Royal is a ransomware-as-a-service operated by ROYAL SPIDER, which emerged following the Conti leaks in 2022. Today’s rule matches strings found in Windows and Linux samples of Royal ransomware:
rule MAL_Royal_strings {
    meta:
        description = "Matches strings found in Windows and Linux samples of Royal ransomware."
        last_modified = "2024-01-20"
        author = "@petermstewart"
        DaysofYara = "20/100"
        sha256 = "312f34ee8c7b2199a3e78b4a52bd87700cc8f3aa01aa641e5d899501cb720775"
        sha256 = "9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926"
        sha256 = "b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c"
    strings:
        $a = "royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion"
        $b1 = "If you are reading this, it means that your system were hit by Royal ransomware"
        $b2 = "Please contact us via :"
        $b3 = "In the meantime, let us explain this case"
        $b4 = "It may seem complicated, but it is not!"
        $b5 = "Most likely what happened was that you decided to save some money on your security infrastructure"
        $b6 = "Alas, as a result your critical data was not only encrypted but also copied from your systems on a secure server"
        $b7 = "From there it can be published online"
        $b8 = "Then anyone on the internet from darknet criminals, ACLU journalists, Chinese government"
        $b9 = "and even your employees will be able to see your internal documentation: personal data, HR reviews, internal lawsuitsand complains, financial reports, accounting, intellectual property, and more"
        $b10 = "Fortunately we got you covered!"
        $b11 = "Royal offers you a unique deal.For a modest royalty(got it; got it ? )"
        $b12 = "Try Royal today and enter the new era of data security"
        $b13 = "We are looking to hearing from you soon"
    condition:
        filesize > 2000KB and filesize < 3500KB and
        (uint16(0) == 0x5a4d or uint32(0) == 0x464c457f) and
        $a and
        10 of ($b*)
}
But wait, there’s more! When I was looking at the Linux sample (SHA256: b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c) I found an RSA Public Key block. I don’t know what it’s for, but my rule matches at least one more sample (SHA256: 06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725) so it might be interesting.
rule HUNT_Royal_RSA_Public_Key {
    meta:
        description = "Matches an RSA Public Key block found in Royal ransomware Linux samples."
        last_modified = "2024-01-20"
        author = "@petermstewart"
        DaysofYara = "20/100"
        sha256 = "b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c"
        sha256 = "06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725"
    strings:
        $key1 = "-----BEGIN RSA PUBLIC KEY-----"
        $key2 = "MIICCAKCAgEAp/24TNvKoZ9rzwMaH9kVGq4x1j+L/tgWH5ncB1TQA6eT5NDtgsQH"
        $key3 = "jv+6N3IY8P4SPSnG5QUBp9uYm3berObDuLURZ4wGW+HEKY+jNht5JD4aE+SS2Gjl"
        $key4 = "+lht2N+S8lRDAjcYXJZaCePN4pHDWQ65cVHnonyo5FfjKkQpDlzbAZ8/wBY+5gE4"
        $key5 = "Tex2Fdh7pvs7ek8+cnzkSi19xC0plj4zoMZBwFQST9iLK7KbRTKnaF1ZAHnDKaTQ"
        $key6 = "uCkJkcdhpQnaDyuUojb2k+gD3n+k/oN33Il9hfO4s67gyiIBH03qG3CYBJ0XfEWU"
        $key7 = "cvvahe+nZ3D0ffV/7LN6FO588RBlI2ZH+pMsyUWobI3TdjkdoHvMgJItrqrCK7BZ"
        $key8 = "TIKcZ0Rub+RQJsNowXbC+CbgDl38nESpKimPztcd6rzY32Jo7IcvAqPSckRuaghB"
        $key9 = "rkci/d377b6IT+vOWpNciS87dUQ0lUOmtsI2LLSkwyxauG5Y1W/MDUYZEuhHYlZM"
        $key10 = "cKqlSLmu8OTitL6bYOEQSy31PtCg2BOtlSu0NzW4pEXvg2hQyuSEbeWEGkrJrjTK"
        $key11 = "v9K7eu+eT5/arOy/onM56fFZSXfVseuC48R9TWktgCpPMkszLmwY14rp1ds6S7OO"
        $key12 = "/HLRayEWjwa0eR0r/GhEHX80C8IU54ksEuf3uHbpq8jFnN1A+U239q0CAQM="
        $key13 = "-----END RSA PUBLIC KEY-----"
    condition:
        filesize > 2MB and filesize < 3MB and
        (uint16(0) == 0x5a4d or uint32(0) == 0x464c457f) and
        all of ($key*)
}
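Both rules share the same header and size gating, and it is worth seeing how that gate actually evaluates. The Python below is an added example, not part of the post or the author's repository: it re-evaluates the MAL_Royal_strings condition over a constructed byte buffer (no real sample needed) to show that YARA's uint16(0)/uint32(0) are little-endian reads, which is why "MZ" compares as 0x5a4d and "\x7fELF" as 0x464c457f, and that the KB suffix means 1024 bytes (so the 2000KB floor of the first rule is 2,048,000 bytes, while the 2MB floor of the HUNT rule is 2,097,152). The function names and the sample buffers are my own constructions.

```python
import struct

# Strings from the MAL_Royal_strings rule (onion address and ransom-note fragments).
ONION = b"royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion"
NOTE_FRAGMENTS = (
    b"If you are reading this, it means that your system were hit by Royal ransomware",
    b"Please contact us via :",
    b"In the meantime, let us explain this case",
    b"It may seem complicated, but it is not!",
    b"Most likely what happened was that you decided to save some money on your security infrastructure",
    b"Alas, as a result your critical data was not only encrypted but also copied from your systems on a secure server",
    b"From there it can be published online",
    b"Then anyone on the internet from darknet criminals, ACLU journalists, Chinese government",
    b"and even your employees will be able to see your internal documentation: personal data, HR reviews, internal lawsuitsand complains, financial reports, accounting, intellectual property, and more",
    b"Fortunately we got you covered!",
    b"Royal offers you a unique deal.For a modest royalty(got it; got it ? )",
    b"Try Royal today and enter the new era of data security",
    b"We are looking to hearing from you soon",
)
KB = 1024  # YARA's KB suffix multiplies by 1024, so 2000KB is 2,048,000 bytes (MB is 1024*1024)

def is_pe_or_elf(data: bytes) -> bool:
    """YARA's uint16(0)/uint32(0) read little-endian: b"MZ" -> 0x5a4d, b"\\x7fELF" -> 0x464c457f."""
    if len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D:
        return True
    return len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == 0x464C457F

def matches_mal_royal_strings(data: bytes) -> bool:
    """Evaluate the rule's condition: size window, PE/ELF magic, onion address, then 10 of the 13 fragments."""
    if not (2000 * KB < len(data) < 3500 * KB):
        return False
    if not is_pe_or_elf(data) or ONION not in data:
        return False
    hits = sum(1 for fragment in NOTE_FRAGMENTS if fragment in data)
    return hits >= 10

def build_sample(magic: bytes, fragments, size: int, with_onion: bool = True) -> bytes:
    """Constructed test buffer (not a real binary): magic, onion, fragments, zero-padded to `size` bytes."""
    body = magic + b"\x00" * 64 + (ONION if with_onion else b"") + b"\x00".join(fragments)
    return body.ljust(size, b"\x00")

if __name__ == "__main__":
    # An ELF-like buffer of 2500KB carrying the onion address and 11 of the 13 note fragments.
    elf_like = build_sample(b"\x7fELF", NOTE_FRAGMENTS[:11], 2500 * KB)
    print(matches_mal_royal_strings(elf_like))  # True
```

Swapping the size window for 2 * 1024 * KB and 3 * 1024 * KB and the count for `hits == 13` gives the HUNT rule's gate over the $key strings.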
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my GitHub repository.