>
A brand new ransomware operator has been discovered operating in the wild, and although it is a newcomer, it is already demanding large ransom payments.
A new report from BleepingComputer together with cybersecurity intelligence firm AdvIntel, it analyzed the group’s operations, the encryptor and its methodology.
Apparently the group is made up of experienced ransomware actors who come from other operations. They joined forces in January this year and operate not as RaaS, but as a closed group of affiliates. In the beginning, the group used ciphers from other criminals, namely BlackCat, but soon the group switched to proprietary solutions. The first such encryptor is called Zeon.
Starts with a phish
Earlier this month, the group changed from Zeon to Royal, using that name in both the ransom note and as a file extension for encrypted documents.
The MO is nothing special: the attackers would first send a phishing email and urge the victims to call them back. During the call, the attackers would convince the victims to install remote access software and grant the attackers access to the endpoint (opens in new tab). After that, the attackers would spread across the network, mapping and exfiltrating sensitive data, and encrypting all devices on the network.
The victims would then find a ransom note, README.TXT, in which they would be given a Tor link that would allow them to enter into negotiations with the attackers. It is reported that Royal is asking anywhere from $250,000 to $2 million for the decryption key. During the negotiations, the attackers would decrypt a few files to show that their program works, and show the list of files they would release on the Internet if the requirements are not met.
So far, there are no reports of victims actually paying for the decryption key, so it is impossible to know how successful the group is. The leak site of Royal has not yet been found.
Through: BleepingComputer (opens in new tab)