US Healthcare Is Under Attack By A Royal Ransomware Threat

This week, the Health Sector Cybersecurity Coordination Center (HC3), part of the US Department of Health and Human Services (HHS), issued a report warning the healthcare industry about the threat posed by a new ransomware group operating under the name “Royal.” The report comes a little over a month after the Biden administration hosted the second International Counter Ransomware Summit and warned that ransomware attacks are outpacing the United States’ efforts to mitigate them. Last month, the Federal Bureau of Investigation (FBI) also published a joint cybersecurity advisory alerting organizations to the danger posed by the Hive ransomware gang.

However, unlike Hive and most other ransomware groups, Royal does not operate under the Ransomware-as-a-Service (RaaS) model. Rather than arming affiliates with its ransomware, Royal does its own dirty work: it compromises its targets’ networks and deploys the ransomware itself. Based on Royal’s advanced tactics, techniques, and procedures (TTPs), the HC3 report assesses that the group is likely composed of experienced actors from other ransomware groups.

The group began its operations using the ALPHV/BlackCat ransomware gang’s encryptor, then switched to the ZEON encryptor. In September, however, the group rebranded as “Royal” and introduced its own ransomware, which appends the .royal extension to the files it encrypts. When deployed, the Royal ransomware deletes all Volume Shadow Copies to defeat common file recovery methods, and it also encrypts network shares, so shared storage reachable from the infected host is encrypted along with local files.
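The two host-level indicators in the paragraph above (shadow-copy deletion and a burst of files written with the .royal extension, including on network shares) are easy to turn into detection logic. The following Python script is an added example for this article, not code from HC3 or from any Royal sample analysis. It assumes a simplified event format modelled on Sysmon process-create and file-create events, uses generic shadow-copy-deletion command lines that ransomware families in general are known to run (the article does not quote Royal's exact commands), picks an arbitrary threshold of five .royal writes per process, and runs over constructed sample events rather than real logs.

```python
import re
from collections import defaultdict

# Command-line patterns for shadow-copy removal. These are generic ransomware
# techniques assumed for this example, not commands the article attributes to Royal.
SHADOW_COPY_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I), "high"),
    ("vssadmin_resize_shadowstorage",   # also used by legitimate admins: lower severity
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I), "medium"),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I), "high"),
    ("powershell_win32_shadowcopy",     # e.g. Get-WmiObject Win32_ShadowCopy | Remove-WmiObject
     re.compile(r"Win32_ShadowCopy", re.I), "high"),
]

# The article states that Royal appends the .royal extension to encrypted files.
ROYAL_EXT = re.compile(r"\.royal$", re.I)
MASS_ENCRYPTION_THRESHOLD = 5   # assumed tuning value; a real pipeline would also window by time


def match_shadow_copy_deletion(command_line):
    """Return (rule_name, severity) for the first matching rule, else None."""
    for name, pattern, severity in SHADOW_COPY_RULES:
        if pattern.search(command_line):
            return name, severity
    return None


def is_royal_encrypted(path):
    """True if the written path carries the .royal extension."""
    return bool(ROYAL_EXT.search(path))


def is_network_share(path):
    """True for UNC (network share) paths, which the article says Royal also encrypts."""
    return path.startswith("\\\\")


def scan(events):
    """Scan process-creation and file-write events; return a list of findings."""
    findings = []
    royal_paths = defaultdict(list)          # pid -> list of .royal paths written
    for ev in events:
        if ev["type"] == "process":
            hit = match_shadow_copy_deletion(ev["command_line"])
            if hit:
                name, severity = hit
                findings.append({"rule": name, "severity": severity, "pid": ev["pid"],
                                 "user": ev["user"], "detail": ev["command_line"]})
        elif ev["type"] == "file" and is_royal_encrypted(ev["path"]):
            royal_paths[ev["pid"]].append(ev["path"])
    # Aggregate .royal writes per process: a few may be a test file, many is encryption.
    for pid, paths in royal_paths.items():
        share_files = sum(1 for p in paths if is_network_share(p))
        mass = len(paths) >= MASS_ENCRYPTION_THRESHOLD
        findings.append({
            "rule": "mass_royal_extension_writes" if mass else "royal_extension_seen",
            "severity": "critical" if mass else "medium",
            "pid": pid, "files": len(paths), "share_files": share_files,
            "detail": f"{len(paths)} .royal files written, {share_files} on network shares",
        })
    return findings


# Constructed sample telemetry (not real logs): the shapes mirror what Sysmon
# Event ID 1 (process create) and Event ID 11 (file create) provide.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "user": "CORP\\svc_backup",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "pid": 4133, "user": "CORP\\alice",
     "command_line": "cmd.exe /c dir C:\\Users"},
    {"type": "process", "pid": 4140, "user": "CORP\\svc_backup",
     "command_line": "wmic shadowcopy delete"},
    {"type": "file", "pid": 5210, "path": r"\\FILESRV01\Finance\Q3-forecast.xlsx.royal"},
    {"type": "file", "pid": 5210, "path": r"\\FILESRV01\Finance\payroll.csv.royal"},
    {"type": "file", "pid": 5210, "path": r"\\FILESRV01\HR\benefits.pdf.royal"},
    {"type": "file", "pid": 5210, "path": r"C:\Users\alice\Documents\contract.docx.royal"},
    {"type": "file", "pid": 5210, "path": r"C:\Users\alice\Pictures\scan.png.royal"},
    {"type": "file", "pid": 5210, "path": r"C:\Users\alice\Desktop\budget.xlsx.royal"},
    {"type": "file", "pid": 6000, "path": r"C:\Temp\test.royal"},
    {"type": "file", "pid": 7001, "path": r"C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity']:8}] {finding['rule']} pid={finding['pid']}: {finding['detail']}")
```

Two practical caveats: `vssadmin resize shadowstorage` and WMI shadow-copy queries do show up in legitimate administration, so those rules are rated lower and are best correlated with the file-write burst rather than alerted on alone; and the per-process count here has no time window, so in production the aggregation should be bounded to a short interval (and keyed on host as well as PID) to avoid counting unrelated writes over a long session.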

The Royal ransomware dedicated leak site publicizing a recent attack

Once the ransomware finishes encrypting a victim’s files, it leaves behind a ransom note instructing the victim to install the Tor Browser and visit Royal’s negotiation site. Like many other ransomware groups, Royal also runs a dedicated leak site (DLS) on the Tor network where it publicizes its attacks for double extortion: if a victim does not pay, Royal withholds the decryption key and also publishes exfiltrated copies of the victim’s files. Royal’s ransom demands range from $250,000 to over $2 million.

Cybersecurity researchers have observed Royal gaining access through phishing, network intrusions, and malvertising (malicious advertising) that lures users into downloading what appears to be legitimate software but actually delivers the ransomware. In network intrusions, the group often exploits security vulnerabilities to gain a foothold, then deploys Cobalt Strike to maintain persistence, harvest credentials, and move laterally through the compromised network before finally deploying the Royal ransomware.

While the HC3 report is primarily intended to warn the healthcare and public health (HPH) sector about this group, Royal does not limit its attacks to that sector. It also attacks a wide range of organizations, including schools, law firms, manufacturers, and non-profits. Royal’s victims are primarily based in the US, but the group has struck organizations in other countries as well. The threat posed by ransomware is only growing, so organizations across all sectors and countries should remain vigilant and implement ransomware mitigation measures.