
HC3 Shares Intelligence on BlackCat and Royal Ransomware Operations

The Health Sector Cybersecurity Coordination Center (HC3) has shared threat intelligence on two sophisticated and aggressive ransomware operations, BlackCat and Royal, which pose a significant threat to the healthcare and public health (HPH) sector.

In 2021 and early 2022 the ransomware threat landscape was dominated by Conti, a large, professional ransomware-as-a-service (RaaS) operation; however, the operation was disbanded in 2022. While the Conti RaaS no longer operates under that name, its members are still active and are now spread across several smaller semi-autonomous and autonomous ransomware groups. These smaller ransomware operations are more agile, harder to track, and attract less attention from law enforcement.

The BlackCat ransomware operation, also known as ALPHV, was first detected in November 2021 and is believed to be the successor to DarkSide/BlackMatter ransomware, with the BlackCat admin believed to be a former member of the infamous REvil threat group. BlackCat is a RaaS operation that engages in triple extortion: data theft, file encryption, and distributed denial of service (DDoS) attacks on victims. The group leaks stolen data on its data leak site and conducts DDoS attacks when victims fail to pay the ransom or end negotiations. The group primarily targets organizations in the United States.

Unlike some ransomware operations that actively encourage attacks on the healthcare sector, BlackCat has operating rules that prohibit affiliates from attacking hospitals, medical institutions, and ambulance services, although private clinics and pharmaceutical companies are not off-limits. HC3 has warned that while these operating rules exist, they are not set in stone, and ransomware gangs that have similarly prohibited attacks on healthcare organizations have broken their promises in the past. While the operation is far smaller than Conti, the group has conducted a high number of attacks, with 60 organizations attacked in its first 4 months of operation.


Royal is a more recent addition to the ransomware threat landscape, having first been observed conducting attacks in early 2022. The group is similarly believed to include former Conti members. Initially, Royal used the same encryptor as BlackCat, then switched to its own encryptor in September 2022. Royal is now the most active ransomware operation, having surpassed LockBit. Royal engages in double extortion, stealing data before encrypting files and threatening to publish the stolen data if the ransom is not paid. Like Conti, Royal is known to use callback phishing to gain initial access to networks. Callback phishing starts with a benign-looking email that contains no malicious link or attachment, only a telephone number; social engineering is then used to convince the victim to call the number and grant the attacker remote access to their device. The group is also known to conduct attacks using an encryptor that masquerades as healthcare patient data software hosted on legitimate-looking software download sites. In contrast to BlackCat, the healthcare industry is not off-limits, and several attacks have been conducted on healthcare organizations. Consequently, Royal poses a significant threat to the HPH sector.

HC3 has shared detailed information for network defenders on the tactics, techniques, and procedures used by both operations, along with indicators of compromise (IoCs), YARA rules, and recommended mitigations.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve's editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
