New Linux Ransomware BlackSuit is Similar to Royal Ransomware

Cyber Security Threat Summary:
“Royal ransomware is one of the most notable ransomware families of 2022; it made the headlines in early May 2023 with the attack against the IT systems in Dallas, Texas. The human-operated Royal ransomware first appeared on the threat landscape in September 2022; it has demanded ransoms of up to millions of dollars” (Security Affairs, 2023).

Royal ransomware is written in C++ and is used to infect Windows systems. It uses AES encryption to encrypt local drives and the network shares it finds on the local network. Royal is typically among the top five most active ransomware groups that we track. In May, the FBI and CISA released a joint Cybersecurity Advisory (CSA) detailing the group's tactics, techniques, and procedures (TTPs) and associated indicators of compromise.

Royal ransomware has notoriously gone after various critical infrastructure sectors, including organizations in manufacturing, communications, healthcare, and education. Multiple cybersecurity experts have spotted a new ransomware family called BlackSuit that shares various links to the Royal ransomware.

Security Officer Comments:
Trend Micro released details on a Windows 32-bit sample. The BlackSuit ransomware appends the .blacksuit extension to encrypted files, drops a ransom note into each directory containing encrypted files, and includes in that note a reference to a Tor chat site with a unique ID for each victim.
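As an added, defender-side illustration (not code from the page, Trend Micro, or the analysis it summarizes), the script below walks a file tree and flags directories that show the artifact pattern just described: files renamed with the .blacksuit extension together with a ransom note, from which it extracts any Tor .onion host. The ransom note file name, the directory layout, and the onion host are constructed placeholders; the page does not give those values.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".blacksuit"               # extension named in the analysis
RANSOM_NOTE_NAME = "README.BlackSuit.txt"  # ASSUMED placeholder; the page does not name the note file
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")  # Tor hidden-service host names (v2/v3)


@dataclass
class Finding:
    directory: str
    encrypted_files: int
    note_present: bool
    onion_hosts: list = field(default_factory=list)


def scan_tree(root):
    """Walk root and report every directory holding .blacksuit files or a ransom note.
    If a note is present, it is read for Tor .onion hosts (the victim chat link)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        encrypted = sum(1 for f in files if f.lower().endswith(ENCRYPTED_EXT))
        note_present = RANSOM_NOTE_NAME in files
        if not (encrypted or note_present):
            continue
        onions = []
        if note_present:
            with open(os.path.join(dirpath, RANSOM_NOTE_NAME), errors="replace") as fh:
                onions = sorted(set(ONION_RE.findall(fh.read())))
        findings.append(Finding(dirpath, encrypted, note_present, onions))
    return findings


def build_constructed_sample(base):
    """Lay out a CONSTRUCTED tree mimicking an ESXi datastore hit by the pattern."""
    hit = os.path.join(base, "vmfs", "volumes", "datastore1", "vm1")
    clean = os.path.join(base, "vmfs", "volumes", "iso")
    os.makedirs(hit)
    os.makedirs(clean)
    for name in ("vm1-flat.vmdk.blacksuit", "vm1.vmx.blacksuit"):
        open(os.path.join(hit, name), "w").close()
    # Constructed note text; the onion host is a made-up placeholder, not a real indicator.
    with open(os.path.join(hit, RANSOM_NOTE_NAME), "w") as fh:
        fh.write("Your files are encrypted. Contact: http://" + "a" * 56 + ".onion/?id=EXAMPLE-ID\n")
    open(os.path.join(clean, "tools.iso"), "w").close()


def demo():
    """Build the constructed sample in a temp dir, scan it, and return relative-path findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return [Finding(os.path.relpath(f.directory, tmp), f.encrypted_files,
                        f.note_present, f.onion_hosts) for f in scan_tree(tmp)]
```

Running `scan_tree("/vmfs/volumes")` on a live host is a cheap triage check; the clean `iso` directory in the sample shows that unaffected directories produce no finding.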

Trend Micro researchers compared an x64 VMware ESXi version of BlackSuit targeting Linux machines with the Royal ransomware and discovered an extremely high degree of similarity between the two families. “After comparing both samples of the Royal and BlackSuit ransomware, it became apparent to us that they have an extremely high degree of similarity to each other,” reads the analysis published by Trend Micro. “In fact, they’re nearly identical, with 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps based on BinDiff, a comparison tool for binary files. The comparison revealed 93.2% similarity in functions, 99.3% in basic blocks, and 98.4% in jumps based on BinDiff” (Trend Micro, 2023).

According to the researchers, BlackSuit uses different argument strings than Royal. The similarities between the two likely indicate one of the following: BlackSuit is a new variant developed by the same authors, it is a copycat using similar code, or an affiliate of Royal has implemented modifications to the original family.

“One possibility for BlackSuit’s creation is that, since the threat actors behind Royal (and Conti before it) are one of the most active ransomware groups in operation today, this may have led to increased attention from other cybercriminals, who were then inspired to develop a similar ransomware in BlackSuit. Another option is that BlackSuit emerged from a splinter group within the original Royal ransomware gang.” (Trend Micro, 2023).

Suggested Correction(s):
Back up your data, system images, and configurations, regularly test the backups, and keep them offline: Ensure that backups are tested regularly and are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical: if your network data is encrypted by ransomware, your organization can still restore its systems from them.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There has been a recent shift in ransomware attacks, from stealing data to disrupting operations. It is critically important that your corporate business functions and manufacturing/production operations are separated, and that you carefully filter and limit internet access to operational networks. Identify the links between these networks and develop workarounds or manual controls so that ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the most exploited attack vector for organizations. Users should be trained to spot and avoid phishing emails. Multi-factor authentication (MFA) can help prevent malicious access to sensitive services.

Link(s):
https://www.trendmicro.com/en_us/re...cksuit-ransomwares-similarities-to-royal.html
https://securityaffairs.com/147002/cyber-crime/blacksuit-similar-royal-ransomware.html
PDF: https://www.cisa.gov/sites/default/files/2023-03/aa23-061a-stopransomware-royal-ransomware_0.pdf