The FBI and the US government's Cybersecurity and Infrastructure Security Agency (CISA) have released fresh guidance on the Royal ransomware operation, saying that evidence suggests it may soon undergo a long-speculated rebrand.

The agencies didn't specify a reason for the rebrand or spinoff variant, but rebranding in the ransomware industry is fairly common.

The security industry has highlighted a suspected link between Royal and BlackSuit for months, and the latest update to the security agencies' advisory confirms code overlaps and similarities in intrusion techniques.

CISA and the FBI believe the similarities between the two Windows ransomware families indicate either a potential rebrand of Royal altogether or at least a spinoff variant.

"Royal and Blacksuit threat actors have been observed using legitimate software and open source tools during ransomware operations," the advisory read. "Threat actors have been observed using open source network tunneling tools such as Chisel and Cloudflared, as well as Secure Shell Client, OpenSSH, and MobaXterm to establish SSH connections."

Trend Micro's May report on the similarities between the two predicted that BlackSuit was either a new variant developed by Royal itself, a copycat strain, or an affiliate of Royal's RaaS program that had made its own changes to the kit.

Its security researchers also found striking similarities between the two strains, with very little code differentiating them.

"After comparing both samples of the Royal and BlackSuit ransomware, it became apparent to us that they have an extremely high degree of similarity to each other," said Trend Micro. "In fact, they're nearly identical, with 98 percent similarities in functions, 99.5 percent similarities in blocks, and 98.9 percent similarities in jumps based on BinDiff, a comparison tool for binary files."
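The tunneling tools named in the advisory above (Chisel, Cloudflared, OpenSSH port forwarding, MobaXterm) are all legitimate software, so defenders usually hunt for them in process-creation telemetry rather than block them outright. The following is an added example of such a hunt, written for this page and not taken from the advisory, The Register, or any vendor; the log format (pipe-delimited `timestamp|host|user|image|command_line`), the hostnames, users and addresses are all constructed, and the severity labels are an assumption about how an analyst might triage the hits.

```python
import re
import shlex

# Constructed, simplified process-creation records (not real telemetry from
# the advisory or from any victim): timestamp|host|user|image_path|command_line
SAMPLE_LOG = r"""
2023-11-30T10:01:00Z|WS01|alice|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
2023-11-30T10:02:10Z|WS01|alice|C:\Users\alice\Downloads\chisel.exe|chisel.exe client 203.0.113.5:8080 R:socks
2023-11-30T10:03:30Z|SRV02|svc_backup|C:\Tools\cloudflared.exe|cloudflared.exe tunnel run --token REDACTED
2023-11-30T10:04:00Z|SRV02|bob|C:\Windows\System32\OpenSSH\ssh.exe|ssh.exe -R 9000:localhost:3389 user@203.0.113.5
2023-11-30T10:05:00Z|WS03|carol|C:\Program Files\Mobatek\MobaXterm\MobaXterm.exe|MobaXterm.exe
2023-11-30T10:06:00Z|WS03|carol|C:\Windows\System32\OpenSSH\ssh.exe|ssh.exe git@git.example
"""


def parse_record(line):
    """Split one pipe-delimited record into a dict; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def _argv(cmdline):
    """Tokenise a Windows command line; posix=False keeps backslash paths intact."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        return cmdline.split()


# Predicates on argv for the tunnelling-specific usage of each tool.
def _chisel(argv):
    # "chisel client ..." or "chisel server ..." is the tunnel being set up
    return len(argv) > 1 and argv[1].lower() in ("client", "server")


def _cloudflared(argv):
    return "tunnel" in [a.lower() for a in argv[1:]]


def _ssh_forwarding(argv):
    # -R (reverse) and -D (dynamic/SOCKS) forwarding are the tunnelling uses;
    # a plain interactive ssh session is deliberately not flagged by this rule
    return any(a in ("-R", "-D") or (a.startswith(("-R", "-D")) and len(a) > 2)
               for a in argv[1:])


# rule name, assumed severity, image basename pattern, argv predicate
RULES = [
    ("chisel_tunnel", "high", re.compile(r"^chisel(\.exe)?$", re.I), _chisel),
    ("cloudflared_tunnel", "high", re.compile(r"^cloudflared(\.exe)?$", re.I), _cloudflared),
    ("ssh_port_forward", "medium", re.compile(r"^ssh(\.exe)?$", re.I), _ssh_forwarding),
    ("mobaxterm_launch", "low", re.compile(r"^mobaxterm(\.exe)?$", re.I), lambda argv: True),
]


def basename(path):
    """Last component of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1]


def classify(record):
    """Return (rule_name, severity) for the first matching rule, else None."""
    name = basename(record["image"])
    argv = _argv(record["cmdline"])
    for rule, severity, pattern, predicate in RULES:
        if pattern.match(name) and predicate(argv):
            return rule, severity
    return None


def scan(log_text):
    """Run every rule over a log and return the list of findings, in log order."""
    findings = []
    for line in log_text.splitlines():
        record = parse_record(line)
        if record is None:
            continue
        hit = classify(record)
        if hit:
            findings.append({**record, "rule": hit[0], "severity": hit[1]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:<6} {f['rule']:<18} {f['host']} {f['user']} {f['cmdline']}")
```

Run against the constructed log, the scan flags the Chisel client, the Cloudflared tunnel, the reverse-forwarded SSH session and the MobaXterm launch, and leaves the plain `ssh.exe git@git.example` session alone. In a real environment the rule hits would then be enriched with context the advisory points at implicitly: whether the binary sits in a user-writable directory such as Downloads, whether the account normally runs remote-access tooling, and whether the remote address is a known corporate endpoint.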
It also cited security researchers who had noted that YARA rules created for the ESXi variants of Royal ransomware also matched BlackSuit's ESXi version.

These discoveries generally align with this week's updated security advisory, which said that, according to the FBI's investigations, the overlapping indicators of compromise between the two families were first spotted in June.

The advisory comes as Western intelligence agencies remain on high alert for attacks on critical national infrastructure, a threat that's been among the primary focuses for national security experts for the past few years, but throughout the previous 12 months especially.

The UK's National Cyber Security Centre published its annual review today, and alongside the threat of AI to upcoming elections and ransomware more generally, fears of attacks targeting UK CNI have intensified in the past year, with defenders struggling to match the pace of the evolving threat.

Royal was previously pinpointed as a group known for targeting CNI. The FBI and CISA previously warned of the group's threat in March, saying it had targeted "Numerous" CNI sectors, including but not limited to manufacturing, communications, healthcare, and education.

Royal's other major attacks include one on the city of Dallas, Texas in May. The effects of the attack were reportedly wide-ranging, affecting various functions like the city's police department and a water utility company.

The FBI and CISA revealed this week that Royal has attempted to extort a total of $275 million from more than 350 known victims since September 2022. BlackBerry's security unit reckons the ransom range isn't as large as the authorities suggest, with typical extortion attempts estimated to be between $250,000 and $2 million.

Microsoft's incident response data pegged Royal as one of the most prolific ransomware groups in operation over the past year. When looking at the top ransomware strains that had achieved breaches, 12 percent were related to Royal.

The advisory from CISA and the FBI includes more details on the full range of IOCs and mitigation guidance for both the Royal and BlackSuit ransomware families.
This Cyber News was published on www.theregister.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000