The attacks, delivered in a variety of ways, are attributed to a group Microsoft tracks as DEV–0569 – a temporary name, as the origin and identity of the group behind the activity is still uncertain.
Some of the campaigns deliver Royal ransomware using a method commonly associated with cyberattacks; phishing emails used to deliver a malicious attachment, in this case, containing Batloader backdoor malware, which is used to download the ransomware payload.
This isn't the only phishing method that the Royal ransomware attackers use to deliver the initial payload. Microsoft also notes that it's delivered via emails with links to what pose as legitimate installers and updates for commonly used business applications. Downloading these fake updates installs the backdoor, which is later used to deliver malware.
More unusual techniques include using contact forms to gain access to targets and deliver malware. DEV-0569 isn't the first ransomware operation to distribute attacks in this way, but the attack method is still an uncommon one – and one which defenders may not consider.
The attackers send messages to the targets via the contact forms on the targets' own websites, claiming to be from a national financial authority. If the victim responds to the message, the attackers reply again and attempt to trick the victim into clicking a link which installs Batloader.
Recently, the attackers have been seen leveraging Google ads to help deliver malware via malvertising links which allow attackers to track which users and which devices click links. These links are used to identify potential targets and distribute the Batloader payload.
Microsoft says it has reported this abuse to Google for awareness and consideration for action. ZDNET has contacted Google but is yet to receive a reply at the time of publication.
In addition to malvertising and phishing links, it's also reported that DEV-0569 has performed 'hands-on' human operated attacks to install ransomware, gaining access to compromised networks exploiting vulnerabilities and remote access tools to manually download the Royal payload.
Microsoft's researchers note "DEV-0569's widespread infection base and diverse payloads likely make the group an attractive access broker for ransomware operators" – meaning that even if they didn't install their own ransomware, they could sell access to networks to ransomware operators and other malicious cyber-threat groups.
The attackers have also been witnessed using open-source tools in attempts to disable antivirus software to make it harder for their malicious activity to be detected.
According to Microsoft, it's likely the group will continue to breach networks using a variety of different methods. But there are actions that can be taken to avoid falling victim to attacks.
These include building resilience against email threats by educating users about identifying social-engineering attacks and preventing malware infection – and providing users with a method for reporting suspected attacks.
It's also recommended that organizations practice the principle of least-privilege and maintain credential hygiene – in other words, only providing accounts with the access they absolutely need for that person to do their job, and to ensure that the account is secured with a strong password and multi-factor authentication. These measures can help prevent attackers from entering and moving around the network.
Microsoft also suggests that organizations turn on tamper-protection features to prevent attackers from stopping security services.