Healthcare Organizations Warned About Royal Ransomware Attacks

The Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the healthcare and public health (HPH) sector about Royal ransomware attacks. Royal ransomware is a new ransomware threat that was first observed being used in attacks in September 2022. Attacks have been increasing and organizations in the HPH sector have been targeted.

Many ransomware threat actors run ransomware-as-a-service operations, where affiliates are recruited to conduct attacks for a percentage of the profits; however, Royal ransomware appears to be a private group, whose members have previously worked for other ransomware operations. Microsoft says a threat actor it tracks as DEV-0569 has been observed conducting Royal ransomware attacks, although several other actors are also part of the group.

The threat actors conducting the attacks are experienced and innovative, have been using new techniques and evasion tactics, and deliver a variety of post-compromise payloads. Like most other ransomware operations, Royal ransomware attacks involve data theft, with the threat actors publishing the stolen data if the ransom is not paid. The group is known to use hijacked Twitter accounts to send information to journalists to get media coverage to increase the pressure on victims. The ransom amount is often sizable, ranging from $250,000 to $2 million in the attacks conducted so far.

Once initial access has been gained to a victim’s network, the group deploys Cobalt Strike for persistence, harvests credentials, and moves laterally within networks. Shadow copies are deleted to hamper any attempt to recover files without paying the ransom, sensitive data is exfiltrated, then files are encrypted. Files may be fully or only partially encrypted, with the latter the faster option. Both will prevent files from being opened. An analysis of the ransomware showed the BlackCat ransomware encryptor was initially used, although this has now been changed to the group’s own encryptor (Zeon). The ransom note generated is similar to the note used in Conti ransomware attacks, which suggests there may be a link to that now-defunct ransomware operation.
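As an added example, not part of the HC3 alert or this article, the following Python snippet shows how a defender might flag the shadow-copy deletion step described above in process-creation logs. The log lines are constructed, and the command patterns are common Windows methods of deleting Volume Shadow Copies assumed by the author, not IoCs taken from the alert.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample process-creation log lines (not from the HC3 alert).
# Assumed format: "<timestamp> host=<host> user=<user> cmd="<command line>""
SAMPLE_LOGS = [
    '2022-12-08T02:11:04Z host=WS-17 user=jdoe cmd="C:\\Windows\\System32\\vssadmin.exe list shadows"',
    '2022-12-08T02:11:09Z host=WS-17 user=jdoe cmd="vssadmin.exe Delete Shadows /All /Quiet"',
    '2022-12-08T02:11:11Z host=WS-17 user=jdoe cmd="wmic shadowcopy delete"',
    '2022-12-08T02:11:15Z host=WS-17 user=jdoe cmd="powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"',
    '2022-12-08T02:12:00Z host=SRV-01 user=backup cmd="notepad.exe C:\\Users\\backup\\notes.txt"',
]

# Well-known ways of deleting shadow copies on Windows (widely documented
# ransomware precursors). Assumed examples, not indicators from the alert.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into its fields; return None if it does not fit the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_shadow_copy_deletions(lines: Iterable[str]) -> List[dict]:
    """Return the parsed records whose command line matches a shadow-copy deletion pattern.

    Listing shadow copies (reconnaissance) is deliberately not matched; only deletion is.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for pat in SHADOW_DELETE_PATTERNS:
            if pat.search(rec["cmd"]):
                hits.append({**rec, "rule": pat.pattern})
                break
    return hits


if __name__ == "__main__":
    for h in find_shadow_copy_deletions(SAMPLE_LOGS):
        print(f'{h["ts"]} {h["host"]} {h["user"]}: {h["cmd"]}')
```

Because shadow copies are deleted before encryption begins, an alert on this step gives responders a short window to isolate the host before files are encrypted.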

Various methods are used to gain initial access to victims’ networks. The group uses malvertising (malicious adverts, including Google Ads) to direct traffic to a site where a malicious file is downloaded. The group has also been observed conducting phishing attacks with malicious URLs in the emails, and the same malicious URLs have been added to a variety of blog and forum posts. Malicious installer files have also been added to repositories and websites that claim to offer free software.

The group has also been observed exploiting unpatched software vulnerabilities, including vulnerabilities in VPN servers, abusing credentials, and compromising Remote Desktop Protocol (RDP). The group also uses social engineering in callback phishing attacks, impersonating software providers and food delivery services to trick people into installing remote access software.

HC3 has shared Indicators of Compromise (IoCs) in the alert to help network defenders identify intrusions.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com