Symbolic picture only. Photo credit: Twitter/@IndianCERT
The Indian cyber security agency has issued a warning against the “Royal Ransomware” virus, which attacks vital sectors like communication, healthcare and education, and even individuals, and demands payment in bitcoins in return for not leaking personal data in the public domain.
The Indian Computer Emergency Response Team, or CERT-In, has said in its latest advisory that this Internet-spreading ransomware infiltrates through phishing emails, malicious downloads, misuse of RDP (Remote Desktop Protocol) and other forms of social engineering. Cyber experts told PTI that this ransomware was first detected in January 2022 and became active around September last year, even as US authorities issued advisories against its spread.
“Royal ransomware is targeting multiple critical infrastructure sectors including manufacturing, communication, health care, education, etc. or individuals. The ransomware encrypts files on the victim’s system and the attackers ask for ransom payment in bitcoins,” the advisory said.
“The attackers also threaten to leak the data in the public domain if payment is refused,” the advisory said. CERT-In is the federal technology arm for combating cyber attacks and protecting cyberspace against phishing and hacking attacks and similar online attacks.
“The threat actors have adopted various tactics to mislead victims into installing remote access software as a part of call back phishing, where they pretend to be various service providers,” the advisory states.
The ransomware infects “using a specific approach to encrypting files based on the size of the content”. “This will split the content into two sections, i.e. encrypted and unencrypted. The malware can choose a small amount of data from a large file to encrypt so as to increase the chances of evading detection. It adds 532 bytes at the end of the encrypted file to write the randomly generated encryption key, the file size of the encrypted file and the encryption percentage parameters,” CERT-In said.
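Why the size-based partial encryption described above matters for detection, as an added illustration that is not code from the advisory or this article: a whole-file entropy check sees mostly plaintext and stays quiet, while a per-chunk entropy check still surfaces the encrypted section. The file layout (random head, plaintext tail, 532-byte trailer), the 4 KiB chunk size and the two thresholds are assumptions made for this demonstration; the trailer format itself is not described on this page.

```python
import math
import os
from collections import Counter

CHUNK = 4096        # assumed analysis window; not from the advisory
FOOTER_LEN = 532    # trailer size reported in the CERT-In advisory
HIGH = 7.5          # assumed: bits/byte typical of ciphertext or compressed data
LOW = 6.0           # assumed: bits/byte typical of plain text and documents


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the empirical distribution (0.0 for empty, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each fixed-size chunk of the file body, ignoring the trailer."""
    body = data[:-FOOTER_LEN] if len(data) > FOOTER_LEN else data
    return [shannon_entropy(body[i:i + chunk]) for i in range(0, len(body), chunk)]


def whole_file_flags(data: bytes) -> bool:
    """Naive detector: treat the file as encrypted only if the whole file is high-entropy."""
    return shannon_entropy(data) > HIGH


def looks_partially_encrypted(data: bytes) -> bool:
    """Chunked detector: a body that mixes near-random chunks with structured ones is suspect."""
    ents = chunk_entropies(data)
    return any(e > HIGH for e in ents) and any(e < LOW for e in ents)


def make_plain_sample(size: int = 64 * 1024) -> bytes:
    """Constructed plaintext document used as the benign baseline."""
    line = b"quarterly figures, see attached spreadsheet\n"
    return (line * (size // len(line) + 1))[:size]


def make_encrypted_sample(size: int = 64 * 1024, percent: int = 10) -> bytes:
    """Constructed victim file: only the first `percent` of bytes replaced by random data,
    then a 532-byte trailer appended, mimicking the two-section layout the advisory describes."""
    plain = make_plain_sample(size)
    cut = size * percent // 100
    return os.urandom(cut) + plain[cut:] + os.urandom(FOOTER_LEN)
```

Run `looks_partially_encrypted(make_encrypted_sample())` against `whole_file_flags(...)` on the same sample to see which check notices the 10 % encryption.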
The virulence of this virus can be gauged from the fact that, before starting to encrypt the data it targets, the ransomware checks the status of the targeted files and removes shadow copies through the relevant service in order to “prevent recovery”.
“After infiltrating the network, the malware tries to create persistence and lateral movement in the network. The ransomware disables anti-virus protocols even after gaining access to domain controllers. In addition, the ransomware excludes a large amount of data before encryption.”
It has been observed, the advisory says, that ‘Royal Ransomware’ does not share information such as the ransom amount or any instructions on the ransom note like other ransomware does; rather, it directly sends the victim a .onion URL (a dark-web address that the victim connects to through a dedicated browser).
The agency has suggested some countermeasures and internet hygiene protocols to protect against this ransomware attack and other similar attacks. “Maintain offline backups of data, and maintain regular backup and restoration as this practice will ensure the organization will not be severely disrupted and contain immutable data.”
“It is also recommended that all backup data be encrypted, irreversible (i.e., cannot be changed or deleted) covering the entire organization’s data infrastructure,” it said.
Users should enable protected files in the Windows operating system to prevent unauthorized changes to important files, disable remote desktop connections, employ low-privilege accounts, limit the users who can log in using Remote Desktop, and set an account lockout policy.
Several other best practices have been suggested by the agency, including basic ones such as keeping an updated anti-virus on the computer system and not clicking on links in unsolicited emails from unknown senders.