Royal ransomware targeted small to medium-sized businesses in the fourth quarter of 2022: 51.9% of its victims were small business, while 26.8% were medium-sized. Only 11.3% of its victims for this period were large enterprises.

Among its victims, the IT, finance, materials, healthcare, and food and staples industries were its top targets. Threat actors behind Royal focused on targets in North America during the last quarter of 2022, which accounted for three-quarters of its victims in that time period. Royal also targeted enterprises in Europe, Latin America, Asia Pacific, Africa, and the Middle East.

Technical Analysis

In our analysis, we found that Royal ransomware accepts the following command-line arguments:

Table 1. Royal ransomware arguments and description

The “-id” parameter, like Royal ransomware’s Win32 variant, requires 32-byte characters in order to proceed, and will be used as the Victim’s ID.

The “-path” argument from earlier Royal ransomware Win32 variants was removed in the Linux variant, but the file path argument is still required in order to execute the ransomware. It designates the first argument to be used as the file path to be encrypted. 

Inside the “stop_vm” function, Royal ransomware implements the following command to terminate VM processes using ESXCLI.

esxcli vm process kill –type=hard –world-id={ }

Royal ransomware then creates a specified number of threads depending on the number of processors of the infected machine. It determines the number of processors by using the sysconf(84) function, multiplying it by 8 to determine the number of threads to be created.  By doing so, it significantly increases the speed of the “thread_func” function where it contains the encryption routine of the ransomware.

For the “search_files” function, Royal ransomware uses the “opendir” function to open a specified directory. It then drops the ransom note “readme” to the directory and then calls the “readdir” function in a loop to read all entries inside the directory. It then checks the type of the entry if it’s a directory (d_type == 4) or a file (d_type == 8). If it’s a directory, it recursively calls the “search_files” function on the entry. 

If the entry is a regular file, it checks the filename and avoids encrypting the following files with the following names/extensions:

• .royal_u
• .royal_w
• .sf
• .v00
• .b00
• royal_log_
• readme

One of the excluded extensions, “.royal_w”, is the latest appended extension of the Royal ransomware. We assume that the “royal_w” and “royal_u” are used by threat actors to differentiate encrypted files by their Windows variant (royal_w) and Linux variants (royal_u), where u possibly stands for Unix.

As in Royal ransomware’s Win32 variant, it also uses OpenSSL’s Advanced Encryption Standard (AES) for its encryption.

Royal ransomware threat actors also implement intermittent encryption. Using the -ep parameter, it accepts integers from 0 to 100; if the integer exceeds 100 or is below or equal to 0, it sets the value to 50 and will be used as a parameter for intermittent encryption. 

Royal ransomware then generates the AES key and IV using the following function, then encrypts it using RSA encryption. The encrypted AES and IV key will also be appended to each of the encrypted files.

If the RSA encryption is successful, it then rounds up the file to multiples of 16, which is required in AES encryption.  

For the rounded-up files, Royal ransomware then checks if the size is less than or equal to 5,245,000 bytes or if the value set on -ep is 100. If one of the conditions is met, it will encrypt the whole file. For files greater than 5,245,000 bytes, the encryption will take place per certain calculated blocks where it will encrypt the first N bytes, then skip the next N bytes, and repeats the process.

The calculation of N bytes is as follows: 

*where X is the value set to -ep

If the calculated N is greater than 1,024,000, it will encrypt 1,024,000 block instead.

The intermittent encryption technique on the Linux variant shares great similarity to the encryption done by Royal ransomware’s Win32 variant, which aims to make the encryption faster. 

Lastly, Royal ransomware appends the “royal_u” file extension for the encrypted files and drops its ransom note into the directory.

Conclusion

This new variant of the Royal ransomware expands their attacks to target ESXi servers, causing great damage to their victims. As the threat actors behind Royal are believed to be seasoned cybercriminals from Conti, they are equipped with an arsenal of knowledge of the ransomware scene which can prove to be a great risk to enterprises as we expect to see more activity from the ransomware group in the future. Royal ransomware can be expected to develop new variants for wider impact.

To protect systems from ransomware attacks, we recommend that both individual users and organizations implement best practices such as applying data protection, backup, and recovery measures to secure data from possible encryption or erasure. Conducting regular vulnerability assessments and patching systems in a timely manner can also minimize the damage dealt by ransomware that abuses exploits.

We advise users and organizations to update their systems with the latest patches and apply multi-layered defense mechanisms. End users and enterprises alike can mitigate the risk of infection from new threats like Royal ransomware by following these security best practices: 

• Enable multifactor authentication (MFA) to prevent attackers from performing lateral movement inside a network.
• Adhere to the 3-2-1 rule when backing up important files. This involves creating three backup copies on two different file formats, with one of the copies stored in a separate location. 
• Patch and update systems regularly. It’s important to keep operating systems and applications up to date and maintain patch management protocols that can deter malicious actors from exploiting any software vulnerabilities.

Indicators of Compromise