A relatively new ransomware threat actor, Royal, is making big moves and turning heads. It was first detected in early 2022 and has been active ever since.
What sets Royal apart from most ransomware operations is that this threat actor does not rent its tools and infrastructure to affiliates, but instead works privately. Additionally, Royal looks for high-risk hits, demanding ransoms that range from a quarter of a million to around two million dollars with its Royal ransomware.
To lure victims, the Royal group uses callback phishing attacks, posing as food delivery and software providers and urging the potential victim to renew so-called subscriptions.
The phishing emails contain phone numbers that victims are supposed to call to unsubscribe and avoid charges. When the victim calls the number, threat actors posing as service operators try to convince them to install remote access software, which the attackers need for initial access to the network.
Upon gaining access to the corporate network, the threat actors manually perform the stages of the malicious operation. First, they deploy the Cobalt Strike tool to collect credentials, move laterally through the Windows domain, steal data and, finally, encrypt the victim's devices. It is therefore advisable to take security measures, especially for companies that handle large amounts of information and money.