
At The Identity Organisation, we're here to help!


Coping With “Double-Extortion” Royal Ransomware

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI last week issued a joint advisory on Royal ransomware. Royal is noteworthy for its ability to disable various anti-virus tools in the course of exfiltrating data in its double-extortion attacks.

Royal’s operators have also been marked by their willingness to target “numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, healthcare and public healthcare (HPH), and education.” The gang has been known to demand ransom payments of between $1 million and $10 million. The advisory includes a comprehensive overview of Royal’s tactics, techniques, and procedures; of its indicators of compromise; and of mitigations that organizations can deploy to help them weather an attack with Royal ransomware.

Royal captures the majority of its victims through phishing. “According to third-party reporting,” CISA and the FBI say, “Royal actors most commonly (in 66.7% of incidents) gain initial access to victim networks via successful phishing emails.” The malicious payload is most often carried inside PDF files that arrive as attachments to those phishing emails. The ransomware has also been observed to arrive via malvertising.

Once the threat actors have obtained access to a victim’s network, they establish persistence and move laterally across that network to reach the data they find valuable. “Royal actors exfiltrate data from victim networks by repurposing legitimate cyber pentesting tools, such as Cobalt Strike, and malware tools and derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration. According to third-party reporting, Royal actors’ first hop in exfiltration and other operations is usually a U.S. IP address.”

Once they’ve exfiltrated what they want, they begin encrypting the victim’s files, and once the files are encrypted, the gang delivers its ransom demand. “FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, or CISA at https://www.cisa.gov/report.”

The advisory contains many valuable suggestions for policies, practices, and technical defenses that can help armor any organization against ransomware, and they’re well worth your time to review. It’s also worth pointing out that an administrator or a user whose mind is prepared will prove an invaluable shield, and new-school security awareness training can help prepare those minds.

CISA and the FBI have the story.


Find out which of your users’ emails are exposed before bad actors do.

Many of the email addresses and identities of your organization are exposed on the internet and easy to find for cybercriminals. With that email attack surface, they can launch social engineering, spear phishing and ransomware attacks on your organization. KnowBe4’s Email Exposure Check Pro (EEC) identifies the at-risk users in your organization by crawling business social media information and now thousands of breach databases.

Here’s how it works:

• The first stage does deep web searches to find any publicly available organizational data
• The second stage finds any users that have had their account information exposed in any of several thousand breaches
• You will get a summary report PDF as well as a link to the full detailed report
• Results in minutes!

PS: Don’t like to click on redirected buttons? Cut & paste this link into your browser: https://info.knowbe4.com/email-exposure-check-pro-partner?partnerid=001a000001lWEoJAAW
