Royal Ransomware: What Your Law Firm Needs to Know and Do

This image accompanies a story about Ransomware Awareness Month, which is the month of July.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI last week issued a joint advisory on Royal ransomwareRoyal is noteworthy for its ability to disable various anti-virus tools in the course of exfiltrating data in its double-extortion attacks. Savvy has been a preferred partner with KnowBe4 for years, and we want to share this information with our law firm partners so that you can protect yourselves.

What is Royal Ransomware?

Royal’s operators are marked by their willingness to target “numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, healthcare and public healthcare (HPH), and education.” 

The gang has been known to demand ransom payments of between $1 million and $10 million. The CISA and FBI advisory includes a comprehensive overview of Royal’s tactics, techniques, and procedures; its indicators of compromise; and mitigations that organizations can deploy to help weather an attack with Royal ransomware.

Royal captures the majority of its victims through phishing.

“According to third-party reporting,” CISA and the FBI say, “Royal actors most commonly (in 66.7% of incidents) gain initial access to victim networks via successful phishing emails.” 

The malicious payload is most often carried inside PDF files that arrive as an attachment to those phishing emails. The ransomware has also been observed to arrive in the form of malvertising.

What Happens Once Royal Ransomware Gets Inside Your Firm’s Network?

Once the threat actors have obtained access to the victim’s network, they establish persistence and move laterally across those networks to get to the data they find valuable. 

“Royal actors exfiltrate data from victim networks by repurposing legitimate cyber pentesting tools, such as Cobalt Strike, and malware tools and derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration. According to third-party reporting, Royal actors’ first hop in exfiltration and other operations is usually a U.S. IP address.”

Once they’ve exfiltrated what they want, they begin the process of encrypting the victims’ files, and once the files are encrypted, the gang delivers its ransom demand. 

Should You Pay Royal?

“FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, or CISA at”

The advisory contains many additional suggestions for policies, practices, and technical defenses that can help armor any organization against ransomware, and they’re well worth your time to review. It’s also worth pointing out that an administrator or a user whose mind is prepared will also prove an invaluable shield, and new school security awareness training can help prepare those minds.

The complete CISA/FBI alert is here.

Take a 30-Minute Demo of KnowBe4 to Protect Your Firm from Royal Ransomware

Royal gains access to your network through phishing. The best way to protect your firm from phish attacks is through ongoing security awareness training.

Savvy is a licensed KnowBe4 provider to the legal industry. We have helped law firms implement the KnowBe4 training system and deliver huge phishing reductions as a result.

KnowBe4’s easy-to-implement platform integrates baseline testing using mock attacks, engaging interactive web-based training, and continuous assessment through simulated phishing, vishing and smishing attacks to build a more resilient and secure organization. 

Book a demo today!


Leave a Reply

Contact Us: