61b71ee73ea8c0f332591e361adeda04705c65b5f4d549066677ec4e71212f7 Ransom.Win32.YORAL.YXCKB Royal Ransomware Binary
56e8bd8b0c5bfb87956f7915bc47a9ecf5d338b804cee1dccacf53400d602be3 Ransom.Win32.YORAL.YECJYT Royal Ransomware Binary

Source: https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html