Royal Ransomware - the new hacking

The cyber threat is constantly changing and evolving. There are new and more cunning ways for hackers to infiltrate systems, but they are also discovering new ways to gain access. One of those ways is royal ransomware.

Hacking that can be costly

Many in cyberspace are familiar with the term ransomware. To refresh your memory, it's basically a method hackers use to monetize your data. Having hacked into documents, files and systems, they lock the victim out - denying them access to the documents or encrypting the documents so they can't be seen. The hackers then demand money, or a ransom, to restore access to the documents. Many people are willing to pay high sums of money to get their documents back, so this has become a popular method for hackers.

Hackers often use ransomware attacks on large companies since that's where the money and important information is. An example from Denmark was in 2022 when 7-Eleven was hit by a ransomware attack. All 175 stores were shut down because their cash register systems were shut down. A hacker group was behind the attack, demanding $1 million, paid in cryptocurrency. In order for 7-Eleven to reopen its stores, the hacker group believed that the company had to pay the high ransom.

• 7-Eleven chose to remain passive to the hackers. Instead, they reinstalled programs and systems themselves.

In order to do so, you have to make backups of your data - if you've done so, you can restore the lost data and thus avoid paying the large ransom.

A royal ransom

A new type of ransomware appeared in early 2022: A type of ransomware that brought in large sums of money for the hacker groups; namely, royal ransomware. Since it cost companies many millions of dollars, royal ransomware became known as one of the most brutal hacking methods of 2022.

The Dev-0569 hacker group, which is also behind the royal ransomware method, added 43 new companies to their victim list - with each ransomware attack, they demanded between $250.000 and $1 million dollars. Their victims are companies from all over the world, and they also hit a major tech company with a ransom of $60 million to return their data.

• Dev-0569 is a hacker group that targets larger companies and organizations. Therefore, they also demand larger sums of money to return the data. Dev-0569 deviates from the normal ransomware hackers with their use and creation of the royal ransomware attacks. Typically, hacker groups will conduct the attack as a ransomware-as-a-service (RaaS) attack.

RaaS is a business model hackers use to sell and rent ransomware to buyers. RaaS is one of the main reasons why ransomware attacks are on the rise in the cyber world.

However, Dev-0569 does not use the classic RaaS. Instead, they buy direct access to corporate networks. They buy this information from underground players (Inital Access Brokers - IAB), and in this way they can control the attacks from inside the companies' networks.

Hacking from the inside

Because the hacker group gains access to companies' networks and systems, they will exploit the internal access. One way they spread malware is by exploiting the company's contact form, which customers use to contact the company. When writing to the company, the hacker group can impersonate the customer service and install malicious software on the customer's device - without the customer knowing that a hacker is behind the legitimate name.

Another technique hackers use in royal ransomware is to send out alerts to people that their antivirus programs are about to expire. They are encouraged to click on a website or call a number. The latter is also known as callback phishing, where the hacker is on the other end of the phone. Here, the hacker obtains personal data from the victim, who is under the impression that they are talking to the real customer service department of the company.

• By sending the false alerts to people, the hackers can install malware on the victims' devices and access their data. Therefore, they can carry out ransomware attacks, but also monitor their device.

One of the reasons why royal ransomware is so dangerous is that it can spread incredibly fast in systems. In the past, hacker groups used the BlackCat coding module, but they switched to a new coding module called Zeon. Zeon is one of the systems that can overload a victim's computer faster than others. It doubles the code chains to encrypt a victim's files as quickly as possible. Therefore, the process of royal ransomware is faster than usual.

How do I avoid royal ransomware?

A lot of the things you can do to avoid royal ransomware are the same things you do to avoid regular hacking, phishing, and malware.

Awareness training is the ultimate way to protect yourself - it's the human errors that allow hackers to access emails, files and systems. So by undergoing awareness training, your company can avoid hacking attacks.

It's also always a good idea to have strong passwords and multi-factor authentication for your systems and emails. This ensures that it is much more difficult for the hacker to force access than if you did not have MFA.

You can also make sure that you get your programs and software from legitimate sources. This may go without saying, but sometimes hackers are so good at impersonating providers that you can't distinguish between the real and the imposter. Downloading content from a hacked website gives malicious actors direct access to your files and software.

Finally, it is also recommended to use antivirus programs that scan your device for malicious software and irregularities in your systems. In addition, you can also see if you have been hit by a royal ransomware attack. Here, the files and encrypted folders will typically end in

• ".royal"
• ".royal_w"
• "README.TXT"

You should always be cautious of these, and in case of an attack, you should contact your IT manager so they can help you fix your device.