You know what I hate? Ransomware! And this Royal Ransomware really SUCKS SOUR FROG A$$!!!
It sucks so bad that the FBI and CISA have put out an advisory about Royal Ransomware under their StopRansomware initiative (learn more at [ Link ]).
So let's dig into Royal Ransomware, learn something from it, and become better cybersecurity professionals!
If you're enjoying my content and wish to support the show, you can drop some coin in my jar here:
[ Link ]
Many thanks!
=======================================
Links:
=======================================
SecurityWeek:
[ Link ]
CISA Advisory:
[ Link ]
Chisel GitHub:
[ Link ]
QakBot C2:
[ Link ]
Ursnif/Gozi Trojan:
[ Link ]
========================================
Show Notes:
========================================
+ Intro
- FBI warns that Royal Ransomware is on the rise
+ What is Royal Ransomware?
- Initial access (covered in the Deep Dive below)
+ Disables antivirus
+ Exfiltrates data
+ Deploys custom file encryption
- Ransom demands of $1 to $11 million USD, paid in Bitcoin
+ Initial ransom note directs the victim to a `.onion` URL
- Targets
+ Manufacturing
+ Communications
+ Healthcare
+ Education
- STIX-formatted IoCs available
+ Anomali site (what is STIX? Structured Threat Information Expression, a JSON-based standard for sharing machine-readable threat intel)
- Deep Dive
+ **Initial Access** (all TTPs mapped to MITRE ATT&CK)
- *Phishing* (66.7% of observed cases)
+ Malicious PDFs
+ Malvertising
- *RDP* (13.3%)
- *Public-facing apps*
+ Exploitation of vulnerable internet-facing applications
- *Initial access brokers*
+ Purchase of access to a target that someone else already compromised (e.g., credentials from existing breach data)
+ **C2**
- Living off the land (LOTL)
+ Repurposes legitimate Windows software, apps and admin tools
- Royal actors also install many additional tools
+ Open-source projects
- Chisel ([ Link ]), a TCP/UDP tunnel carried over HTTP
+ Qakbot
- Reuses Qakbot's established C2 infrastructure
+ [ Link ]
+ **Lateral Movement**
- Sysinternals *PsExec*
+ Domain controller access
- Once on a DC, disables AV through Group Policy Objects (GPOs)
+ **Persistence**
- Installs Remote Monitoring and Management (*RMM*) software
+ AnyDesk
+ LogMeIn
+ Atera
+ **Exfil**
- Cobalt Strike
- Ursnif/Gozi ([ Link ])
- Usual exfil destination
+ A US-based IP: *94[.]232[.]41[.]105* (defanged)
+ **Encryption**
- Checks each target file before encrypting it
+ Is it currently in use?
+ Is another process blocking access to it?
- Deletes Volume Shadow Copies to inhibit recovery
+ `vssadmin.exe`
- Creates `.bat` helper scripts
- Known malicious file locations
- IoCs
+ Files
+ IPs
+ Domains
+ Tools
+ Batch scripts
- MITRE ATT&CK techniques
- Mitigations
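Worked example (added here; this is not code from the video, the advisory, or any vendor): a small Python hunt that turns the TTPs listed above into detection logic and runs it over constructed endpoint events. It flags `vssadmin delete shadows`, PsExec, the three RMM tools, a Chisel client/server launch, `.bat` files run from world-writable directories, and outbound connections to the defanged exfil IP from the notes. The JSON-lines event format, host names, regexes and ATT&CK technique mappings are my own choices; only the IP comes from the show notes.

```python
"""Hunt for Royal-style TTPs in constructed endpoint logs (added example)."""
import json
import re
from dataclasses import dataclass

# Exfiltration destination as listed (defanged) in the show notes.
EXFIL_IP_DEFANGED = "94[.]232[.]41[.]105"


def refang(ioc: str) -> str:
    """Undo common defanging so an IoC can be compared with raw log fields."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    technique: str  # MITRE ATT&CK technique ID (standard mapping, chosen for this example)
    evidence: str


# Process command-line rules: (rule name, ATT&CK technique, pattern).
# The regexes and technique IDs are this example's own, not the advisory's.
CMDLINE_RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("psexec_usage", "T1569.002",
     re.compile(r"\bpsexe(?:c|svc)(?:\.exe)?\b", re.I)),
    ("rmm_tool", "T1219",
     re.compile(r"\b(?:anydesk|logmein|atera(?:agent)?)(?:\.exe)?\b", re.I)),
    ("chisel_tunnel", "T1572",
     re.compile(r"\bchisel(?:\.exe)?\s+(?:client|server)\b", re.I)),
    ("batch_from_writable_dir", "T1059.003",
     re.compile(r"\\(?:users\\public|programdata|temp)\\[^\s\"]*\.bat\b", re.I)),
]

# Constructed sample events (JSON lines), not real telemetry.
SAMPLE_LOG = r"""
{"event": "process_create", "host": "WS01", "user": "jdoe", "cmdline": "C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"}
{"event": "process_create", "host": "WS01", "user": "jdoe", "cmdline": "notepad.exe C:\\Users\\jdoe\\notes.txt"}
{"event": "process_create", "host": "DC01", "user": "SYSTEM", "cmdline": "C:\\ProgramData\\chisel.exe client 203.0.113.5:8080 R:socks"}
{"event": "process_create", "host": "WS02", "user": "jdoe", "cmdline": "C:\\Users\\Public\\AnyDesk.exe --install"}
{"event": "process_create", "host": "WS02", "user": "jdoe", "cmdline": "cmd.exe /c C:\\Users\\Public\\run.bat"}
{"event": "process_create", "host": "WS03", "user": "admin", "cmdline": "C:\\Tools\\PsExec.exe \\\\WS04 -s cmd.exe"}
{"event": "network_connect", "host": "WS01", "dst_ip": "94.232.41.105", "dst_port": 443}
{"event": "network_connect", "host": "WS01", "dst_ip": "10.0.0.5", "dst_port": 445}
"""


def hunt(log_lines):
    """Scan JSON-lines events and return one Alert per (event, rule) match."""
    exfil_ip = refang(EXFIL_IP_DEFANGED)
    alerts = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        host = event.get("host", "unknown")
        kind = event.get("event")
        if kind == "process_create":
            cmdline = event.get("cmdline", "")
            for name, technique, pattern in CMDLINE_RULES:
                if pattern.search(cmdline):
                    alerts.append(Alert(host, name, technique, cmdline))
        elif kind == "network_connect" and event.get("dst_ip") == exfil_ip:
            # Outbound contact with the known exfil IP: T1041, Exfiltration Over C2 Channel.
            evidence = f"{event['dst_ip']}:{event.get('dst_port', '?')}"
            alerts.append(Alert(host, "known_exfil_ip", "T1041", evidence))
    return alerts


def techniques_by_host(alerts):
    """Group technique IDs per host; a host hitting several stages is the one to triage first."""
    grouped = {}
    for a in alerts:
        grouped.setdefault(a.host, set()).add(a.technique)
    return {host: sorted(techs) for host, techs in grouped.items()}


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"[{a.technique}] {a.host}: {a.rule} <- {a.evidence}")
    print(techniques_by_host(found))
```

The regexes are deliberately narrow (for example, `chisel` only fires with a `client` or `server` argument, and `.bat` only from `Users\Public`, `ProgramData` or a `temp` directory) to keep noise down on real fleets; widen them per environment, and treat a single host that trips both the shadow-copy rule and the exfil-IP rule as an active encryption stage rather than a curiosity.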
======================================
Chapters:
======================================
00:00 Intro
00:53 SecurityWeek Article
02:30 CISA Advisory
04:22 Royal Ransomware Overview
07:15 Technical Details
09:30 Initial Access
15:10 Command & Control (C2)
17:51 Persistence
19:25 Data Exfiltration
22:32 Data Encryption Details
25:00 Indicators of Compromise (IoC)
26:58 Mitigations
30:50 Final Thoughts
================================================================================
#cybersecurity #cti #cyberthreats #hacking #security #technology #hacker #infosec #ethicalhacking #cybercrime #tech #linux #informationsecurity #cybersecurityawareness #ransomware #malware #StopRansomware