This new Royal ransomware is already asking for millions

A new ransomware operator active in the wild has been discovered, and although it is a new entrant, it is already demanding large ransom payments.

A new report from BleepingComputer in conjunction with cybersecurity intelligence firm AdvIntel has analyzed the group's activities, encryption and methodology.

The group is apparently made up of experienced ransomware actors from other operations. They joined forces in January this year and do not operate as a RaaS, but as a private group with subsidiaries. At first, the group used ciphers from other criminals, namely BlackCat, but soon turned to proprietary solutions. The first such encryptor is called Zeon.

It starts with a phishing

Earlier this month, the group switched from Zeon to Royal, using that name both in the ransom note and as a file extension for encrypted documents.

The modus operandi is nothing out of the ordinary: the attackers first send a phishing email urging the victim to call them back. During the call, they convince the victim to install remote access software and grant them access to the terminal. From there, the attackers spread across the network, map and exfiltrate sensitive data, and encrypt every device they find on the network.

Victims would then find a ransom note, README.TXT, in which they would obtain a Tor link where they could enter into negotiations with the attackers. Apparently, Royal is asking between €250,000 and €2 million for the decryption key. During the negotiations, the attackers decrypted some files to prove that their program worked and showed the list of files that they would publish on the Internet if the requests were not fulfilled.
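As an added example (not from the article or the cited report), the following script sweeps a directory tree for the two on-disk indicators the article names, files ending in the `royal` extension and a `README.TXT` ransom note, and reports affected directories; the sample tree it builds is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: encrypted files carry the "royal"
# extension and affected directories receive a README.TXT ransom note.
ENCRYPTED_EXT = ".royal"
RANSOM_NOTE = "README.TXT"


def scan_for_royal_artifacts(root):
    """Walk `root` and return {directory: {"encrypted_files": n, "ransom_note": bool}}.

    Only directories holding at least one encrypted file or a ransom note
    are reported, so a clean tree yields an empty dict.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = sum(1 for f in filenames if f.lower().endswith(ENCRYPTED_EXT))
        has_note = any(f.upper() == RANSOM_NOTE for f in filenames)
        if encrypted or has_note:
            hits[dirpath] = {"encrypted_files": encrypted, "ransom_note": has_note}
    return hits


def build_sample_tree():
    """Create a throwaway tree mimicking a partially encrypted share.

    Constructed sample data only; the files contain filler bytes, not
    real ransomware output.
    """
    root = Path(tempfile.mkdtemp(prefix="royal_demo_"))
    (root / "finance").mkdir()
    (root / "finance" / "q3.xlsx.royal").write_bytes(b"\x00" * 16)
    (root / "finance" / "budget.docx.royal").write_bytes(b"\x00" * 16)
    (root / "finance" / RANSOM_NOTE).write_text("ransom note placeholder")
    (root / "hr").mkdir()
    (root / "hr" / "handbook.pdf").write_bytes(b"%PDF-1.4")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for directory, info in scan_for_royal_artifacts(sample_root).items():
        print(directory, info)
```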

So far, no victim is known to have paid for the decryption key, so it is impossible to gauge how successful the group is. Royal's data leak site has yet to be found.

Via: BleepingComputer