Cybersecurity platform provider Cybereason Inc. today released a new report on the activities of the Royal ransomware group a week after the group was reported to be targeting the healthcare industry in the U.S.

After emerging in early 2022, Royal gained momentum through the middle of the year, deploying various tactics, techniques and procedures to attack multiple global organizations. The group’s members are suspected of being former members of other ransomware groups based on similarities between Royal and other ransomware operators.

The group uses a unique approach to evade anti-ransomware defense, expanding on the concept of partial encryption. Royal ransomware attacks have involved encrypting a pre-determined portion of file content with flexible percentage encryption, making detection more challenging for anti-ransomware solutions.

Royal ransomware employs multiple threads to accelerate the encryption process and notably, operates by itself. Unlike other ransomware operators, Royal does not offer ransomware-as-a-service or target a specific sector or country.

Cybereason researchers assess the threat level from Royal to be high, given the rapid increase in attacks coming from this group over the past 60 to 90 days. Emphasizing the risk, Royal was reported to be the most prolific form of ransomware in November, surpassing the better-known and infamous LockBit ransomware gang.

Royal stands out in using different methods of deployment. One approach is through phishing campaigns with the use of threat loaders such as BTLOADER and Qbot that then download a Cobalt Strike payload for further malicious operations.

Since September, Royal has gained momentum and has added dozens of victims to its website. Although most victims are in the U.S., victims can be found globally, including the Silverstone racing circuit in the U.K.

Royal may have a connection to the Conti ransomware group, although that’s not confirmed. There are similarities between the two, however, including ransom notes and the use of callback phishing attacks.

The researchers recommended that Cybereason users enable anti-ransomware protection, enable application control to block the execution of malicious files, enable variant payload prevention and hunt proactively for any machines that could be potentially infected with Royal ransomware.

Photo: TheRichic/Wikimedia Commons