Royal ransomware has been involved in high-profile attacks against critical infrastructure, especially healthcare, since it rose to prominence at the end of 2022. It is straightforward yet highly efficient code that carries no robust protection against reverse engineering, such as packing or encryption of the binary. As a result, it can evade detection by most contemporary scanners that rely on signatures keyed to unusual characteristics in the structure of executable files.

Brief description of the malicious file:

| Property  | Value |
|-----------|-------|
| File name | Royal_encryptor.exe |
| MD5       | 53F43DCE150C6400C432F375397FEA3C |
| SHA1      | 969BB38DBC76A9C5E24F2B9540060579B133AD83 |
| SHA256    | 7CF8CF961D0815E52CA26A4F532DB6033448C3D1EF1C8E5FEC214D80ABDC0547 |
| Compiled  | Sat Nov 12 12:11:21 2022 |
| Size      | 2235392 bytes |
| CPU       | 32-bit |
| Type      | Executable (EXE) |

The ransomware executes successfully on the affected system only when it is launched with a specific set of parameters.

Royal ransomware command line parameters:

| Parameter    | Mandatory | Description |
|--------------|-----------|-------------|
| -id          | YES | 32-character ID used to identify the target. The ID is appended to the onion address contained in the ransom note file [README.txt] to form the complete onion link for further communication with the threat actor (TA). |
| -path        | NO  | Specifies an exact file path or share to encrypt. |
| -ep          | NO  | Encryption percentage; if not set, the value defaults to 50. |
| -localonly   | NO  | Encrypt the local machine only. |
| -networkonly | NO  | Encrypt only the reachable network resources found in the following IP address ranges: 192.x.x.x, 10.x.x.x, 100.x.x.x, 172.x.x.x. |

An example of the malware command line identified in the incident logs:

Royal_encryptor.exe -ep 5 -path \\TARGET_IP\D$ -id STRING

The first step in the operation of the ransomware is to delete volume shadow copies by running the command "vssadmin.exe delete shadows /all /quiet" in a separate process (Figure 1).

Figure 1. Shadow copy deletion
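The shadow-copy deletion and the parameter set described above are both visible in process-creation telemetry. The following detection logic is an added example, not code from the report or from the malware; it runs over constructed Sysmon-style process-creation events (the paths, the UNC target and the 32-character ID value are all made-up placeholders) and flags the two behaviours the report describes.

```python
import re
import shlex

# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# not taken from the report; the command lines mirror the behaviour it describes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Users\Public\Royal_encryptor.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Users\Public\Royal_encryptor.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"Royal_encryptor.exe -ep 5 -path \\10.0.0.5\D$ -id " + "a" * 32},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe list shadows"},          # benign: listing, not deleting
    {"Image": r"C:\Program Files\Backup\agent.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "agent.exe -id 1234 -ep 50"},          # benign: -id is not 32 chars
]

SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}

def royal_style_args(cmdline):
    """True if the command line carries the mandatory -id switch with a 32-character value,
    the one parameter the report says every Royal invocation must have."""
    argv = shlex.split(cmdline, posix=False)   # non-POSIX: keep backslashes in UNC paths
    ident = ""
    for i, tok in enumerate(argv):
        if tok.lower() == "-id" and i + 1 < len(argv):
            ident = argv[i + 1]
    return len(ident) == 32

def classify(event):
    """Return the list of finding names for one process-creation event."""
    findings = []
    cmd = event.get("CommandLine", "")
    if SHADOW_DELETE.search(cmd):
        findings.append("shadow_copy_deletion")
        # The report shows the deletion spawned by the encryptor itself, so a parent
        # that is not an interactive shell or explorer is a stronger signal.
        parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
        if parent not in INTERACTIVE_PARENTS:
            findings.append("shadow_copy_deletion_unusual_parent")
    if royal_style_args(cmd):
        findings.append("royal_style_command_line")
    return findings

def scan(events):
    """Map event index -> findings for every event that triggered at least one rule."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```

Any shadow-copy deletion deserves a look on its own; the unusual-parent and 32-character -id findings are what raise it from "suspicious" to "consistent with Royal".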

During execution, the ransomware scans the designated target shares or file paths. Every file found is encrypted, except for specific file extensions and folders that the system and the ransomware itself need in order to keep running and to display the ransom note; these are left untouched. The exclusions are embedded in the malware as string signatures which, if found in the filename or path, prevent encryption of that item (Figure 2).

Figure 2. File scan showing encryption exclusions

File system elements that Royal ransomware excludes from encryption:

| Name         | Type |
|--------------|------|
| .exe         | file extension |
| .dll         | file extension |
| .bat         | file extension |
| .lnk         | file extension |
| .royal_w     | file extension |
| .royal_u     | file extension |
| README.TXT   | file name |
| windows      | file item string |
| $recycle.bin | file item string |
| google       | file item string |
| perflogs     | file item string |
| mozilla      | file item string |
| tor browser  | file item string |
| boot         | file item string |
| $windows.~ws | file item string |
| $windows.~bt | file item string |
| windows.old  | file item string |

When invoked with a command-line parameter that targets a network location or share, the ransomware scans the network and enumerates remote partitions. In automatic mode, precisely defined subnets are scanned: only those whose first IP octet is 192, 10, 100 or 172 are considered. A sample of this part of the ransomware is shown in Figure 3.

Figure 3. Network subnet scanning

The malware can enumerate network shares (ADMIN$, IPC$, ...) over SMB on port 445. Screenshots of the malware code associated with network scanning are shown in Figures 4 and 5.

Figure 4. Malware enumerates networks using SMB port 445

Figure 5. Malware enumerates network admin shares (ADMIN$)

The file encryption routine of Royal ransomware is fully optimized for speed and efficiency, using an OpenSSL library statically built into the code. It also scales the resources used for file encryption (the number of worker threads in the process) according to the number of processors available on the affected system (Figure 6).

Figure 6. Scaling resources for file encryption

Additionally, Figures 7, 9 and 10 show features of the file encryption process. Files smaller than 5.24 MB are encrypted in full; for larger files the encrypted proportion is set by the -ep command-line parameter, and if it is not specified the default of 50% is used. Files that are locked for editing by other processes are unlocked so that they can be encrypted, and the user receives a ransom note, as shown in Figure 8. The snapshot of the code responsible for encrypting a file and appending the ransomware file extension is shown in Figure 9.

Figure 7. Ransomware message code snippet

Figure 8. Ransomware message extracted

Figure 9. Encrypting a file and appending the “.royal_w” extension — analysis snapshot

Figure 10. Files smaller than 5245001 Bytes or 5.24 MB are encrypted 100%
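For incident triage it helps to know, from a file inventory, which files the exclusion table would have spared and how much of each remaining file the partial-encryption rule would have touched. The script below is an added example, not the report's or the malware's code: it applies the exclusion signatures and the 5245001-byte threshold exactly as the report states them, and assumes case-insensitive matching, that the -ep percentage is applied to the total file size and rounded down, and a constructed file inventory.

```python
import ntpath

# Exclusion signatures from the report's table: extensions, the ransom note name,
# and strings matched anywhere in the path. Matching is assumed case-insensitive.
EXCLUDED_EXTENSIONS = {".exe", ".dll", ".bat", ".lnk", ".royal_w", ".royal_u"}
EXCLUDED_NAMES = {"readme.txt"}
EXCLUDED_PATH_STRINGS = ("windows", "$recycle.bin", "google", "perflogs", "mozilla",
                         "tor browser", "boot", "$windows.~ws", "$windows.~bt", "windows.old")
FULL_ENCRYPT_LIMIT = 5245001   # bytes; the report: smaller files are encrypted 100%
DEFAULT_EP = 50                # default -ep value per the report

def is_excluded(path):
    """Apply the report's exclusion rules to a Windows path."""
    lowered = path.lower()
    name = ntpath.basename(lowered)
    if ntpath.splitext(name)[1] in EXCLUDED_EXTENSIONS or name in EXCLUDED_NAMES:
        return True
    # Substring match, as the report describes: any path containing e.g. "boot" is skipped.
    return any(s in lowered for s in EXCLUDED_PATH_STRINGS)

def encrypted_bytes(size, ep=None):
    """Bytes encrypted for a file of `size` bytes given the -ep value (None = default)."""
    if size < FULL_ENCRYPT_LIMIT:
        return size
    ep = DEFAULT_EP if ep is None else ep
    return size * ep // 100   # assumption: percentage of total size, rounded down

def triage(inventory, ep=None):
    """inventory: iterable of (path, size). Returns path -> (verdict, encrypted bytes),
    where verdict is 'excluded', 'full' or 'partial'."""
    result = {}
    for path, size in inventory:
        if is_excluded(path):
            result[path] = ("excluded", 0)
        else:
            n = encrypted_bytes(size, ep)
            result[path] = ("full" if n == size else "partial", n)
    return result

# Constructed inventory (made-up paths and sizes), not data from the incident.
SAMPLE_INVENTORY = [
    (r"C:\Users\alice\Documents\budget.xlsx", 120_000),
    (r"C:\Users\alice\Documents\archive.pst", 2_000_000_000),
    (r"C:\Users\alice\Desktop\tool.exe", 900_000),
    (r"C:\Windows\System32\drivers\etc\hosts", 800),
    (r"C:\Users\alice\Documents\README.TXT", 1_200),
    (r"D:\data\bootcamp\notes.docx", 50_000),   # spared only because "boot" is in the path
]
```

Running `triage(SAMPLE_INVENTORY, ep=5)` with the incident's -ep value shows the large mailbox archive touched only 5% while the small spreadsheet is encrypted entirely, which is why a low -ep does not make small documents any more recoverable.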

Analysis

Upon analyzing the encryption process of the Royal ransomware, we confirmed that it uses strong algorithms: asymmetric cryptography combined with AES-256. There are no indications of any cryptographic weakness that could be exploited, through brute force or similar techniques, to decrypt the encrypted file content, even with significant resources.