DEV-0569

DEV-0569 is referenced in connection with Royal ransomware activity. Royal has compromised U.S. and international organizations since approximately September 2022 and has targeted more than 350 known victims worldwide, including organizations in Manufacturing, Communications, Healthcare and Public Healthcare, and Education. FBI and CISA reported ransom demands ranging from approximately $1 million to $11 million in Bitcoin, with total demands exceeding $275 million. Royal operates a double-extortion model, exfiltrating data before encrypting systems and threatening publication on a leak site if payment is not made. Observed initial access vectors include phishing, including malicious PDFs and malvertising; RDP compromise; exploitation of public-facing applications; and possibly access brokers using stolen VPN credentials. Tradecraft described in the reporting includes use of a custom-made encryptor, partial encryption to accelerate impact and reduce detection, Chisel for tunneling/C2, possible use of Qakbot C2 infrastructure, RDP and PsExec for lateral movement, and AnyDesk, LogMeIn, and Atera for persistence. Defense evasion and impact techniques include modifying Group Policy Objects to disable antivirus, using legitimate administrative accounts, deleting Volume Shadow Copies via vssadmin.exe, deleting Windows event logs, and using batch files to create admin users, force policy updates, set registry keys, and execute ransomware. Royal ransom notes require victims to communicate through a Tor .onion site rather than including payment instructions in the initial note. The content also states that Royal evolved from earlier iterations that used Zeon as a loader, and that there were indications of a possible rebrand or spinoff, with BlackSuit noted as sharing coding characteristics similar to Royal. No additional aliases or sub-groups for DEV-0569 are directly provided beyond its association with Royal ransomware.