Since the emergence of the human-operated ransomware threat group known as Royal in September, the Department of Health and Human Services Cybersecurity Coordination Center (HC3) has been made aware of targeted cyberattacks against the healthcare sector.
Royal attacks have steadily increased over the last three months, with ransom demands ranging from $250,000 to more than $2 million.
Analyses of successful compromises of healthcare entities confirm the group appears focused on U.S. organizations. Further, in each of these exploits, Royal “has claimed to have published 100% of the data that was allegedly extracted from the victim.”
Like most ransomware groups, Royal is financially motivated and has been observed exfiltrating sensitive data, “deploying Cobalt Strike for persistence, harvesting credentials, and moving laterally through a system until they ultimately encrypt the files.”
According to HC3, “due to the historical nature of ransomware victimizing the healthcare community, Royal should be considered a threat to the health and public health sectors.”
Information on Royal is limited given how new the group is. But what’s clear is that the operation appears to be run by experienced threat actors from other cybercriminal groups, as its tactics and malware share elements with previous ransomware operations.
However, the group appears to be a private operation without affiliate partners and does not operate as ransomware-as-a-service (RaaS). HC3 warns that multiple actors are spreading Royal ransomware and that it is also being distributed by DEV-0569.
“DEV-0569 notably relies on malvertising, phishing links that point to a malware downloader posing as software installers or updates embedded in spam emails, fake forum pages, and blog comments,” according to a Microsoft analysis. In one attack method, the threat was observed using contact forms on the targeted entity’s website to deliver phishing links.
At first, the Royal operation used BlackCat’s encryptor, but it has since transitioned to Zeon, with a ransom note that shares similarities with the Conti group’s. Notably, both Zeon and Conti were notorious for highly targeted attacks against the healthcare sector.
Conti has since disbanded, while Health-ISAC has warned that Zeon is impersonating software solutions and targeting the healthcare sector, aiming to weaponize trust and exploit security failures within the enterprise environment.
Further, Royal ransomware has been observed deleting as many Volume Shadow Copies as possible to prevent victims from quickly recovering deleted or modified files on the network. The malware also encrypts network shares on the local network and drives with “the AES algorithm, with the key and IV being encrypted in the RSA public key, which is hard-coded into the executable.”
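As an added illustration from the defender’s side (not code from the article or from HC3), the following Python sketch scans constructed Windows process-creation events for the shadow-copy deletion behaviour described above and escalates hosts where more than one deletion method appears. The events, hostnames and user names are made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (host, user, command line); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "jdoe", "cmd": r"C:\Windows\System32\notepad.exe notes.txt"},
    {"host": "WS01", "user": "jdoe", "cmd": r"C:\Windows\System32\vssadmin.exe  Delete Shadows /All /Quiet"},
    {"host": "SRV02", "user": "SYSTEM", "cmd": "wmic.exe shadowcopy delete"},
    {"host": "SRV02", "user": "backupsvc", "cmd": "vssadmin.exe list shadows"},
    {"host": "SRV03", "user": "admin", "cmd": 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"host": "SRV03", "user": "admin", "cmd": "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
]

# Command lines that delete or starve Volume Shadow Copies (MITRE ATT&CK T1490,
# Inhibit System Recovery); case-insensitive, ".exe" suffix optional.
SHADOW_DELETE_PATTERNS = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin resize shadowstorage", re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic shadowcopy delete", re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("powershell remove Win32_Shadowcopy", re.compile(r"win32_shadowcopy.*remove-wmiobject", re.I)),
]

@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    technique: str
    cmd: str

def normalize(cmd: str) -> str:
    # Collapse runs of whitespace so padded command lines still match.
    return " ".join(cmd.split())

def detect_shadow_copy_deletion(events):
    # One Finding per event whose command line matches a known deletion pattern.
    findings = []
    for ev in events:
        cmd = normalize(ev["cmd"])
        for technique, pattern in SHADOW_DELETE_PATTERNS:
            if pattern.search(cmd):
                findings.append(Finding(ev["host"], ev["user"], technique, cmd))
                break
    return findings

def hosts_with_multiple_methods(findings):
    # A lone vssadmin call may be a backup job; several distinct deletion
    # methods on one host is the pre-encryption pattern worth escalating.
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.technique)
    return {host for host, methods in by_host.items() if len(methods) > 1}
```

In practice the same patterns would be fed from Sysmon Event ID 1 or Windows Security Event 4688 command lines rather than an in-memory list.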
The group “has displayed innovation in their methods” by leveraging evasion tactics, malvertising in malicious links, new techniques, and post-compromise payloads. Royal has also been observed “embedding malicious links in malvertising, phishing emails, fake forums, and blog comments.”
Most recently, Microsoft found the group “using malvertising in Google ads, utilizing an organization’s contact form that can bypass email protections, and placing malicious installer files on legitimate looking software sites and repositories.”
Overall, entities are reminded that ransomware attackers commonly exploit key vectors: phishing, remote desktop protocol (RDP), credential abuse, known vulnerabilities, and VPN servers.
Covered entities are being urged to review the new HC3 threat analysis, which contains IOCs, attack methods, and other relevant proactive measures providers can take to defend against the Royal threat.