Royal ransomware has been involved in high-profile attacks against critical infrastructure, especially healthcare, since it rose to prominence at the end of 2022. It is straightforward yet highly efficient code that has no meaningful protection against reverse engineering: it is neither packed nor obfuscated, and its strings are not encrypted. Paradoxically, this helps it slip past scanners whose heuristics key on the unusual structural traits (packers, high-entropy sections, anomalous headers) typical of protected executables.
Malicious file brief description:
| Property | Value |
|---|---|
| File name | Royal_encryptor.exe |
| MD5 | 53F43DCE150C6400C432F375397FEA3C |
| SHA1 | 969BB38DBC76A9C5E24F2B9540060579B133AD83 |
| SHA256 | 7CF8CF961D0815E52CA26A4F532DB6033448C3D1EF1C8E5FEC214D80ABDC0547 |
| Compiled | Sat Nov 12 12:11:21 2022 |
| Size | 2235392 bytes |
| CPU | 32-bit |
| Type | Executable (EXE) |
The ransomware runs on an affected system only when the required command-line parameters are supplied; without them it does nothing, which also defeats naive sandbox detonation.
Royal ransomware command line parameters:
| Parameter | Mandatory | Description |
|---|---|---|
| -id | YES | 32-character identifier of the target. It is appended to the onion address in the ransom note file (README.TXT) to form the complete link for further communication with the threat actor (TA). |
| -path | NO | Exact file path or share to encrypt. |
| -ep | NO | Encryption percentage: the share of each file's content that is encrypted (applies to files above the full-encryption size threshold described below). Defaults to 50 if not set. |
| -localonly | NO | Encrypts only the local machine. |
| -networkonly | NO | Encrypts only reachable network resources found in the following address ranges: 192.x.x.x, 10.x.x.x, 100.x.x.x, 172.x.x.x. |
An example of the malware command line recovered from the incident logs:

`Royal_encryptor.exe -ep 5 -path \\TARGET_IP\D$ -id STRING`
The first step in the operation of the ransomware is to delete Volume Shadow Copies, so that files cannot be restored from local snapshots, by running `vssadmin.exe delete shadows /all /quiet` in a separate process (Figure 1).
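The parameter table, the recovered command line and the shadow-copy deletion above are exactly what a process-creation log (Sysmon Event ID 1, EDR telemetry) will show. The following added example, written for this page and not part of the original analysis, parses Royal's documented switches (enforcing the mandatory 32-character `-id` and the default `-ep` of 50) and flags the `vssadmin delete shadows` pre-step. The command lines it runs over are constructed sample data, and the `-id` values are placeholders of the documented length.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed process-creation command lines (sample data, not incident logs).
# The -id values are placeholders with the documented 32-character length.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"Royal_encryptor.exe -ep 5 -path \\10.0.0.5\D$ -id 0123456789abcdef0123456789abcdef",
    r"Royal_encryptor.exe -networkonly -id 0123456789abcdef0123456789abcdef",
    r"Royal_encryptor.exe -ep 20 -path C:\Users",
    r"C:\Windows\System32\vssadmin.exe list shadows",
    r"notepad.exe C:\Users\bob\README.txt",
]

ID_LENGTH = 32      # -id is a 32-character target identifier
DEFAULT_EP = 50     # -ep defaults to 50 (percent) when not supplied
ROYAL_FLAGS = {"-id", "-path", "-ep", "-localonly", "-networkonly"}
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)


@dataclass
class RoyalArgs:
    id: Optional[str] = None
    path: Optional[str] = None
    ep: int = DEFAULT_EP
    localonly: bool = False
    networkonly: bool = False
    errors: List[str] = field(default_factory=list)

    @property
    def would_run(self) -> bool:
        # The encryptor only runs when the mandatory -id is present and well formed.
        return not self.errors


def parse_royal_args(cmdline: str) -> RoyalArgs:
    """Parse Royal's documented switches from the tokens after the executable name."""
    tokens = cmdline.split()[1:]
    args = RoyalArgs()
    i = 0
    while i < len(tokens):
        flag = tokens[i].lower()
        if flag in ("-id", "-path", "-ep"):
            if i + 1 >= len(tokens):
                args.errors.append(f"{flag} given without a value")
                break
            value = tokens[i + 1]
            if flag == "-id":
                args.id = value
            elif flag == "-path":
                args.path = value
            else:
                try:
                    args.ep = int(value)
                except ValueError:
                    args.errors.append(f"-ep value is not an integer: {value}")
            i += 2
            continue
        if flag == "-localonly":
            args.localonly = True
        elif flag == "-networkonly":
            args.networkonly = True
        else:
            args.errors.append(f"unrecognised token: {tokens[i]}")
        i += 1
    if args.id is None:
        args.errors.append("mandatory -id parameter missing")
    elif len(args.id) != ID_LENGTH:
        args.errors.append(f"-id is {len(args.id)} characters, expected {ID_LENGTH}")
    return args


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True for the 'vssadmin delete shadows' form Royal spawns before encrypting."""
    return SHADOW_DELETE_RE.search(cmdline) is not None


def royal_flags_present(cmdline: str) -> Set[str]:
    return {t.lower() for t in cmdline.split()} & ROYAL_FLAGS


def classify(cmdline: str) -> str:
    """Verdict for one process-creation command line."""
    if is_shadow_copy_deletion(cmdline):
        return "shadow-copy-deletion"
    flags = royal_flags_present(cmdline)
    if "-id" in flags:
        return "royal-cmdline" if parse_royal_args(cmdline).would_run else "royal-cmdline-malformed"
    if len(flags) >= 2:
        # Royal-style switch combination without the mandatory -id: the sample would not
        # run, but the attempt itself is worth an alert.
        return "royal-cmdline-malformed"
    return "benign"


def scan(cmdlines: List[str]):
    return [(cmd, classify(cmd)) for cmd in cmdlines]


if __name__ == "__main__":
    for cmd, verdict in scan(SAMPLE_CMDLINES):
        print(f"{verdict:26} {cmd}")
```

The `vssadmin delete shadows` check matches regardless of `/all /quiet`, because other ransomware families use the same command with different switches; the malformed-command-line verdict is deliberately kept separate from a confirmed Royal invocation so an analyst can tune them independently.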
During execution, the ransomware scans the designated target shares or file paths. Every file found is encrypted, except for specific file extensions and folders that must remain intact for the system to keep running and for the ransom note to be displayed. These exclusions are embedded in the malware as plain string signatures; if one of them is found in the file name or path, the item is skipped (Figure 2).
Royal ransomware set of file system elements that are excluded from encryption:
| Name | Type |
|---|---|
| .exe | file extension |
| .dll | file extension |
| .bat | file extension |
| .lnk | file extension |
| .royal_w | file extension |
| .royal_u | file extension |
| README.TXT | file name |
| windows | file item string |
| $recycle.bin | file item string |
|  | file item string |
| perflogs | file item string |
| mozilla | file item string |
| tor browser | file item string |
| boot | file item string |
| $windows.~ws | file item string |
| $windows.~bt | file item string |
| windows.old | file item string |
When a command-line parameter points it at a network target (a UNC path, or -networkonly), the ransomware scans the network and enumerates remote shares. Without an explicit target path it sweeps fixed address ranges: every subnet whose first octet is 192, 10, 100 or 172. A sample of this part of the ransomware is shown in Figure 3.
The malware enumerates network shares (ADMIN$, IPC$, ...) over SMB on TCP port 445. See the screenshots of the network-scanning code in Figures 4 and 5.
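The sweep described above produces a recognisable pattern in flow or connection logs: one internal host opening port 445 to many distinct addresses whose first octet is 192, 10, 100 or 172. The following added example (written for this page, not the original analysis) scores that SMB fan-out per source host over constructed connection records; the alert threshold of 20 distinct targets is an assumed tuning value.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed connection records (timestamp, source, destination, destination port).
# Sample data only; 10.1.1.50 plays the infected host sweeping its /24 and two other ranges.
SAMPLE_CONNS: List[Tuple[str, str, str, int]] = [
    ("2023-01-10T09:00:01", "10.1.1.50", f"10.1.1.{i}", 445) for i in range(1, 41)
] + [
    ("2023-01-10T09:00:05", "10.1.1.50", "100.64.0.7", 445),
    ("2023-01-10T09:00:06", "10.1.1.50", "172.16.0.9", 445),
    ("2023-01-10T09:00:07", "10.1.1.50", "8.8.8.8", 53),      # not SMB, not a scanned range
    ("2023-01-10T09:01:00", "10.1.1.51", "10.1.1.2", 445),    # ordinary client: one file server
    ("2023-01-10T09:01:30", "10.1.1.51", "10.1.1.3", 445),
]

ROYAL_FIRST_OCTETS = {192, 10, 100, 172}   # first octets Royal sweeps in network mode
SMB_PORT = 445
FANOUT_THRESHOLD = 20   # assumed tuning value: distinct SMB targets before alerting


def in_royal_scan_range(ip: str) -> bool:
    """True if the address falls in one of the first-octet ranges Royal scans.
    The ranges are whole first-octet blocks as described (all of 172.x.x.x,
    not only the RFC 1918 172.16/12)."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and addr.packed[0] in ROYAL_FIRST_OCTETS


def smb_fanout(conns: Iterable[Tuple[str, str, str, int]]) -> Dict[str, Set[str]]:
    """Distinct port-445 destinations inside the scanned ranges, per source host."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for _ts, src, dst, dport in conns:
        if dport == SMB_PORT and in_royal_scan_range(dst):
            targets[src].add(dst)
    return targets


def suspicious_sources(conns, threshold: int = FANOUT_THRESHOLD) -> List[str]:
    """Sources whose SMB fan-out reaches the threshold, i.e. share-enumeration candidates."""
    return sorted(src for src, dsts in smb_fanout(conns).items() if len(dsts) >= threshold)


if __name__ == "__main__":
    for src, dsts in smb_fanout(SAMPLE_CONNS).items():
        print(f"{src}: {len(dsts)} distinct SMB targets in scanned ranges")
    print("suspicious:", suspicious_sources(SAMPLE_CONNS))
```

Backup servers, vulnerability scanners and domain controllers legitimately talk SMB to many hosts, so in practice the threshold is applied per time window and such hosts are allow-listed; the page's range list is what narrows the rule to Royal's behaviour rather than to SMB use in general.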
The file encryption routine is built for speed: it uses an OpenSSL library statically linked into the binary and scales the number of worker threads to the number of processors available on the affected system (Figure 6).
Figures 7, 9 and 10 show further details of the encryption process. Files smaller than 5.24 MB are encrypted in full; for larger files only a fraction of the content is encrypted, as set by the -ep parameter (50% when not specified). Files locked by other processes are forcibly released so that they too can be encrypted, and the user is left with a ransom note, shown in Figure 8. The part of the code responsible for encrypting a file and appending the ransomware's file extension is shown in Figure 9.
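Combining the exclusion table with the partial-encryption rule above lets an incident responder estimate, from a plain file listing of a targeted share, which files Royal would have touched and how much data was actually overwritten. The following added example (written for this page, not code from the original analysis) does that. It reproduces the exclusion rules as described: case-insensitive extension and file-name matches, and plain substring matches for the folder strings. The listing is constructed sample data, 10.0.0.5 stands in for the TARGET_IP placeholder, and the 5.24 MB threshold is taken as 5,240,000 bytes.

```python
import os
from typing import List, Tuple

# Strings from the exclusion table; extensions and names are exact (lower-cased), path strings are substrings.
EXCLUDED_EXTENSIONS = {".exe", ".dll", ".bat", ".lnk", ".royal_w", ".royal_u"}
EXCLUDED_FILENAMES = {"readme.txt"}
EXCLUDED_PATH_STRINGS = [
    "windows", "$recycle.bin", "perflogs", "mozilla", "tor browser",
    "boot", "$windows.~ws", "$windows.~bt", "windows.old",
]
FULL_ENCRYPTION_LIMIT = 5_240_000   # bytes; files below this are encrypted in full (5.24 MB per the text)
DEFAULT_EP = 50

# Constructed share listing (path, size in bytes); 10.0.0.5 stands in for the TARGET_IP placeholder.
SAMPLE_LISTING: List[Tuple[str, int]] = [
    (r"\\10.0.0.5\D$\Finance\ledger.xlsx", 2_000_000),
    (r"\\10.0.0.5\D$\Backups\db.bak", 50_000_000),
    (r"\\10.0.0.5\D$\Media\video.mp4", 5_240_000),
    (r"\\10.0.0.5\D$\Tools\setup.exe", 3_000_000),
    (r"\\10.0.0.5\D$\Windows.old\notes.txt", 1_000),
    (r"\\10.0.0.5\D$\Reports\README.txt", 500),
    (r"\\10.0.0.5\D$\Users\bob\Tor Browser\data.bin", 4_096),
    (r"\\10.0.0.5\D$\Finance\old.xlsx.royal_w", 8_000),   # already encrypted on a previous run
]


def is_excluded(path: str) -> Tuple[bool, str]:
    """Apply Royal's exclusion rules; returns (excluded, reason)."""
    p = path.replace("\\", "/").lower()
    name = p.rsplit("/", 1)[-1]
    ext = os.path.splitext(name)[1]
    if ext in EXCLUDED_EXTENSIONS:
        return True, f"extension {ext}"
    if name in EXCLUDED_FILENAMES:
        return True, "ransom note file name"
    for needle in EXCLUDED_PATH_STRINGS:
        # Plain substring match: 'windows' also covers windows.old and $windows.~bt, and any
        # unrelated folder whose name happens to contain the string.
        if needle in p:
            return True, f"path contains '{needle}'"
    return False, ""


def encrypted_bytes(size: int, ep: int = DEFAULT_EP) -> int:
    """Bytes Royal would encrypt in a file of this size with encryption percentage ep."""
    if size < FULL_ENCRYPTION_LIMIT:
        return size
    return size * ep // 100


def triage(listing, ep: int = DEFAULT_EP):
    """Per-file verdicts: (path, excluded, reason, bytes_encrypted)."""
    rows = []
    for path, size in listing:
        excluded, why = is_excluded(path)
        rows.append((path, excluded, why, 0 if excluded else encrypted_bytes(size, ep)))
    return rows


def summarize(listing, ep: int = DEFAULT_EP) -> dict:
    rows = triage(listing, ep)
    return {
        "files_total": len(rows),
        "files_encrypted": sum(1 for r in rows if not r[1]),
        "bytes_total": sum(size for _, size in listing),
        "bytes_encrypted": sum(r[3] for r in rows),
    }


if __name__ == "__main__":
    for path, excluded, why, nbytes in triage(SAMPLE_LISTING, ep=5):
        print(f"{'SKIP' if excluded else 'ENC ':4} {nbytes:>10} {path}  {why}")
    print(summarize(SAMPLE_LISTING, ep=5))
```

Two consequences of the rules are visible in the output: with `-ep 5`, as in the recovered command line, a 50 MB backup loses only 2.5 MB of content yet is still unusable, which is why partial encryption costs the attacker nothing in leverage while making the run much faster; and the `.royal_w`/`.royal_u` exclusions mean a second run on the same share skips already-encrypted files instead of double-encrypting them.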
Analysis
Analysis of the encryption routine confirmed that Royal uses strong, standard cryptography: asymmetric cryptography to protect the per-file keys, combined with AES-256 for the file content. No weaknesses were found that would allow recovery of encrypted content without the threat actor's private key, whether by brute force or any comparable technique, even with significant resources.