Royal Ransomware Attack Demo

Juniper Threat Labs Security
The title image of the presentation is shown. On a gray background, the video is written in green type and reads, “Royal Ransomware Attack Demo.”

Juniper to the rescue

In this episode of the Juniper Threat Labs Attack Demo Series, you’ll see firsthand how malicious threat actors conduct a Royal ransomware attack. Companies in critical infrastructure, including healthcare, communications, and manufacturing, have been targeted by Royal ransomware since it emerged in September 2022. Today it remains one of the top ransomware variants. This video demonstrates how Juniper can help prevent these attacks––and keep your systems safe.

Show more

You’ll learn

  • How to identify obvious signs of a Royal ransomware infection

  • How exactly Royal ransomware gains access to victims’ systems

  • How to detect, block, and isolate any infected system using a Juniper SRX firewall with ATP Cloud

Who is this for?

Security Professionals Business Leaders


0:01 Welcome to the Juniper Threat Labs Attack Demo series.

0:04 Today's subject is Royal Ransomware.

0:09 Following a brief description of royal ransomware, this video will demonstrate how malicious

0:13 threat actors conduct a Royal Ransomware attack.

0:18 In September 2022, Royal Ransomware began to emerge as one of the top ransomware variants,

0:24 infecting organizations both in and outside of the United States.

0:28 With Royal Ransomware, malicious threat actors are targeting critical infrastructure including

0:33 companies in the healthcare, manufacturing, communication, as well as other industries.

0:38 Royal’s malicious threat actors have made ransom demands in Bitcoin ranging in value

0:44 from approximately 1,000,000 to 11 million U.S. dollars.

0:48 Royal’s malicious threat actors typically do not include the ransom amount and payment

0:53 instructions as part of the initial ransom note.

0:56 Instead, once the victim machine is encrypted following the ransomware infection, victims

1:01 are instructed to interact with the malicious threat actor via dot onion URL accessible

1:06 via the Tor browser.

1:09 Obvious signs of a Royal Ransomware infection can be seen by observing a file name extension,

1:14 royal or royal_W appended to the encrypted file names.

1:21 In addition, the US cybersecurity and infrastructure Security Agency (CISA) and the Federal Bureau

1:27 of Investigation, the FBI, recently published a joint advisory warning the public about

1:33 the threat posed by these malicious royal ransomware attacks and the continued targeting

1:38 of critical infrastructure companies by royal malicious threat actors.

1:43 If you're wondering how royal ransomware gains access to victim systems, the most common

1:48 method is via phishing.

1:50 In this case, the attackers send a malicious PDF document through e-mail to potential victims.

1:56 Victims make the mistake of downloading and opening the malicious PDF file.

2:01 When the victim's PC is vulnerable, the attack is successful and the victim's PC is compromised.

2:07 In addition to phishing, another popular method of delivering Royal Ransomware to victims

2:11 is through Remote Desktop Protocol RDP.

2:15 Now with the background on Royal Ransomware out of the way.

2:18 Next up, in this video, Juniper Threat Labs demonstrates how Royal Ransomware infects

2:23 a victim's system afterward.

2:25 We'll show you how you can detect, block and isolate any infected system using a Juniper

2:31 SRX firewall with ATP Cloud.

2:35 Let's get started for this Juniper Threat Labs Attack Demo Series video.

2:40 We are demonstrating a Royal ransomware infection using Remote Desktop Protocol or RDP as the

2:47 infection vehicle, leading to compromise using RDP access.

2:51 Royal malicious threat actors simply log into the victim's system.

2:54 And gain access to the victim's desktop.

2:57 Once the victim's desktop is accessible to them, Royal malicious threat actors launch

3:01 a PowerShell attack that downloads and executes a PowerShell script Install dot PS1 It's install

3:08 dot PS1 script and downloads and executes the Royal ransomware executable royal.exe.

3:16 Here we're using a system running Cali Linux from which we will attack the victim first.

3:23 Posing as the attacker, we run Remote Desktop, which provides access to the victim system.

3:30 As you can see, the victim has several important documents.

3:33 One might expect that these files will be encrypted once we launch and successfully

3:37 execute the attack, so take note of those file names.

3:42 To show the network and system activity as the infection happens, we've started Process

3:46 Monitor and Wireshark.

3:48 Next, we launch a command prompt.

3:51 And execute our PowerShell script which really begins the attack.

3:56 The PowerShell script downloads and executes install dot PS1, which itself will then download

4:04 and execute royal.exe.

4:08 Using the process Monitor we can see that royal.exe is enumerating files and encrypting

4:12 them.

4:13 After a few seconds, the files on the victim's system are encrypted as a result of the malicious

4:19 ransomware.

4:20 A malicious Royal Ransomware appended a Royal W file extension to every infected file that

4:26 it encrypted.

4:28 As is typical in a ransomware infection, Royal Ransomware drops a README text file which

4:33 serves as a ransom note in every infected folder.

4:37 Here you see the readme text ransomware note being opened from the desktop folder where

4:41 it was dropped.

4:44 The ransom note contains text telling the victim that it is infected with Royal Ransomware.

4:49 In addition, the note explains to the compromise victim that in order to have your files decrypted,

4:55 you must contact them via a onion URL, at which point the victim will be directed to

5:00 pay the ransom fee in Bitcoin.

