Royal Ransomware Attack Demo

0:01 Welcome to the Juniper Threat Labs Attack Demo series.

0:04 Today's subject is Royal Ransomware.

0:09 Following a brief description of royal ransomware, this video will demonstrate how malicious

0:13 threat actors conduct a Royal Ransomware attack.

0:18 In September 2022, Royal Ransomware began to emerge as one of the top ransomware variants,

0:24 infecting organizations both in and outside of the United States.

0:28 With Royal Ransomware, malicious threat actors are targeting critical infrastructure including

0:33 companies in the healthcare, manufacturing, communication, as well as other industries.

0:38 Royal’s malicious threat actors have made ransom demands in Bitcoin ranging in value

0:44 from approximately 1,000,000 to 11 million U.S. dollars.

0:48 Royal’s malicious threat actors typically do not include the ransom amount and payment

0:53 instructions as part of the initial ransom note.

0:56 Instead, once the victim machine is encrypted following the ransomware infection, victims

1:01 are instructed to interact with the malicious threat actor via dot onion URL accessible

1:06 via the Tor browser.

1:09 Obvious signs of a Royal Ransomware infection can be seen by observing a file name extension,

1:14 royal or royal_W appended to the encrypted file names.

1:21 In addition, the US cybersecurity and infrastructure Security Agency (CISA) and the Federal Bureau

1:27 of Investigation, the FBI, recently published a joint advisory warning the public about

1:33 the threat posed by these malicious royal ransomware attacks and the continued targeting

1:38 of critical infrastructure companies by royal malicious threat actors.

1:43 If you're wondering how royal ransomware gains access to victim systems, the most common

1:48 method is via phishing.

1:50 In this case, the attackers send a malicious PDF document through e-mail to potential victims.

1:56 Victims make the mistake of downloading and opening the malicious PDF file.

2:01 When the victim's PC is vulnerable, the attack is successful and the victim's PC is compromised.

2:07 In addition to phishing, another popular method of delivering Royal Ransomware to victims

2:11 is through Remote Desktop Protocol RDP.

2:15 Now with the background on Royal Ransomware out of the way.

2:18 Next up, in this video, Juniper Threat Labs demonstrates how Royal Ransomware infects

2:23 a victim's system afterward.

2:25 We'll show you how you can detect, block and isolate any infected system using a Juniper

2:31 SRX firewall with ATP Cloud.

2:35 Let's get started for this Juniper Threat Labs Attack Demo Series video.

2:40 We are demonstrating a Royal ransomware infection using Remote Desktop Protocol or RDP as the

2:47 infection vehicle, leading to compromise using RDP access.

2:51 Royal malicious threat actors simply log into the victim's system.

2:54 And gain access to the victim's desktop.

2:57 Once the victim's desktop is accessible to them, Royal malicious threat actors launch

3:01 a PowerShell attack that downloads and executes a PowerShell script Install dot PS1 It's install

3:08 dot PS1 script and downloads and executes the Royal ransomware executable royal.exe.

3:16 Here we're using a system running Cali Linux from which we will attack the victim first.

3:23 Posing as the attacker, we run Remote Desktop, which provides access to the victim system.

3:30 As you can see, the victim has several important documents.

3:33 One might expect that these files will be encrypted once we launch and successfully

3:37 execute the attack, so take note of those file names.

3:42 To show the network and system activity as the infection happens, we've started Process

3:46 Monitor and Wireshark.

3:48 Next, we launch a command prompt.

3:51 And execute our PowerShell script which really begins the attack.

3:56 The PowerShell script downloads and executes install dot PS1, which itself will then download

4:04 and execute royal.exe.

4:08 Using the process Monitor we can see that royal.exe is enumerating files and encrypting

4:12 them.

4:13 After a few seconds, the files on the victim's system are encrypted as a result of the malicious

4:19 ransomware.

4:20 A malicious Royal Ransomware appended a Royal W file extension to every infected file that

4:26 it encrypted.

4:28 As is typical in a ransomware infection, Royal Ransomware drops a README text file which

4:33 serves as a ransom note in every infected folder.

4:37 Here you see the readme text ransomware note being opened from the desktop folder where

4:41 it was dropped.

4:44 The ransom note contains text telling the victim that it is infected with Royal Ransomware.

4:49 In addition, the note explains to the compromise victim that in order to have your files decrypted,

4:55 you must contact them via a onion URL, at which point the victim will be directed to

5:00 pay the ransom fee in Bitcoin.

5:04 Now we will simulate the Royal ransomware attack again, but this time the victim is

5:08 protected with the Juniper firewall as we want to demonstrate how you can detect, block

5:12 and isolate an infected system using a Juniper SRX firewall with ATP Cloud.

5:18 For the demo, Juniper Threat Labs is using the following setup.

5:23 We have a vSRX in the center.

5:25 The vSRX is a virtual SRX firewall providing network security protection.

