AdvisoriesCISAAA23-061AMarch 2, 2023
March 2, 2023
This joint cybersecurity advisory by the FBI and CISA aims to share information about the Royal ransomware, including indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) identified through FBI threat response activities as of January 2023. Since September 2022, cyber criminals have been using a variant of the Royal ransomware to target critical infrastructure sectors, including Manufacturing, Communications, Healthcare and Public Healthcare (HPH), and Education in the U.S. and internationally. This variant evolved from an earlier version known as "Zeon." After gaining access to victims' networks, the Royal actors disable antivirus software, exfiltrate data, and then deploy the ransomware to encrypt systems.
March 2, 2023
Ransomware can take on many forms, each containing unique characteristics to remain undetected for as long as possible. However, many of these malware samples also contain common behaviors that can be used against them. Royal, like many others, consistently tries to delete the backup files on the devices it compromises. Why? Ransomware can be reversed by re-imaging a device from its backups, restoring it to a pre-attack state. This reversibility forces most ransomware authors to disable, disrupt or delete the backups - giving endpoint defenses a behavior they can signature. Enable backups and ensure endpoint defenses continuously monitor processes touching them. It is also worth noting that ransomware is impossible to pull off (in the traditional sense) on “secure by design” operating systems. Wherever possible, switch from workstations and servers to iPads, Chromebooks and containers.
Be immediately notified of new advisories and associated security tests
AdvisoryCISAAA24-207AJuly 25, 2024
