New Warning About Royal Ransomware

Avatar photo
Bill Bowman

Airiam’s AirRescue™ incident response (IR) team recently helped several companies that fell victim to the Royal ransomware. We are seeing an up-tick in organizations falling victim to Royal and urge IT and business leaders to learn about the ransomware below, put steps in place to reduce the risk, and stay vigilant.

Video Discussion on Royal Ransomware

Airiam Senior IT Specialists Andrew Betts, Dan Baker, and Corey Burnett discuss their first-hand experience with the ransomware and give advice on how to stay safe in this video.

What is Royal Ransomware?

Royal refers to both the ransomware gang and the malware that encrypts systems. The group is an evolution of the Conti ransomware gang. Conti was a leading ransomware gang that reportedly broke up in 2022. Andrew says that Royal has devised new ways to make it difficult to recover organizations impacted.

According to the incident response experts, the ransomware often wipes backup data and formats the devices. Dan has observed that Royal will search for anything labeled “backup” or “archive” and then delete. This makes paying the ransomware gang pointless, as terabytes of data are already lost.

The group can even encrypt only specific parts of infrastructure and data, which are the most important. This technique maximizes the impact of the ransomware while limiting the gang’s time in the system. Dan says these targets are the top targets within an overall environment:

  1. Microsoft Active Directory (AD)
  2. Microsoft SQL Servers
  3. Backup files and servers

Corey continues saying that the Royal gang’s reconnaissance is on-point. They can discover what is most critical to a company and attack.

Ways to Reduce the Risk

An IT environment that is property configured and with the right cybersecurity software in place is cyber resilient. The AirRescue members give the following tips for reducing the risk of ransomware infection:

  • Implement and test a disaster recovery plan. This must be done before a cyber incident happens. Then if an incident does occur, it won’t be your first time responding and going through the steps.
  • Go beyond traditional antivirus. Invest in endpoint detection and response (EDR) and managed detection and response (MDR) software to stay protected from the newest threats.
  • Make sure you regularly patch your systems. Recent VMware vulnerabilities are a top method Royal gets in. Most of the systems the AirRescue team encounter on recovery engagements are running outdated operating systems.
  • Educate end-users about how to spot email phishing and do not click suspicious links. Corey says that 66% of ransomware attacks begin with phishing. Andrew says this issue is particularly prevalent in manufacturing companies.

The group agreed that Airiam has the tools to both stop ransomware attacks from happening and be resilient if an attack does succeed. AirCISO™ is Airiam’s extended detection and response (XDR) solution that can monitor and correlate system logs. AirGapd™ is Airiam’s solution for immutable cloud backups and disaster recovery. In a recent attack Dan responded to, Royal was not able to infect AirGapd and the company was restored.

To learn more about how to become cyber resilient and protected against Royal, send us a message.

New Resources In Your Inbox

Get our latest cybersecurity resources, content, tips and trends.

Other resources that might be of interest to you.

How to Set Advanced Document Properties in Word

Microsoft Word allows a user to store several types of advanced properties related to your document. Some of these properties are displayed on the “Info” screen and you can change these properties. Microsoft Office 2013 was used in this demonstration.
Jess Watters
Jessica Watters
>>Read More

Alert: Issue with the new Apple iOS 11 and Office 365 email

If you have upgraded your iPhone/iPad to the new iOS 11, then you may be experiencing problems receiving email on your device! Microsoft announced this weekend that there is an issue with synchronizing email between Office 365 and Apple devices running
Jess Watters
Jessica Watters
>>Read More

Mastering the Five-Minute Cybersecurity Presentation

Delivering a concise and impactful five-minute cybersecurity presentation can be challenging, especially when addressing a large group of potential clients or partners. However, with a clear structure, focused content, and engaging delivery, you can ca
Vivian Lee
>>Read More