5:31 Its purpose is to inspect network traffic and with the assistance of a Juniper ATP Cloud

5:37 to detect ransomware attacks, including this royal ransomware attack.

5:42 In addition to the firewall, we are using Junos Space Security Director, which is a

5:47 centralized management system.

5:49 Director facilitates our configuring and monitoring of the vSRX firewall.

5:54 Juniper's Junos Space Policy Enforcer enforces security policies on endpoints and ensures

5:59 they comply with corporate security standards.

6:02 Richard as well are several Windows workstations, each of which is connected to the vSRX.

6:08 There is an Ubuntu server which is acting as the malware download server.

6:13 You'll be using one of the Windows hosts as a jump station to connect to the victim's

6:16 host using RDP and from there launching the attack.

6:21 Before we proceed with the ransomware simulation, let's first take a look at the threat prevention

6:26 policy that we've set up on our Security Director and applied to the vSRX.

6:33 To access the policy, we'll navigate to the Configure tab on the left.

6:38 Then we select Threat Prevention and Policies.

6:47 As you can see, we already have an existing policy in place.

6:51 Let's further inspect the protections being enforced by the applied policy.

6:55 For this demo, our policy is configured to block command and control traffic at threat

7:00 level 8 and above.

7:02 We've also set it to block infected hosts at threat level 8 and above.

7:06 Finally, we've configured our policy to use ATP Cloud for malware detection, and here

7:11 we've chosen to block any and all threats rated at level 8 and above.

7:17 This threat prevention policy applied to the Juniper vSRX firewall is a critical component

7:22 of our defenses, protecting our systems against ransomware attacks, including Royal ransomware.

7:27 It allows us to detect and block malicious traffic as well as the activity of potentially

7:32 infected hosts.

7:33 Which will then prevent the spread of malware throughout our network in the event that one

7:37 of our systems gets compromised, acting like would be malicious threat actors.

7:42 For the demo, we now connect to the victim system via RDP.

7:46 We started Wireshark to monitor network activity.

7:51 To confirm that we have Internet connectivity, we first visit Wikipedia and YouTube.

7:59 Later we will show you that once the vSRX has identified an infected host, the host

8:04 will then be isolated from the network.

8:07 Once that occurs, the infected host will lose its Internet connection.

8:13 As before.

8:14 To launch the attack, we open a command shell.

8:16 With that open, we launch the PowerShell attack as you can see from the Wireshark.

8:25 It was able to download, install the PS1 and royal.exe.

8:33 If we go back to Security Director, we can see that it detects royal.exe with a threat

8:39 level of 10.

8:42 We can click on that file to see more details about the malware, including the system or

8:46 host where it is downloaded.

8:52 We can also use the ATP Cloud dashboard to see more details about the malware.

8:57 After clicking on the malicious file name, we can delve deeper.

9:01 We can see static analysis that Juniper Systems performed.

9:03 We can see behavioral analysis as well, which indicates that the file's behavior does indeed

9:08 resemble ransomware.

9:10 Behavioral analysis also includes details about how the malware deletes, shadow backups,

9:14 and several evasion techniques it employs.

9:17 We can also see some processes being launched from the Behavior Details tab.

9:21 ATP Cloud also includes miter attack techniques.

9:25 It is important to note that the ATP Cloud was able to detect this malware without signatures.

9:30 ATP Cloud uses machine learning combined with static and dynamic analysis enabling Juniper

9:35 to successfully detect this malware.

9:38 Next we can go over to Junos Space Security Director and under the ATP Cloud Host tab,

9:44 we can show you that the infected system has been added to the set of infected hosts.

9:49 Host was identified at threat level 9.

9:55 Earlier recall that we configured the vSRX to block hosts at threat level 8 and above.

10:01 Also here indicated is why the vSRX blocked the host to begin with.

10:05 In this case, due to a malicious file download, if we go back to our host, we can see that

10:11 it no longer has Internet connectivity.

10:41 Once we're sure that the ransomware infected host is free from infection, we will want

10:45 to restore the infected system back to the network.

10:48 To do so, we go to Security Director and click on the infected host.

10:52 To the right of the investigation status.

10:54 We select Resolved Fixed.

10:57 Afterwards, the host status is now clean and the host is connected once again to the network

11:04 and able to operate as before.

11:12 As you watch the restored host once again enjoying Internet connectivity, there's one

11:16 final point we want to make.

11:18 You may be wondering how the host got infected with Juniper vSRX and ATP providing protection.

11:24 It's because we were demonstrating a zero-day attack before the ransomware was known.

11:29 Had we enabled Juniper Sandbox analysis, this attack would have been detected and blocked,

11:34 but then you wouldn't have been able to see the ransomware infect the victim's system.

11:37 And we wouldn't have been able to demonstrate how Juniper's Connected Security solutions

11:42 prevent the further spread of infection in the event that occurs.

11:46 That completes our demo of Royal Ransomware.

11:49 Check out more videos from the Juniper Threat Labs Attack demo series by visiting juniper.net.

11:53 Thanks for watching.