Ransomware, Threat Management, Vulnerability Management

HHS warns Royal ransomware threat targeting healthcare providers

HHS has once again issued an alert about a ransomware group targeting the health sector, this one called "Royal." (Library of Congress)

Since the emergence of the human-operated ransomware threat group known as Royal in September, the Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HC3) has been made aware of targeted cyberattacks against the healthcare sector.

Royal attacks have steadily increased over the last three months, with ransom demands ranging from $250,000 to more than $2 million.

Analyses of successful compromises of healthcare entities confirm the group appears focused on U.S. organizations. Further, in each of these incidents, Royal “has claimed to have published 100% of the data that was allegedly extracted from the victim.”

Like most ransomware groups, Royal is financially motivated and has been observed exfiltrating sensitive data, “deploying Cobalt Strike for persistence, harvesting credentials, and moving laterally through a system until they ultimately encrypt the files.”

For HC3, “due to the historical nature of ransomware victimizing the healthcare community, Royal should be considered a threat to the health and public health sectors.”

The alert joins three other HC3 alerts on Hive, Lorenz, and Venus ransomware, issued within the last month as these targeted threats continue to plague the healthcare sector.

Information on Royal is limited given the newness of the group. But what’s clear is that the operation appears to be run by experienced threat actors from other cybercriminal groups, as its tactics and malware share elements with previous ransomware operations.

However, Royal appears to be a private group without affiliate partners and does not operate as ransomware-as-a-service (RaaS). HC3 warns that multiple actors are spreading Royal ransomware, and that it is also being distributed by the threat actor Microsoft tracks as DEV-0569.

“DEV-0569 notably relies on malvertising, phishing links that point to a malware downloader posing as software installers or updates embedded in spam emails, fake forum pages, and blog comments,” according to a Microsoft analysis. In one attack method, the threat actor was observed using contact forms on the targeted entity’s website to deliver phishing links.

At first, the Royal operation used BlackCat’s encryptor, but it has since transitioned to Zeon, with a ransom note that shows similarities to the Conti group’s. Notably, both Zeon and Conti were notorious for highly targeted attacks against the healthcare sector.

Conti has since disbanded, while Health-ISAC has warned that Zeon is impersonating software solutions in attacks on the healthcare sector aimed at weaponizing trust and exploiting security failures within the enterprise environment.

Further, Royal ransomware has been observed deleting as many Volume Shadow Copies as possible to prevent victims from quickly recovering deleted or modified files on the network. The malware also encrypts network shares and drives on the local network with “the AES algorithm, with the key and IV being encrypted in the RSA public key, which is hard-coded into the executable.”

The group “has displayed innovation in their methods” by leveraging evasion tactics, malicious links delivered through malvertising, new techniques, and post-compromise payloads. Royal has also been observed “embedding malicious links in malvertising, phishing emails, fake forums, and blog comments.”

Most recently, Microsoft found the group “using malvertising in Google ads, utilizing an organization’s contact form that can bypass email protections, and placing malicious installer files on legitimate looking software sites and repositories.”

Overall, entities are reminded that ransomware attackers commonly exploit a handful of key vectors: phishing, remote desktop protocol (RDP), credential abuse, known vulnerabilities, and exposed VPN servers.

Covered entities are being urged to review the new HC3 threat analysis, which contains IOCs, attack methods, and other relevant proactive measures providers can take to defend against the Royal threat.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
