Executive Summary
- On May 1, local media reported that a city government had suffered a disruption resulting from an attack claimed by the Royal ransomware group.
- City spokespeople confirmed these reports on May 3, noting that emergency services remained available despite disruptions to computerized dispatching systems.
- Intelligence collected by the SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team may reflect Royal TTPs, offering additional insights into the attack.
Background
On May 1, local media reported that a city government had suffered a disruption resulting from an attack claimed by the Royal ransomware group. City spokespeople confirmed these reports on May 3, noting that emergency services remained able to respond to incidents despite disruptions to computerized dispatching systems. Some disruptions appear to have persisted until June 5.
The Royal group first surfaced under the name Zeon in January 2022 and rebranded as Royal in September 2022. It is reportedly composed of former members of the Conti group; Microsoft tracks it as DEV-0569, and early reports highlighted the group’s social engineering capabilities.
Royal’s behavior reflects some of the major recent trends in ransomware, but not others. Although it did not use one in its early days, Royal has, like many other groups, launched a data leak site. In the ransom note to the recently-attacked city government, the group claimed to have stolen data and threatened to publish it. However, although many groups have come to employ a ransomware-as-a-service (RaaS) model in recent years, Royal is a closed group rather than an RaaS operation.
Initial access techniques include malvertising, callback phishing (the use of a false payment or subscription confirmation message to lead a target to call a telephone number controlled by the attackers, who direct victims to download malicious files once they call), and forum or blog comments containing malicious links. These lead to downloads of malware, including BATLOADER and Qakbot, which in turn deliver secondary payloads that eventually lead to ransomware deployment.
Methodology
Researchers leveraged SecurityScorecard’s exclusive access to network flow (NetFlow) data to collect a sample of traffic involving IP addresses attributed to the affected government. They first consulted SecurityScorecard’s ratings platform to identify the IP addresses on which SecurityScorecard had observed issues, since those addresses are the most likely to attract attackers’ attention. They then collected a two-month (March 3-May 3) sample of traffic involving these IP addresses and analyzed the results further.
STRIKE Team researchers first searched the resulting traffic sample for activity that may reflect behavior resembling the Royal group’s tactics, techniques, and procedures (TTPs). They searched for communication with the IP addresses appearing in a CISA alert about the group and the IP addresses to which the domains contained in that same alert most recently resolved.
They next searched for indications of communication between city government assets and the strains of malware used in earlier stages of Royal attacks. The strategic partner providing NetFlow data also employs an analysis and reporting system that identifies certain IP addresses belonging to various malware families’ distribution or command and control (C2) infrastructure, including QakBot, which the Royal group has used. Researchers therefore limited the results to those involving IP addresses this partner has linked to QakBot.
This partner also identifies certain IP addresses previously observed distributing spam; knowing that phishing is a common reconnaissance or initial access technique for ransomware groups (and that it and spam campaigns could share infrastructure), researchers next limited the results to those involving spam-linked IP addresses.
Next, because the Royal group claimed to have stolen city data, researchers sought to identify possible exfiltration by identifying the largest data transfers in the traffic sample (those with byte counts of 100 MB or more), as large data transfers are the most likely to reflect exfiltration. Researchers further narrowed these results, first by filtering them by country code to identify IP addresses located outside of the U.S. and then by searching them in VirusTotal. IP addresses either located outside of the U.S. or previously linked to malicious activity are more likely to have been involved in exfiltration.
Additionally, researchers added the IP addresses appearing in this traffic sample to SecurityScorecard’s internal threat intelligence platform, which contains the IP addresses appearing in the traffic samples collected during many previous investigations into ransomware attacks and other disruptive incidents. IP addresses’ appearance in multiple target organizations’ traffic samples may suggest their involvement in similarly malicious activity.
Finally, to identify files that may reflect malicious activity targeting the city, the STRIKE Team searched VirusTotal for recent submissions containing its main domain.
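The filtering steps above (matching a sample against tagged infrastructure, isolating transfers of 100 MB or more, flagging peers outside the U.S. or outside the dominant hosting registrant, and cross-referencing against earlier investigations) can be expressed as a small triage script. The following is an added example, not STRIKE Team or SecurityScorecard code: the flow records, the tag/GeoIP/registrant tables and the prior-case index are constructed inline so it runs offline, and their shapes are assumptions rather than the real partner data formats. The three tagged peers are IoCs from the appendices; the 192.0.2.x and 198.51.100.x peers and the city range 203.0.113.0/24 are documentation addresses invented for the example.

```python
"""NetFlow triage modelled on the methodology in this report (added example)."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MB = 1_000_000
LARGE_TRANSFER_BYTES = 100 * MB  # "100 MB or more" threshold from the methodology


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 195.176.3[.]19 back into a usable address."""
    return ioc.replace("[.]", ".")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    nbytes: int
    day: str  # ISO date; constructed


# 203.0.113.0/24 (TEST-NET-3) stands in for city-attributed address space (assumption).
CITY_NETS = [ip_network("203.0.113.0/24")]

# Constructed flow sample. Peers marked (appendix) are IoCs listed in the report.
FLOWS = [
    Flow("203.0.113.10", refang("195.176.3[.]19"), 4_200, "2023-03-05"),   # QakBot-linked (appendix)
    Flow("203.0.113.25", refang("1.215.233[.]74"), 1_800, "2023-03-30"),   # spam-linked (appendix)
    Flow("203.0.113.40", "192.0.2.9", 900 * MB, "2023-04-12"),             # large, home-country host
    Flow("203.0.113.41", "192.0.2.10", 300 * MB, "2023-04-12"),            # large, same host
    Flow("203.0.113.40", "198.51.100.7", 250 * MB, "2023-04-13"),          # large, abroad, other registrant
    Flow("203.0.113.41", "192.0.2.77", 15 * MB, "2023-04-13"),             # below threshold
    Flow("203.0.113.12", refang("67.217.80[.]151"), 600, "2023-04-20"),    # LogMeIn (appendix)
]

# Constructed enrichment standing in for the partner's malware/spam tagging,
# a GeoIP lookup, a WHOIS registrant lookup and the internal threat-intel index.
TAGS = {"195.176.3.19": "qakbot", "1.215.233.74": "spam", "67.217.80.151": "logmein"}
COUNTRY = {"195.176.3.19": "CH", "1.215.233.74": "KR", "67.217.80.151": "US",
           "192.0.2.9": "US", "192.0.2.10": "US", "192.0.2.77": "US", "198.51.100.7": "NL"}
REGISTRANT = {"192.0.2.9": "ExampleHost", "192.0.2.10": "ExampleHost",
              "192.0.2.77": "ExampleHost", "198.51.100.7": "OtherCo"}
PRIOR_CASES = {"67.217.80.151": {"case-A", "case-B"}, "192.0.2.9": {"case-A"}}  # constructed case IDs


def is_city(ip: str) -> bool:
    return any(ip_address(ip) in net for net in CITY_NETS)


def peer(f: Flow) -> str:
    """The non-city side of a flow, i.e. the address worth enriching."""
    return f.dst if is_city(f.src) else f.src


def in_window(flows, start: str, end: str):
    """Restrict to the collection window (ISO dates compare correctly as strings)."""
    return [f for f in flows if start <= f.day <= end]


def flows_with_tag(flows, tag: str):
    """Flows whose peer the partner tagged with a family or category (qakbot, spam, ...)."""
    return [f for f in flows if TAGS.get(peer(f)) == tag]


def large_transfers(flows, threshold: int = LARGE_TRANSFER_BYTES):
    return [f for f in flows if f.nbytes >= threshold]


def dominant_registrant(flows):
    """Registrant receiving the most large transfers: the report's Rackspace-style baseline."""
    counts = Counter(REGISTRANT.get(peer(f), "unknown") for f in large_transfers(flows))
    return counts.most_common(1)[0][0] if counts else None


def exfil_candidates(flows, home_country: str = "US"):
    """Large transfers to peers outside home_country or outside the dominant registrant."""
    baseline = dominant_registrant(flows)
    out = []
    for f in large_transfers(flows):
        p = peer(f)
        reasons = []
        if COUNTRY.get(p) != home_country:
            reasons.append("non-" + home_country)
        if REGISTRANT.get(p) != baseline:
            reasons.append("registrant!=" + str(baseline))
        if reasons:
            out.append((p, f.nbytes, reasons))
    return out


def seen_in_prior_cases(flows, min_cases: int = 2):
    """Peers that also appeared in at least min_cases earlier investigations."""
    return sorted({peer(f) for f in flows if len(PRIOR_CASES.get(peer(f), ())) >= min_cases})


if __name__ == "__main__":
    sample = in_window(FLOWS, "2023-03-03", "2023-05-03")
    print("qakbot flows:", len(flows_with_tag(sample, "qakbot")))
    print("spam flows:", len(flows_with_tag(sample, "spam")))
    print("exfil candidates:", exfil_candidates(sample))
    print("seen in prior cases:", seen_in_prior_cases(sample))
```

On real data the enrichment dictionaries would be replaced by the partner's tag feed, a GeoIP database and WHOIS output; the point of deriving the baseline registrant from the data rather than hard-coding it is that the "deviation from the apparent norm" test in the findings generalizes to any organization whose bulk traffic goes to one hosting provider.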
Findings
None of the IP addresses CISA linked to Royal appeared in the traffic sample, nor did any of the IP addresses hosting the domains CISA linked to the group. This is not entirely unexpected; the most recent of these IoCs first appeared in January 2023. Under any circumstances, it would be fairly likely that a professional threat actor group would have begun using other IP addresses and domains in the intervening five months. Such a group would be especially likely to stop using IP addresses that the cybersecurity community has named as an IoC related to the group in a public report. Even in the absence of such clear connections to the group, the available NetFlow data and files contained in VirusTotal may nonetheless reflect Royal TTPs.
An HTML file containing malicious JavaScript and an image from a city government domain appeared in VirusTotal on March 10. The use of an image belonging to the city government suggests an attempt to impersonate it, and some of the file’s vendor detections link it to behavior resembling callback phishing. Twelve of its twenty-eight detections for malicious activity link it to Cryxos, a family of malicious JavaScript files that display fraudulent alerts to users when they visit the web pages (or open the attachments) containing those files. These alerts often warn the user that their computer has been infected by a virus or is otherwise affected by an issue requiring technical support and direct them to call a threat actor-controlled telephone number to receive such support. Attackers typically use their telephone conversations with victims to instruct them to send a payment for non-existent virus removal services and/or install remote access software. That software lets attackers steal payment information or install additional malware, which can in turn steal information or deliver subsequent malicious payloads, including ransomware.
With a slight change to their lure, though, Cryxos-linked files could similarly enable the callback phishing discussed above (previous callback phishing incidents linked to Royal used lures discussing targets’ payments to subscription services rather than directions for contacting technical support). Although it does not appear to use such a lure, this file may nonetheless reflect an initial access attempt that preceded the deployment of ransomware within the city government’s network, as its use of a city government image may suggest an attempt to impersonate the city government.
The traffic data may offer further evidence that the attack involved callback phishing or that attackers otherwise abused a legitimate remote access tool similar to those employed in callback phishing during the incident. While reviewing the IP addresses that appeared in both the city government’s traffic sample and those the STRIKE Team collected during previous investigations, researchers observed communication between city government assets and IP addresses that belong to remote access software company LogMeIn, Inc. (formerly GoToMeeting). While the software has many legitimate uses, attackers have also used legitimate remote access software (TeamViewer is especially common) to acquire control of target devices in previous incidents that culminated in ransomware deployment. City government IP addresses and thirty-eight LogMeIn IP addresses communicated 376 times between March 1 and May 4. All of these IP addresses are available in an appendix below.
Traffic data may additionally reflect other phishing attempts and a QakBot infection. An IP address hosting a city mail server and IP addresses linked to spam communicated seven times on March 30 and 31, and city-attributed IP addresses and QakBot-linked addresses communicated 134 times between March 5 and April 26.
The large data transfers contained in the traffic sample may suggest exfiltration. There were 7,124 flows of 100 MB or more, involving 665 unique IP addresses. Much of this data may reflect expected behavior. The vendors that contribute to VirusTotal have only linked eight of the IP addresses involved to malicious activity, and a relatively small portion, forty-one, are located outside of the U.S. A majority belong to Rackspace, so traffic to them may reflect the city’s use of Rackspace services. Conversely, the large transfers to non-Rackspace IP addresses may be more likely to represent unexpected (potentially malicious) behavior, given their deviation from the apparent norm (large transfers to Rackspace IP addresses). Researchers identified three IP addresses with registrant organizations other than Rackspace or a Rackspace acquisition. The IP addresses falling into each of the categories that may suggest they merit further attention (those with vendor detections, non-U.S. locations, or registrant organization other than Rackspace) are available in appendices below.
Conclusion
As this incident attests, ransomware remains a threat to local governments. Local governments’ information technology departments often suffer from insufficient budget and staffing, which limits their ability to manage city systems or monitor city networks. Local media coverage of this particular incident has alluded to such issues as well, noting some city offices’ use of outdated technology and data handling issues that affected other city departments in the recent past.
Similarly, prior to the recent attack, SecurityScorecard’s ratings platform graded the city government a D on an A-to-F scale, indicating that the city suffered from various issues that could have made the attack more likely. According to SecurityScorecard’s research, organizations with an A are 7.7 times less likely to suffer a breach than those with an F, but those with a D are only 2.6 times less likely to suffer one. As a result of this attack, the city’s score has, moreover, dropped to an F. Despite these issues, though, city officials praised personnel for detecting and containing the incident quickly. This may indicate that the city enjoys well-developed incident response policies and procedures that could help offset the observed issues and contribute to its overall resilience, even in the face of a breach.
Appendices
QakBot-Linked IP Addresses
- 195.176.3[.]19
- 195.176.3[.]24
- 195.176.3[.]23
- 195.176.3[.]20
- 178.62.220[.]93
Spam-Linked IP Addresses
- 1.215.233[.]74
- 103.109.177[.]221
- 103.103.93[.]2
- 157.119.169[.]86
LogMeIn IP Addresses
- 68.64.22[.]20
- 173.199.15[.]254
- 68.64.22[.]216
- 67.217.82[.]103
- 173.199.44[.]21
- 68.64.29[.]70
- 67.217.88[.]109
- 67.217.91[.]86
- 67.217.78[.]146
- 67.217.80[.]151
- 216.115.215[.]20
- 67.217.80[.]67
- 216.219.115[.]106
- 67.217.80[.]115
- 216.219.115[.]94
- 216.219.115[.]96
- 216.219.115[.]100
- 216.219.115[.]104
- 67.217.80[.]163
- 216.219.115[.]98
- 67.217.80[.]127
- 67.217.80[.]175
- 216.219.115[.]102
- 67.217.80[.]103
- 67.217.80[.]139
- 216.219.115[.]74
- 216.219.115[.]6
- 67.217.91[.]90
- 67.217.78[.]166
- 216.219.115[.]60
- 216.219.115[.]66
- 216.219.115[.]7
- 67.217.91[.]78
- 67.217.78[.]48
- 216.219.115[.]54
- 216.219.115[.]52
- 216.219.115[.]45
- 216.219.115[.]42