Airiam’s AirRescue™ incident response (IR) team recently helped several companies that fell victim to the Royal ransomware. We are seeing an up-tick in organizations falling victim to Royal and urge IT and business leaders to learn about the ransomware below, put steps in place to reduce the risk, and stay vigilant.
Video Discussion on Royal Ransomware
Airiam Senior IT Specialists Andrew Betts, Dan Baker, and Corey Burnett discuss their first-hand experience with the ransomware and give advice on how to stay safe in this video.
What is Royal Ransomware?
Royal refers to both the ransomware gang and the malware that encrypts systems. The group is an evolution of the Conti ransomware gang. Conti was a leading ransomware gang that reportedly broke up in 2022. Andrew says that Royal has devised new ways to make it difficult to recover organizations impacted.
According to the incident response experts, the ransomware often wipes backup data and formats the devices. Dan has observed that Royal will search for anything labeled “backup” or “archive” and then delete. This makes paying the ransomware gang pointless, as terabytes of data are already lost.
The group can even encrypt only specific parts of infrastructure and data, which are the most important. This technique maximizes the impact of the ransomware while limiting the gang’s time in the system. Dan says these targets are the top targets within an overall environment:
- Microsoft Active Directory (AD)
- Microsoft SQL Servers
- Backup files and servers
Corey continues saying that the Royal gang’s reconnaissance is on-point. They can discover what is most critical to a company and attack.
Ways to Reduce the Risk
An IT environment that is property configured and with the right cybersecurity software in place is cyber resilient. The AirRescue members give the following tips for reducing the risk of ransomware infection:
- Implement and test a disaster recovery plan. This must be done before a cyber incident happens. Then if an incident does occur, it won’t be your first time responding and going through the steps.
- Go beyond traditional antivirus. Invest in endpoint detection and response (EDR) and managed detection and response (MDR) software to stay protected from the newest threats.
- Make sure you regularly patch your systems. Recent VMware vulnerabilities are a top method Royal gets in. Most of the systems the AirRescue team encounter on recovery engagements are running outdated operating systems.
- Educate end-users about how to spot email phishing and do not click suspicious links. Corey says that 66% of ransomware attacks begin with phishing. Andrew says this issue is particularly prevalent in manufacturing companies.
The group agreed that Airiam has the tools to both stop ransomware attacks from happening and be resilient if an attack does succeed. AirCISO™ is Airiam’s extended detection and response (XDR) solution that can monitor and correlate system logs. AirGapd™ is Airiam’s solution for immutable cloud backups and disaster recovery. In a recent attack Dan responded to, Royal was not able to infect AirGapd and the company was restored.
To learn more about how to become cyber resilient and protected against Royal, send us a message.
