A brand new ransomware operator has been discovered active in the wild, and even though it’s a new entrant, it’s already demanding major ransom payments.
A new report from BleepingComputer together with cybersecurity intelligence firm AdvIntel has analyzed the group’s activities, its encryptor, and its methodology.
Apparently, the group is made up of experienced ransomware actors that came from other operations. They joined forces in January this year, and don’t work as a RaaS, but rather as a private group with affiliates. At first, the group used other criminals’ encryptors, namely BlackCat, but soon pivoted to proprietary solutions. The first such encryptor is called Zeon.
Starts with a phish
Earlier this month, the group rebranded from Zeon to Royal, using that name both in the ransom note, and as the file extension for encrypted documents.
The MO is nothing out of the ordinary: the attackers would first send a phishing email and urging the victims to call them back. On the call, the attackers would convince the victims to install remote access software and grant the attackers access to the endpoint (opens in new tab). After that, the attackers would spread out across the network, map out and exfiltrate sensitive data, and encrypt all devices found on the network.
The victims would then find a ransom note, README.TXT, in which they’d get a Tor link where they can engage in negotiations with the attackers. Allegedly, Royal asks anywhere between $250,000 and $2 million for the decryption key. During the negotiations, the attackers would decrypt a few files to show their program works, and show the list of files they’d release to the internet if the demands aren’t met.
So far there are no reports of any victims actually paying for the decryption key, so it is impossible to know just how successful the group is. Royal’s leak site is yet to be found.
Via: BleepingComputer (opens in new tab)