New Delhi: The Indian cybersecurity agency has issued a warning against the “Royal ransomware” virus that attacks critical sectors such as communications, health careeducation, and even individuals and seeks reward in Bitcoin for not leaking personal data in the public domain.
He Indian Computer Emergency Response Team either cert entry has stated in the latest notice that this Internet-spreading ransomware sneaks in via phishing emails, malicious downloads, abuse PDR (Remote Desktop Protocol) and other forms of social engineering.
This ransomware, cyber experts said, was first detected in January 2022 and activated around September last year, even as US authorities issued warnings against its spread.
“Royal ransomware targets multiple crucial infrastructure sectors, including manufacturing, communications, health care, education, etc or individuals. The ransomware encrypts the files on the victim’s system and the attackers demand the ransom payment in bitcoins,” the notice said.
“The attackers also threaten to leak the data into the public domain if payment is denied,” the notice said.
He cert entry is the federal technology arm for combating cyberattacks and protecting cyberspace against phishing and hacking attacks and similar online attacks.
The advisory stated that “threat actors have followed many tactics to trick victims into installing remote access software as part of callback phishing, where they pretend to be various service providers.”
The ransomware infects “using a specific approach to encrypt files based on the size of the content.”
“It will split the content into two segments, i.e. encrypted and unencrypted. Malware can choose a small amount of data from a large file to encrypt in order to increase the chances of avoiding caution or detection. It adds 532 bytes at the end file to write randomly generated encrypted key, file size of the encrypted file, and encryption percentages parameter,” CERT-In said.
The lethality of this virus can be gauged by the fact that before starting to encrypt the data it attacks, the ransomware checks the status of the targeted files and deletes shadow copies to “avoid recovery” via the service.
After intruding on the network, the malware tries to persist and move lateral on the network. Even after gaining access to the domain controller, the ransomware disables antivirus protocols. Additionally, the ransomware extracts a large amount of data before encryption, according to the notice.
It has been observed, he said, that ‘Royal ransomware’ does not share information like ransom amount, instructions, etc. on a note like other ransomware, but instead connects to the victim directly via an .onion URL path (darkweb browser).
The agency has suggested some countermeasures and Internet hygiene protocols to protect against this ransomware attack and others like it.
Maintain an offline backup of data, and maintain regular backup and restore, as this practice will ensure that the organization is not severely disrupted and has unrecoverable data.
It’s also recommended to have all backup data encrypted, immutable (meaning it can’t be changed or deleted) that spans the organization’s entire data infrastructure, he said.
Users should enable protected files in the Windows operating system to prevent unauthorized changes to critical files and should disable remote desktop connections, use least privileged accounts, and limit the users who can log on using the remote desktop portion to that do not establish an account lockout policy.
The agency has suggested a number of other best practices, including basic ones like having up-to-date antivirus on computer systems and not clicking spam emails from unknown links.
