New Warning About Royal Ransomware

Avatar photo
Bill Bowman

Airiam’s AirRescue™ incident response (IR) team recently helped several companies that fell victim to the Royal ransomware. We are seeing an up-tick in organizations falling victim to Royal and urge IT and business leaders to learn about the ransomware below, put steps in place to reduce the risk, and stay vigilant.

Video Discussion on Royal Ransomware

Airiam Senior IT Specialists Andrew Betts, Dan Baker, and Corey Burnett discuss their first-hand experience with the ransomware and give advice on how to stay safe in this video.

What is Royal Ransomware?

Royal refers to both the ransomware gang and the malware that encrypts systems. The group is an evolution of the Conti ransomware gang. Conti was a leading ransomware gang that reportedly broke up in 2022. Andrew says that Royal has devised new ways to make it difficult to recover organizations impacted.

According to the incident response experts, the ransomware often wipes backup data and formats the devices. Dan has observed that Royal will search for anything labeled “backup” or “archive” and then delete. This makes paying the ransomware gang pointless, as terabytes of data are already lost.

The group can even encrypt only specific parts of infrastructure and data, which are the most important. This technique maximizes the impact of the ransomware while limiting the gang’s time in the system. Dan says these targets are the top targets within an overall environment:

  1. Microsoft Active Directory (AD)
  2. Microsoft SQL Servers
  3. Backup files and servers

Corey continues saying that the Royal gang’s reconnaissance is on-point. They can discover what is most critical to a company and attack.

Ways to Reduce the Risk

An IT environment that is property configured and with the right cybersecurity software in place is cyber resilient. The AirRescue members give the following tips for reducing the risk of ransomware infection:

  • Implement and test a disaster recovery plan. This must be done before a cyber incident happens. Then if an incident does occur, it won’t be your first time responding and going through the steps.
  • Go beyond traditional antivirus. Invest in endpoint detection and response (EDR) and managed detection and response (MDR) software to stay protected from the newest threats.
  • Make sure you regularly patch your systems. Recent VMware vulnerabilities are a top method Royal gets in. Most of the systems the AirRescue team encounter on recovery engagements are running outdated operating systems.
  • Educate end-users about how to spot email phishing and do not click suspicious links. Corey says that 66% of ransomware attacks begin with phishing. Andrew says this issue is particularly prevalent in manufacturing companies.

The group agreed that Airiam has the tools to both stop ransomware attacks from happening and be resilient if an attack does succeed. AirCISO™ is Airiam’s extended detection and response (XDR) solution that can monitor and correlate system logs. AirGapd™ is Airiam’s solution for immutable cloud backups and disaster recovery. In a recent attack Dan responded to, Royal was not able to infect AirGapd and the company was restored.

To learn more about how to become cyber resilient and protected against Royal, send us a message.

New Resources In Your Inbox

Get our latest cybersecurity resources, content, tips and trends.

Other resources that might be of interest to you.

Why Should We Use Virtual San

Why Should I Use VMware Virtual San? I see a lot of questions asking, “Why should we use VMware VSAN?” First, let me give an overly simplistic explanation of what a Virtual SAN does. Virtual SAN uses hard drives or SSDs in group of servers to create a
Avatar photo
Anthony Lewis
>>Read More

Podcast: Staying Resilient During the Tech Industry Turmoil

Episode Summary Tech layoffs and banking failures have made the headlines recently. In this episode we cover how people in Silicon Valley and beyond can stay resilient in the face of stress. The episode first explores the human perspective of resilienc
Avatar photo
Bill Bowman
>>Read More

Podcast: The Basics of Cyber Resilience

 Episode Summary Cyber resilience is an evolution in mindset for the world of information security. It has been happening for years. Relying on firewalls, anti-virus, and other preventive manners at the expense of planning for what if can mean that a
Avatar photo
Bill Bowman
>>Read More