Date: 09/04/2024
Severity: Critical
Summary
Royal ransomware first appeared in 2022 and quickly emerged as a major threat. Its operators have targeted both U.S. and international organizations, breaching their networks to deploy the ransomware. This variant developed from an earlier iteration that used a loader named "Zeon".
Indicators of Compromise (IOC) List
Type | Value | Note
Hash (SHA-256) | f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429 | Royal sample
Filename | README.txt | Ransom note; a generic filename, so low fidelity on its own
Process command line | C:\Windows\System32\vssadmin.exe delete shadows /all /quiet | Deletes Volume Shadow Copies to block recovery (MITRE ATT&CK T1490, Inhibit System Recovery)
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Name | Query
Hash | sha256hash IN ("f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429")
Detection Query 1 | (resourceName = "Windows Security" AND eventtype in ("4688")) AND newprocessname = "C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"
Detection Query 2 | (Technologygroup = "EDR" AND eventtype in ("4688")) AND newprocessname = "C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"
Detection Query 3 | (resourcename in ("Windows Security") AND eventtype = "4663") AND rawmessages like "README.txt"
Detection Query 4 | (Technologygroup = "EDR") AND rawmessages like "README.txt"
Note on Queries 1 and 2: in a Windows 4688 event the New Process Name field holds only the image path (C:\Windows\System32\vssadmin.exe); the arguments arrive in the separate Process Command Line field, and only when the "Include command line in process creation events" audit policy is enabled. Match the image path and the command-line field separately, and match the arguments case-insensitively (vssadmin accepts "Delete Shadows /All /Quiet" and any switch order), or the query will not fire.
Note on Queries 3 and 4: 4663 is only generated for objects that carry a file-system SACL, and README.txt is a common benign filename, so expect false positives. Treat a hit as corroboration of a shadow-copy deletion or hash match on the same host rather than as a stand-alone alert.
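The detection logic above, run over constructed log records, as an added example that is not part of the advisory and not Gurucul's TDIR engine or query syntax. Field names mirror the Windows event schema (NewProcessName, CommandLine, ObjectName) in snake_case; the sha256 field on a process record stands in for EDR enrichment, since 4688 itself carries no hash; every record in SAMPLE_EVENTS is constructed. The example also shows why the literal comparison in Queries 1 and 2 cannot fire on a correctly formatted 4688, and generalizes the match to quoted paths, mixed case and swapped switch order.

```python
"""Detection logic for the Royal IOCs above, run over constructed log records.

Added example for this advisory, not Gurucul's TDIR engine or its query
syntax. Field names mirror the Windows event schema (NewProcessName,
CommandLine, ObjectName) in snake_case; every record in SAMPLE_EVENTS is
constructed for illustration.
"""
import ntpath

# SHA-256 from the IOC list, stored lowercase so comparisons are case-insensitive.
ROYAL_SHA256 = {"f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429"}
RANSOM_NOTE = "readme.txt"
VSSADMIN_FULL_CMD = r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"


def literal_match(ev: dict) -> bool:
    """The advisory's query as written: NewProcessName compared with the whole
    command string. A real 4688 puts only the image path in NewProcessName,
    so this never fires on correctly formatted telemetry."""
    return ev.get("new_process_name") == VSSADMIN_FULL_CMD


def is_shadow_deletion(image: str, cmdline: str) -> bool:
    """True when vssadmin is invoked to delete shadow copies (ATT&CK T1490).

    Image path and arguments are checked separately: the arguments live in
    the 4688 CommandLine field, which is only populated when "Include command
    line in process creation events" is enabled. vssadmin is case-insensitive
    and switch order is free, so compare lowercased tokens, not the exact string.
    """
    if ntpath.basename(image).lower() != "vssadmin.exe":
        return False
    tokens = [t.lower() for t in cmdline.split()]
    return "delete" in tokens and "shadows" in tokens


def triage(events: list) -> list:
    """Return alerts, one dict per finding, in event order.

    Hash and shadow-deletion hits alert on their own. README.txt is a generic
    filename, so (a design choice of this example) a 4663 write of it only
    raises an alert when the same host also showed shadow-copy deletion.
    """
    alerts = []
    shadow_hosts, note_hosts = set(), set()
    for ev in events:
        host, eid = ev["host"], ev["event_id"]
        if eid == 4688:
            if is_shadow_deletion(ev.get("new_process_name", ""), ev.get("command_line", "")):
                shadow_hosts.add(host)
                alerts.append({"host": host, "rule": "vssadmin_shadow_delete", "severity": "critical"})
            # 4688 carries no hash; this field stands in for EDR enrichment.
            if ev.get("sha256", "").lower() in ROYAL_SHA256:
                alerts.append({"host": host, "rule": "royal_hash_match", "severity": "critical"})
        elif eid == 4663 and ntpath.basename(ev.get("object_name", "")).lower() == RANSOM_NOTE:
            note_hosts.add(host)
    for host in sorted(note_hosts & shadow_hosts):
        alerts.append({"host": host, "rule": "ransom_note_on_shadow_delete_host", "severity": "high"})
    return alerts


# Constructed records, not real telemetry.
SAMPLE_EVENTS = [
    # Correct 4688 layout: image path alone in new_process_name, arguments in command_line.
    {"host": "WS01", "event_id": 4688,
     "new_process_name": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    # Same action with a quoted path and swapped switch order; still a match.
    {"host": "WS02", "event_id": 4688,
     "new_process_name": r"C:\Windows\System32\vssadmin.exe",
     "command_line": r'"C:\Windows\System32\vssadmin.exe" delete shadows /quiet /all'},
    # Benign use: listing shadows must not alert.
    {"host": "WS03", "event_id": 4688,
     "new_process_name": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe list shadows"},
    # EDR-enriched process record carrying the IOC hash in upper case.
    {"host": "WS01", "event_id": 4688,
     "new_process_name": r"C:\Users\Public\royal.exe", "command_line": "royal.exe",
     "sha256": "F484F919BA6E36FF33E4FB391B8859A94D89C172A465964F99D6113B55CED429"},
    # Ransom note written on WS01 (corroborates) and on WS03 (alone, stays quiet).
    {"host": "WS01", "event_id": 4663, "object_name": r"C:\Users\alice\Documents\README.txt"},
    {"host": "WS03", "event_id": 4663, "object_name": r"C:\Projects\README.txt"},
]

if __name__ == "__main__":
    print("literal query fires on a correct 4688:", literal_match(SAMPLE_EVENTS[0]))
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Running it produces two critical shadow-deletion alerts (WS01, WS02), one critical hash match (WS01) and one high-severity corroborated ransom-note alert (WS01); the README.txt on WS03 and the benign "list shadows" stay quiet, and literal_match returns False for the correctly formatted record, which is the gap in Queries 1 and 2.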
Reference:
https://gurucul.com/blog/royal-ransomware/#6-phishing-as-an-entry-point