
HC3: Royal Ransomware Impacts Healthcare Sector

Royal ransomware appears to consist of experienced threat actors from other ransomware groups, HC3 noted.

A new analyst note from the Health Sector Cybersecurity Coordination Center (HC3) shed light on Royal ransomware, a human-operated ransomware variant first observed in September 2022.

“Due to the historical nature of ransomware victimizing the healthcare community, Royal should be considered a threat to the HPH sector,” HC3 noted.

Royal ransomware is known to make steep ransom demands, ranging from $250,000 to $2 million. In addition, the operation is believed to consist of experienced threat actors from other groups.

“While most of the known ransomware operators have performed Ransomware-as-a-Service, Royal appears to be a private group without any affiliates while maintaining financial motivation as their goal,” the analyst note stated.

“The group does claim to steal data for double-extortion attacks, where they will also exfiltrate sensitive data.”

Like other ransomware operators, Royal is known to deploy Cobalt Strike, harvest credentials, and move laterally through a victim's network once an initial foothold is established. In a November blog post, Microsoft Security Threat Intelligence said that it has observed the threat actor it tracks as DEV-0569 deploying Royal ransomware.

Specifically, the group has been observed executing phishing attacks and embedding malicious links in fake forums and blog comments. In addition, Microsoft observed the group “using malvertising in Google ads, utilizing an organization’s contact form that can bypass email protections, and placing malicious installer files on legitimate looking software sites and repositories,” the analyst note stated.

Royal is a relatively new ransomware variant, and researchers are still working to figure out the technical details and indicators of compromise.

“Additionally, on previous Royal compromises that have impacted the HPH sector, they have primarily appeared to be focused on organizations in the United States,” HC3 said.

“In each of these events, the threat actor has claimed to have published 100 [percent] of the data that was allegedly extracted from the victim.”

Aside from the techniques used by Royal ransomware, HC3 noted the growing prevalence of certain initial access vectors associated with ransomware generally, such as phishing, Remote Desktop Protocol (RDP) compromises, and exploitation of known vulnerabilities.
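Of the vectors HC3 lists, RDP compromise is the one a defender can watch for directly in Windows Security event logs: a burst of failed RemoteInteractive logons (Event ID 4625, LogonType 10) from one source, either against one account or sprayed across many, followed by a success (Event ID 4624) from the same source. The script below is an added example, not code from the HC3 note, Microsoft, or any vendor; it runs those checks over a handful of constructed JSON records modelled on the Security log fields. The thresholds, the ten-minute window, and the record format are assumptions to tune for your own environment.

```python
"""Flag RDP brute-force and password-spray patterns in Windows Security events.

Added illustrative example. Records are constructed JSON-per-line entries using the
field names found in Security log events 4624/4625 (LogonType, TargetUserName,
IpAddress). LogonType 10 is RemoteInteractive, i.e. RDP.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
FAIL_THRESHOLD = 5            # assumption: failures from one source within WINDOW
SPRAY_ACCOUNTS = 3            # assumption: distinct accounts tried from one source
WINDOW = timedelta(minutes=10)  # assumption: observation window per source

# Constructed sample telemetry (not real logs). Sources 203.0.113.7 and
# 198.51.100.23 are the cases to catch; 192.0.2.15 is a benign typo-then-login;
# 10.0.0.5 is a console failure (LogonType 2) that the RDP filter must ignore.
SAMPLE_EVENTS = """
{"ts":"2022-12-08T02:00:01Z","EventID":4625,"LogonType":10,"TargetUserName":"administrator","IpAddress":"203.0.113.7"}
{"ts":"2022-12-08T02:00:05Z","EventID":4625,"LogonType":10,"TargetUserName":"administrator","IpAddress":"203.0.113.7"}
{"ts":"2022-12-08T02:00:09Z","EventID":4625,"LogonType":10,"TargetUserName":"administrator","IpAddress":"203.0.113.7"}
{"ts":"2022-12-08T02:00:14Z","EventID":4625,"LogonType":10,"TargetUserName":"administrator","IpAddress":"203.0.113.7"}
{"ts":"2022-12-08T02:00:20Z","EventID":4625,"LogonType":10,"TargetUserName":"administrator","IpAddress":"203.0.113.7"}
{"ts":"2022-12-08T02:00:30Z","EventID":4625,"LogonType":10,"TargetUserName":"administrator","IpAddress":"203.0.113.7"}
{"ts":"2022-12-08T02:00:45Z","EventID":4624,"LogonType":10,"TargetUserName":"administrator","IpAddress":"203.0.113.7"}
{"ts":"2022-12-08T03:10:00Z","EventID":4625,"LogonType":10,"TargetUserName":"admin","IpAddress":"198.51.100.23"}
{"ts":"2022-12-08T03:10:10Z","EventID":4625,"LogonType":10,"TargetUserName":"backup","IpAddress":"198.51.100.23"}
{"ts":"2022-12-08T03:10:20Z","EventID":4625,"LogonType":10,"TargetUserName":"svc_sql","IpAddress":"198.51.100.23"}
{"ts":"2022-12-08T08:15:00Z","EventID":4625,"LogonType":10,"TargetUserName":"jsmith","IpAddress":"192.0.2.15"}
{"ts":"2022-12-08T08:15:12Z","EventID":4624,"LogonType":10,"TargetUserName":"jsmith","IpAddress":"192.0.2.15"}
{"ts":"2022-12-08T09:00:00Z","EventID":4625,"LogonType":2,"TargetUserName":"administrator","IpAddress":"10.0.0.5"}
"""


def parse_events(text):
    """Parse JSON-per-line records, convert timestamps, return them sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_rdp_abuse(events, fail_threshold=FAIL_THRESHOLD,
                     spray_accounts=SPRAY_ACCOUNTS, window=WINDOW):
    """Return one finding per source IP that shows RDP brute force or spraying.

    The window is anchored at the first RDP failure seen from each source. A 4624
    from the same source at or after the last in-window failure, and still inside
    the window, is reported as a success following failures (likely compromise).
    """
    by_src = defaultdict(list)
    for e in events:
        if e.get("LogonType") == RDP_LOGON_TYPE:   # RDP only; console/network ignored
            by_src[e["IpAddress"]].append(e)

    findings = []
    for src, evs in sorted(by_src.items()):
        fails = [e for e in evs if e["EventID"] == 4625]
        if not fails:
            continue
        end = fails[0]["ts"] + window
        in_win = [e for e in fails if e["ts"] <= end]
        users = {e["TargetUserName"] for e in in_win}
        last_fail = in_win[-1]["ts"]
        success = next((e for e in evs if e["EventID"] == 4624
                        and last_fail <= e["ts"] <= end), None)

        kinds = []
        if len(in_win) >= fail_threshold:
            kinds.append("brute_force")
        if len(users) >= spray_accounts:
            kinds.append("password_spray")
        if kinds and success is not None:
            kinds.append("success_after_failures")
        if kinds:
            findings.append({
                "source": src,
                "failures": len(in_win),
                "accounts": sorted(users),
                "kinds": kinds,
                "compromised_account": success["TargetUserName"] if success else None,
            })
    return findings


if __name__ == "__main__":
    for f in detect_rdp_abuse(parse_events(SAMPLE_EVENTS)):
        print(f)
```

The filter on LogonType 10 is what keeps this focused on the RDP vector: the same 4625 burst from a service account on the console would be a different investigation. A success after a run of failures is the line worth paging on, since the follow-on activity HC3 describes (credential harvesting, Cobalt Strike, lateral movement) starts from that foothold.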

In other ransomware news, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recently released a joint cybersecurity advisory about Cuba ransomware. The FBI and CISA have observed threat actors using Cuba ransomware against financial services organizations, technology companies, manufacturers, government facilities, and healthcare organizations.

Organizations can strengthen their security defenses by implementing multifactor authentication (MFA), keeping operating systems up to date, and maintaining offline backups, among other mitigation tactics.
