The FBI and CISA have issued a public warning about the Royal Ransomware group after a severe string of extortions.
Since September 2022, over 350 people have been targeted by the group — money stolen through extortion has surpassed $275 million. The amount extorted from individuals ranges from $1 million to $11 million.
The hacker group obtains sensitive data, mostly through phishing scams, and then runs a double-extortion scam. This scam sees the hacker publish the victim’s data to hacking forums if they won’t pay for the extortion. After the information has been posted, other hacking groups are free to use it however they see fit.
Some hacking groups are known to refuse to give the information back after paying exorbitant amounts, so victims are typically encouraged not to pay the hacker.
“FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used “Zeon” as a loader,” says the FBI’s report. “After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems.”
Instead of the group’s first note being payment instructions or a specific request, the note gives them directions to a .onion URL that can be reached using the Tor browser. After the victim is on their website, they deliver their requests.
The end result is that victims are helpless as their data is encrypted after falling victim to the phishing scam.
Agencies affected are “including, but not limited to, Manufacturing, Communications, Healthcare and Public Healthcare (HPH), and Education.”
Royal Ransomware isn’t the only hacking group to employ these tactics. As the FBI notes, other groups like Blacksuit Ransomware share many characteristics with Royal.
Phishing scams are the most popular vector for hackers — it’s important to be careful when opening links from unknown sources, downloading email attachments, or visiting strange websites.