5:04 Now we will simulate the Royal ransomware attack again, but this time the victim is

5:08 protected with the Juniper firewall as we want to demonstrate how you can detect, block

5:12 and isolate an infected system using a Juniper SRX firewall with ATP Cloud.

5:18 For the demo, Juniper Threat Labs is using the following setup.

5:23 We have a vSRX in the center.

5:25 The vSRX is a virtual SRX firewall providing network security protection.

5:31 Its purpose is to inspect network traffic and with the assistance of a Juniper ATP Cloud

5:37 to detect ransomware attacks, including this royal ransomware attack.

5:42 In addition to the firewall, we are using Junos Space Security Director, which is a

5:47 centralized management system.

5:49 Director facilitates our configuring and monitoring of the vSRX firewall.

5:54 Juniper's Junos Space Policy Enforcer enforces security policies on endpoints and ensures

5:59 they comply with corporate security standards.

6:02 Richard as well are several Windows workstations, each of which is connected to the vSRX.

6:08 There is an Ubuntu server which is acting as the malware download server.

6:13 You'll be using one of the Windows hosts as a jump station to connect to the victim's

6:16 host using RDP and from there launching the attack.

6:21 Before we proceed with the ransomware simulation, let's first take a look at the threat prevention

6:26 policy that we've set up on our Security Director and applied to the vSRX.

6:33 To access the policy, we'll navigate to the Configure tab on the left.

6:38 Then we select Threat Prevention and Policies.

6:47 As you can see, we already have an existing policy in place.

6:51 Let's further inspect the protections being enforced by the applied policy.

6:55 For this demo, our policy is configured to block command and control traffic at threat

7:00 level 8 and above.

7:02 We've also set it to block infected hosts at threat level 8 and above.

7:06 Finally, we've configured our policy to use ATP Cloud for malware detection, and here

7:11 we've chosen to block any and all threats rated at level 8 and above.

7:17 This threat prevention policy applied to the Juniper vSRX firewall is a critical component

7:22 of our defenses, protecting our systems against ransomware attacks, including Royal ransomware.

7:27 It allows us to detect and block malicious traffic as well as the activity of potentially

7:32 infected hosts.

7:33 Which will then prevent the spread of malware throughout our network in the event that one

7:37 of our systems gets compromised, acting like would be malicious threat actors.

7:42 For the demo, we now connect to the victim system via RDP.

7:46 We started Wireshark to monitor network activity.

7:51 To confirm that we have Internet connectivity, we first visit Wikipedia and YouTube.

7:59 Later we will show you that once the vSRX has identified an infected host, the host

8:04 will then be isolated from the network.

8:07 Once that occurs, the infected host will lose its Internet connection.

8:13 As before.

8:14 To launch the attack, we open a command shell.

8:16 With that open, we launch the PowerShell attack as you can see from the Wireshark.

8:25 It was able to download, install the PS1 and royal.exe.

8:33 If we go back to Security Director, we can see that it detects royal.exe with a threat

8:39 level of 10.

8:42 We can click on that file to see more details about the malware, including the system or

8:46 host where it is downloaded.

8:52 We can also use the ATP Cloud dashboard to see more details about the malware.

8:57 After clicking on the malicious file name, we can delve deeper.

9:01 We can see static analysis that Juniper Systems performed.

9:03 We can see behavioral analysis as well, which indicates that the file's behavior does indeed

9:08 resemble ransomware.

9:10 Behavioral analysis also includes details about how the malware deletes, shadow backups,

9:14 and several evasion techniques it employs.

9:17 We can also see some processes being launched from the Behavior Details tab.

9:21 ATP Cloud also includes miter attack techniques.

9:25 It is important to note that the ATP Cloud was able to detect this malware without signatures.

9:30 ATP Cloud uses machine learning combined with static and dynamic analysis enabling Juniper

9:35 to successfully detect this malware.

9:38 Next we can go over to Junos Space Security Director and under the ATP Cloud Host tab,

9:44 we can show you that the infected system has been added to the set of infected hosts.

9:49 Host was identified at threat level 9.

9:55 Earlier recall that we configured the vSRX to block hosts at threat level 8 and above.

10:01 Also here indicated is why the vSRX blocked the host to begin with.

10:05 In this case, due to a malicious file download, if we go back to our host, we can see that

10:11 it no longer has Internet connectivity.

10:41 Once we're sure that the ransomware infected host is free from infection, we will want

10:45 to restore the infected system back to the network.

10:48 To do so, we go to Security Director and click on the infected host.

10:52 To the right of the investigation status.

10:54 We select Resolved Fixed.

10:57 Afterwards, the host status is now clean and the host is connected once again to the network

11:04 and able to operate as before.

11:12 As you watch the restored host once again enjoying Internet connectivity, there's one

11:16 final point we want to make.

11:18 You may be wondering how the host got infected with Juniper vSRX and ATP providing protection.

11:24 It's because we were demonstrating a zero-day attack before the ransomware was known.

11:29 Had we enabled Juniper Sandbox analysis, this attack would have been detected and blocked,

11:34 but then you wouldn't have been able to see the ransomware infect the victim's system.

11:37 And we wouldn't have been able to demonstrate how Juniper's Connected Security solutions

11:42 prevent the further spread of infection in the event that occurs.

11:46 That completes our demo of Royal Ransomware.

11:49 Check out more videos from the Juniper Threat Labs Attack demo series by visiting

11:53 Thanks for watching.

Show more