The Royal ransomware group emerged in early 2022 and has gained momentum since the middle of that year. Its ransomware, which the group deploys through a variety of TTPs, has impacted organizations across the globe. Based on similarities researchers have observed between Royal ransomware and other ransomware operators, the group is suspected of consisting of former members of other ransomware groups.
The group, which mainly targets English-speaking countries, has been active since April 14 and relies primarily on email campaigns to distribute its malware. While those email campaigns have remained relatively consistent over time, the methods the group uses to gain access to victims' systems have varied.
Royal Ransomware TTPs
The Royal ransomware group deploys its malware through email phishing campaigns that try to convince recipients to open and execute malicious Microsoft Office documents attached to the emails. The campaigns proceed in three stages:
Stage 1 - Reconnaissance: The attackers send emails asking recipients to review an attached document that the recipients never requested. Because the sender, the subject line and the attachment text all look plausible, many users open the attachment. The email may look like this (the source includes a screenshot of the email, which is not reproduced here):
According to the researchers tracking Royal, the sender is a legitimate vendor, a US-based company whose name the researchers redacted. The subject line has nothing to do with the attachment and instead refers to a business analysis for new product distribution.
The attachment appears legitimate but is malicious. The Microsoft Word document it contains uses a program called "downloads.exe" to run an initial executable payload. That executable then downloads and runs a secondary executable, which conceals its location on the system and drops Royal's malware file into the current working directory of the infected host.
Stage 2 - Main C&C: On execution, the initial payload downloads a malicious library containing a second executable that runs Royal ransomware's main process. This second executable first creates a "postinstall" script, which runs an additional process command that in turn executes a dropper on the system. The dropper writes the malware executable to disk, and the initial executable from Stage 1 then launches it.
Stage 3 - Message Delivery: The attackers do not rely solely on a modified Microsoft Word document to deliver their malware; they also hide malicious code in documents attached to emails sent through third-party platforms. In one such case, a malicious PDF file was attached to an email campaign (the source includes a screenshot, which is not reproduced here):
To hide malicious code within these PDF files, the attackers used an obfuscated version of "TinyFtp", a tool that has been detected on multiple occasions since 2016 and is regarded as a remote exploitation tool in other ransomware campaigns.
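The three stages above describe one process chain: a mail attachment opened in Word (or a PDF reader) launches an executable named "downloads.exe", that executable launches a second one, and the second one writes and runs the payload. The script below is an added example, not code from the AlienVault analysis or from this page, that turns that chain into a detection rule over Sysmon Event ID 1-style process-creation records. The field set (pid, ppid, image, command line), the list of attachment-viewer applications, the user-writable path markers and the sample events are all assumptions or constructed data, not observed Royal telemetry.

```python
# Added example (not from the AlienVault analysis or this page): detect the
# attachment -> downloads.exe -> second executable -> dropped payload chain
# in Sysmon-style process-creation records. All sample data is constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Applications that open mail attachments (assumption: common viewers; extend
# as needed). An .exe descendant of one of these is the core signal.
ATTACHMENT_VIEWERS = {"winword.exe", "excel.exe", "acrord32.exe", "acrobat.exe"}

# Image name the page attributes to Royal's initial stage. Name-based rules are
# brittle (a rename defeats them), so this only adds confidence to the
# behavioural rules below.
KNOWN_DROPPER_NAMES = {"downloads.exe"}

# User-writable locations a dropped payload typically runs from (assumption).
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable (Sysmon "Image")
    cmdline: str    # Sysmon "CommandLine"


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(tree: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Parent, grandparent, ... up to the root or a pid we have no event for.
    Loop-safe so a corrupted pid/ppid pair cannot hang the detector."""
    chain, seen = [], {pid}
    cur = tree.get(pid)
    while cur and cur.ppid in tree and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = tree[cur.ppid]
        chain.append(cur)
    return chain


def detect(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule, detail) findings for every process in the chain."""
    tree = {e.pid: e for e in events}
    findings: List[Tuple[int, str, str]] = []
    for e in events:
        name = image_name(e.image)
        if name in KNOWN_DROPPER_NAMES:
            findings.append((e.pid, "known_dropper_name", name))
        if not name.endswith(".exe"):
            continue
        chain = ancestors(tree, e.pid)
        # Distance (in hops) to the nearest attachment-viewer ancestor, if any.
        viewer_hops = [i + 1 for i, a in enumerate(chain)
                       if image_name(a.image) in ATTACHMENT_VIEWERS]
        if not viewer_hops:
            continue
        hops = viewer_hops[0]
        viewer = image_name(chain[hops - 1].image)
        # Direct child of the viewer is the macro/exploit launch (Stage 1);
        # deeper descendants are the downloaded stages (Stage 2).
        rule = "viewer_spawned_exe" if hops == 1 else "viewer_descendant_exe"
        findings.append((e.pid, rule, f"{viewer} -> {hops} hop(s) -> {name}"))
        if any(m in e.image.lower() for m in USER_WRITABLE_MARKERS):
            findings.append((e.pid, "exe_from_user_writable_dir", e.image))
    return findings


# Constructed sample telemetry: Outlook opens Word, Word launches the dropper,
# the dropper fetches a second stage that writes and runs the payload. The
# Notepad process is a benign control that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "OUTLOOK.EXE"),
    ProcEvent(300, 200, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\alice\AppData\Local\Temp\Business_Analysis.docm"'),
    ProcEvent(400, 300, r"C:\Users\alice\AppData\Local\Temp\downloads.exe", "downloads.exe"),
    ProcEvent(500, 400, r"C:\Users\alice\AppData\Local\Temp\stage2.exe", "stage2.exe"),
    ProcEvent(600, 500, r"C:\Users\alice\AppData\Local\Temp\payload.exe", "payload.exe"),
    ProcEvent(700, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_EVENTS):
        print(f"pid={pid:<4} {rule:<28} {detail}")
```

Run stand-alone, the script reports seven findings: three for the dropper (known name, direct child of WINWORD.EXE, running from Temp) and two each for the second stage and the payload, while explorer, Outlook, Word and Notepad stay silent. The behavioural rules carry the detection; the "downloads.exe" name only corroborates it, which is why a renamed dropper would still be caught by the viewer-descendant and user-writable-directory rules.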
Source: Royal Rumble: Analysis of Royal Ransomware (AlienVault Open Threat Exchange)