Cities under attack, Royal ransomware, defensive considerations, and free decryption tools

Ransomware attacks continue to hit governments and cities, taking down IT systems and disrupting online services. Recently, Royal actors carried out attacks on the cities of Dallas, Texas, and Augusta, Georgia, in the USA.

The City of Dallas said it might take weeks to recover from the incident and faced backlash from police officers, firefighters, and emergency service workers.

https://therecord.media/dallas-courts-resume-services-after-ransomware-attack

Royal has also frequently targeted critical infrastructure sectors such as manufacturing and healthcare, so its impact extends well beyond financial losses. Since 2022 it has hit at least 157 organizations, according to Palo Alto Networks' Unit 42.

CISA (the Cybersecurity and Infrastructure Security Agency) released a Cybersecurity Advisory on this threat under alert code AA23-061A:

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a

In Brazil, CTIR Gov (the Center for Prevention, Treatment and Response to Government Cyber Incidents) issued an alert about this threat earlier this year.

https://www.gov.br/ctir/pt-br/assuntos/alertas-e-recomendacoes/alertas/2023/alerta-02-2023

Royal ransomware originally targeted Windows systems, but the group expanded its arsenal with a variant that targets Linux and VMware ESXi environments.

As in other ransomware campaigns, Royal actors gain initial access to victim networks in several ways, including:

  • Phishing emails and malvertising: victims unknowingly install malware that delivers Royal ransomware after opening phishing emails carrying malicious PDF documents, or after following malicious advertisements.
  • Remote Desktop Protocol (RDP) access.
  • Exploitation of public-facing applications.

Once Royal actors gain access to the network, they communicate with command-and-control (C2) infrastructure and download multiple tools.

Royal operators repurpose legitimate Windows software in a "living off the land" approach: they use tools and features already installed in the target environment, which drastically reduces their footprint and helps them evade detection. The practical consequence for defenders is that file hashes and signatures are of little use here; detection has to focus on behaviour, that is, which account runs which tool, from where, and against how many hosts.

The actors also move laterally across the network, most often over Remote Desktop Protocol (RDP). PsExec, a Microsoft Sysinternals tool, has also been used to aid lateral movement; it works by copying a service binary to the target's ADMIN$ share and installing it as a temporary service, which leaves traces (a service-installation event on the target) that defenders can look for.
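As an added example (not code from the original post, from CISA or from any vendor product), the following Python script runs the kind of detection logic that item 5 of the protection measures below asks for over a few constructed Windows event-log lines: it flags RDP logons (Security event 4624, logon type 10) from addresses outside an assumed jump-host allowlist, PsExec's tell-tale service installation (System event 7045 with the PSEXESVC service), and one source fanning out to several hosts within a short window. The log lines, the allowlist, the fan-out threshold and the window are all assumptions.

```python
"""Flag RDP and PsExec lateral movement in flattened Windows event logs.

Added example, not code from the original post or from CISA. The log lines
below are constructed: Security event 4624 (logon) and System event 7045
(service installed) flattened to key=value text, the way a SIEM might export
them. JUMP_HOSTS, FANOUT_THRESHOLD and WINDOW_MIN are assumed site policy.
"""
import re
from collections import defaultdict
from datetime import datetime

JUMP_HOSTS = {"10.0.5.10"}   # assumed: only addresses allowed to start RDP sessions
FANOUT_THRESHOLD = 3         # distinct RDP targets from one source within WINDOW_MIN
WINDOW_MIN = 10

# Constructed sample: one sanctioned RDP logon, then a workstation that should
# never administer anything opens RDP to three hosts in two minutes and drops
# the PsExec service (PSEXESVC) on a fourth over SMB (logon type 3).
SAMPLE_LOG = r"""
2023-05-03T09:12:10 host=FS01 eid=4624 LogonType=10 TargetUserName=helpdesk IpAddress=10.0.5.10
2023-05-03T09:40:02 host=WS-ACCT07 eid=4624 LogonType=10 TargetUserName=it-admin IpAddress=10.0.20.33
2023-05-03T09:41:15 host=FS02 eid=4624 LogonType=10 TargetUserName=it-admin IpAddress=10.0.20.33
2023-05-03T09:41:50 host=DC01 eid=4624 LogonType=10 TargetUserName=it-admin IpAddress=10.0.20.33
2023-05-03T09:42:30 host=SQL01 eid=4624 LogonType=3 TargetUserName=it-admin IpAddress=10.0.20.33
2023-05-03T09:42:31 host=SQL01 eid=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe
2023-05-03T09:50:00 host=WS-HR03 eid=7045 ServiceName=VendorUpdater ImagePath=C:\PROGRA~1\Vendor\updater.exe
2023-05-03T10:00:00 host=FS01 eid=4624 LogonType=2 TargetUserName=alice IpAddress=-
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) eid=(?P<eid>\d+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one flattened event line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "eid": int(m["eid"])}
    ev.update(KV_RE.findall(m["rest"]))
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def is_psexec_service(ev):
    """7045 carrying PsExec's default service name or binary. A copy renamed with
    psexec -r will not match here, so pair this with ADMIN$ write monitoring."""
    if ev["eid"] != 7045:
        return False
    return (ev.get("ServiceName", "").upper() == "PSEXESVC"
            or ev.get("ImagePath", "").upper().endswith("PSEXESVC.EXE"))


def detect(events):
    alerts = []
    rdp = defaultdict(list)  # source IP -> [(time, target host)]
    for ev in events:
        if ev["eid"] == 4624 and ev.get("LogonType") == "10":  # type 10 = RemoteInteractive (RDP)
            src = ev.get("IpAddress", "-")
            rdp[src].append((ev["ts"], ev["host"]))
            if src not in JUMP_HOSTS:
                alerts.append({"rule": "rdp-from-unexpected-source", "src": src,
                               "host": ev["host"], "user": ev.get("TargetUserName")})
        elif is_psexec_service(ev):
            alerts.append({"rule": "psexec-service-install", "host": ev["host"],
                           "service": ev.get("ServiceName"), "image": ev.get("ImagePath")})
    # Fan-out: one source reaching many distinct hosts in a short window is the
    # signature of an operator sweeping the network, whatever account is used.
    for src, hits in rdp.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {h for t, h in hits[i:] if (t - t0).total_seconds() <= WINDOW_MIN * 60}
            if len(targets) >= FANOUT_THRESHOLD:
                alerts.append({"rule": "rdp-fanout", "src": src, "hosts": tuple(sorted(targets))})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run it as a script to print the five alerts the sample produces (three unexpected RDP sources, one PsExec service install, one fan-out). On real data the 4624 source address can be empty when the session is brokered by a gateway, and the benign VendorUpdater service shows why the PsExec rule keys on the service name and binary rather than on "any new service", so treat each rule as one signal to correlate with EDR telemetry rather than as a verdict on its own.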

Protection measures and best practices

1) Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with the National Institute of Standards and Technology (NIST) standards for passwords (SP 800-63B).

2) Deploy multifactor authentication (MFA), prioritising remote access services such as VPN, RDP and webmail, and any account that reaches critical systems.

3) Keep all operating systems, software, and firmware up to date.

4) Restrict lateral movement. Networks must be designed not only to keep attackers out, but also to make their lives as difficult as possible once they gain an internal foothold. This reference document describes RDP, PsExec and other lateral-movement techniques, with defensive considerations for each one:

https://www.appliedincidentresponse.com/files/Lateral-Movement-Analyst-Reference.pdf

The networks must be segmented/micro-segmented with solid barriers between different logical groupings of resources.

5) Deploy a network monitoring tool that logs and reports all network traffic, including lateral movement activity on the network. Endpoint detection and response (EDR) tools also help to detect lateral connections.

6) Disable all unused logical ports on the network.

7) Install, regularly update, and enable real-time detection for antivirus and EDR on all hosts.

8) Review domain controllers, servers, workstations, and Active Directory for new or unrecognized accounts.

9) Audit user accounts with administrative privileges.

10) Disable command-line and scripting activities and permissions where they are not needed for business; where they are needed, log them (for example with PowerShell script block logging) so that misuse of the same tooling by living-off-the-land actors stays visible.
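What "comply with NIST standards" in item 1 means in practice is spelled out in NIST SP 800-63B, section 5.1.1.2: a minimum length of 8, a maximum of at least 64 with no truncation, Unicode normalisation, a breached-password blocklist, rejection of context-specific and repetitive or sequential strings, no composition rules, and salted memory-hard hashing for storage. The following Python is an added example that encodes those rules; it is not code from the original post, from CISA or from NIST. The blocklist, the context words and the 16-byte salt layout are assumptions.

```python
"""Password checks and storage per NIST SP 800-63B, section 5.1.1.2.

Added example, not code from the original post, CISA or NIST. BREACHED is a
tiny constructed stand-in for a real breached-password corpus; CONTEXT_WORDS
are assumed organisation/service names.
"""
import hashlib
import hmac
import os
import re
import unicodedata

MIN_LEN = 8    # at least 8 characters for subscriber-chosen secrets
MAX_LEN = 64   # verifiers must allow at least 64 characters and must not truncate
SALT_LEN = 16  # assumed storage layout: 16-byte random salt followed by the derived key

BREACHED = {"password", "password1", "qwerty123", "letmein", "welcome1", "summer2023"}
CONTEXT_WORDS = {"cloudnroll", "vpn", "corp"}


def normalize(secret):
    """NFKC-normalise so the same secret typed on different keyboards compares equal."""
    return unicodedata.normalize("NFKC", secret)


def has_repetition(s, run=4):
    """Any character repeated `run` or more times in a row (e.g. 'aaaa')."""
    return re.search(r"(.)\1{" + str(run - 1) + ",}", s) is not None


def has_sequence(s, run=4):
    """`run` consecutive code points ascending or descending (e.g. '1234', 'dcba')."""
    cps = [ord(c) for c in s.lower()]
    for i in range(len(cps) - run + 1):
        diffs = {cps[j + 1] - cps[j] for j in range(i, i + run - 1)}
        if diffs in ({1}, {-1}):
            return True
    return False


def check_password(secret, username=""):
    """Return the list of reasons the secret is rejected; an empty list means accepted."""
    s = normalize(secret)
    low = s.lower()
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append("shorter than 8 characters")
    if len(s) > MAX_LEN:
        reasons.append("longer than the 64-character limit")
    if low in BREACHED:
        reasons.append("appears in breached-password list")
    if username and username.lower() in low:
        reasons.append("contains the username")
    for word in sorted(CONTEXT_WORDS):
        if word in low:
            reasons.append(f"contains context-specific word '{word}'")
    if has_repetition(s):
        reasons.append("repetitive characters")
    if has_sequence(s):
        reasons.append("sequential characters")
    # Deliberately absent: composition rules (upper/lower/digit/symbol quotas) and
    # periodic rotation. 800-63B says verifiers SHOULD NOT impose either; a secret
    # is changed when there is evidence of compromise, not on a calendar.
    return reasons


def hash_secret(secret, salt=None):
    """Salted, memory-hard hash for storage (scrypt with n=2**14, r=8: 16 MiB per guess)."""
    salt = salt or os.urandom(SALT_LEN)
    key = hashlib.scrypt(normalize(secret).encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt + key


def verify_secret(secret, stored):
    """Constant-time comparison of a candidate against a stored salt+key blob."""
    salt = stored[:SALT_LEN]
    return hmac.compare_digest(hash_secret(secret, salt), stored)


if __name__ == "__main__":
    for candidate, user in [("Password1", "alice"), ("xk1234qzt", ""),
                            ("correct horse battery staple", "")]:
        print(repr(candidate), "->", check_password(candidate, user) or "accepted")
```

Note what the checker does not do: it never demands an uppercase letter, a digit or a symbol, and it never expires a secret. Those two habits are the ones most often mislabelled as "NIST compliant" while 800-63B explicitly discourages them; the standard's strength comes from the blocklist and the memory-hard hash instead.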

The last frontier of business protection

11) Maintain offline backups and regularly run automated backup and restore tests to validate them.

12) Ensure all backup data is encrypted and immutable, and that it covers the organization's entire data infrastructure.

13) Deploy, maintain, test, and continuously update a Disaster Recovery and Business Continuity plan.

Decryption tools for free

The “No More Ransom” website is an initiative of the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky, and McAfee that helps ransomware victims retrieve their encrypted data without paying the criminals.

The decryption tools on the “No More Ransom” website have helped more than six million people recover their files for free.

There are 121 free tools able to decrypt 151 ransomware families. The initiative unites 170 partners from the public and private sectors. The portal is available in 37 languages, including Portuguese and Spanish.

https://www.nomoreransom.org/en/decryption-tools.html

Remember: these tools do not replace the need for a secure and consistent backup strategy or the protection measures described above.

Decryption can sometimes take several days, directly impacting business continuity. The best way to mitigate these impacts is through a consistent business continuity, backup, and disaster recovery plan.

I hope this information was helpful!

References:

https://unit42.paloaltonetworks.com/royal-ransomware/#post-128104-_wesirteo28so

https://www.mindpointgroup.com/blog/lateral-movement-with-psexec

