Ransomware is still top of mind for many of our customers, and with good reason. Ransomware attacks resurged early this year after appearing to decrease somewhat at the end of last year. New gangs joined the ransomware ranks and existing players upped their game.

According to an analysis of attacks from April 2022 to March 2023, ransomware attacks largely targeted manufacturing (19.5%); professional, scientific and technical services (15.3%); and educational services (6.1%). U.S. organizations accounted for 43% of victims, followed by the U.K. (5.7%) and Germany (4.4%). The groups favor companies with annual revenues of approximately $50 million to $60 million and often target third-party vendors in order to extort their clients with the stolen data. Companies were most susceptible if they had poor email configurations, recent credential leaks, internet-exposed remote access ports, out-of-date systems, or IP addresses showing botnet activity. As always, we believe strong security infrastructure and cyber defense practices can go a long way in thwarting ransomware attacks.

Protecting against Royal attacks

This month, we take a close look at Royal ransomware, which has compromised U.S. and international organizations since September 2022. After gaining access to victims’ networks, Royal threat actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying ransomware and encrypting systems. Royal actors have made ransom demands ranging from approximately $1 million to $11 million in Bitcoin.

Royal ransomware code is particularly difficult to detect, but we have found that the following practices can help protect organizations from Royal attacks:

  • Close gaps in logging coverage for key systems and perimeter devices, so that initial access, lateral movement and bulk data exfiltration leave a record.
  • Protect service accounts: limit privileges, avoid automatic role grants, monitor usage and avoid sharing across multiple applications.
  • Protect Remote Desktop Protocol (RDP) sessions with Windows Defender Remote Credential Guard, so that credentials are not sent to the remote host where they could be harvested.
  • Apply a Group Policy Object (GPO) that sets a time limit for disconnected RDP sessions ("Set time limit for disconnected sessions"), so orphaned sessions are terminated rather than left available for reuse.
  • Implement a host checker; reject non-compliant hosts from accessing the corporate network.
  • Review and restrict the use of popular living-off-the-land (LotL) binaries and techniques that Royal uses to compromise hosts and exfiltrate data.
  • Follow best practices for securing Domain Admin Groups in Active Directory and avoid using Domain Admin accounts for interactive logins.
  • Apply and strictly follow the Domain Least Privilege administrative model.
  • Harden the VPN authentication process and enable MFA on all accounts, including VPN authentication.
  • Disable all local admin accounts; use Microsoft’s best practices for securing any needed service accounts.
  • Do not use shared accounts in the VPN environment.
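Most of the items above are Windows administration steps, and several of them can be checked, and some of them enforced, from PowerShell on a domain-joined host. The script below is an added example, not tooling from the original post or from the Royal write-up it references. It audits the disconnected-session limit, the host-side Remote Credential Guard switch, the built-in local Administrator account, service accounts (accounts carrying an SPN) that sit in Domain Admins, and recent interactive or RDP logons by Domain Admins members found in the Security log; with -Remediate it applies the local registry equivalents of the two RDP settings and disables the built-in Administrator. It assumes the RSAT ActiveDirectory module is installed and that the 15-minute disconnect limit and 7-day lookback are illustrative site choices, not values from the post.

```powershell
#Requires -RunAsAdministrator
<#
  Audit-RoyalHardening.ps1  (added example; not tooling from the original post)
  Checks a subset of the hardening items above on a domain-joined Windows host.
  Assumptions: RSAT ActiveDirectory module is present; the 15-minute disconnect
  limit and the 7-day event lookback are illustrative site choices.
#>
param(
    [switch]$Remediate,
    [int]$DisconnectLimitMinutes = 15,   # assumption: site policy
    [int]$LookbackDays = 7               # assumption: site policy
)

$findings = [System.Collections.Generic.List[string]]::new()

# Compare a DWORD registry value to the expected hardened value; fix it on -Remediate.
function Assert-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Expected, [string]$Label)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($actual -eq $Expected) { return }
    $findings.Add("$($Label): $Name is '$actual', expected $Expected")
    if ($Remediate) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        Set-ItemProperty -Path $Path -Name $Name -Value $Expected -Type DWord
    }
}

# 1. Disconnected RDP sessions: local registry equivalent of the GPO
#    "Set time limit for disconnected sessions" (value is in milliseconds).
Assert-RegistryDword -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -Name 'MaxDisconnectionTime' -Expected ($DisconnectLimitMinutes * 60000) `
    -Label 'RDP disconnected-session limit'

# 2. Remote Credential Guard: the RDP *host* must allow it (DisableRestrictedAdmin = 0).
#    Clients then connect with "mstsc.exe /remoteGuard" or via the
#    "Restrict delegation of credentials to remote servers" policy.
Assert-RegistryDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'DisableRestrictedAdmin' -Expected 0 -Label 'Remote Credential Guard (host)'

# 3. The built-in local Administrator (RID 500) should be disabled.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtinAdmin -and $builtinAdmin.Enabled) {
    $findings.Add("Local admin: built-in account '$($builtinAdmin.Name)' is enabled")
    if ($Remediate) { Disable-LocalUser -Name $builtinAdmin.Name }
}

# 4. Domain Admins hygiene: no service accounts (accounts with an SPN) in the group,
#    and no interactive (LogonType 2) or RDP (LogonType 10) logons by its members.
Import-Module ActiveDirectory -ErrorAction Stop
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { Get-ADUser $_ -Properties ServicePrincipalName }
foreach ($da in $domainAdmins) {
    if ($da.ServicePrincipalName.Count -gt 0) {
        $findings.Add("Domain Admins: '$($da.SamAccountName)' carries SPNs; service accounts must not be DA")
    }
}
$daNames = @($domainAdmins.SamAccountName)
$since   = (Get-Date).AddDays(-$LookbackDays)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull LogonType and TargetUserName out of the event's XML payload.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $type = ($data | Where-Object Name -eq 'LogonType').'#text'
        $user = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        if (($type -in @('2', '10')) -and ($user -in $daNames)) {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $user; LogonType = $type }
        }
    } |
    Group-Object User |
    ForEach-Object {
        $findings.Add("DA interactive logon: '$($_.Name)' logged on interactively $($_.Count) time(s) since $since")
    }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "[FINDING] $_" } }
```

Run it without switches first to see what it would change; run with -Remediate only once the disconnect limit matches your site policy, and prefer pushing the two registry settings through the GPO itself so they are enforced centrally rather than per host. The interactive-logon check only sees what is in the local Security log, which is exactly why the logging-coverage item comes first in the list: if 4624 events are not being retained or forwarded, the check is blind.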

For a deeper analysis of Royal ransomware, see Royal ransomware — how it works and what to look for