
HHS highlights the Royal ransomware threat to healthcare providers

The Royal ransomware group is a relatively new gang that first surfaced in September, and the U.S. Department of Health and Human Services (HHS) has advised hospitals and organisations in the healthcare sector to be on the alert for cyberattacks from this group.

The ransomware gang has been responsible for several attacks on American healthcare organisations, according to a new analyst report released on Wednesday by the Health Sector Cybersecurity Coordination Center (HC3) at HHS.

HC3 stated in its analyst note that Royal ransomware should be viewed as a danger to the HPH sector because of the long history of ransomware targeting the healthcare community:

Since its appearance, HC3 is aware of attacks against the Healthcare and Public Healthcare (HPH) sector. Due to the historical nature of ransomware victimizing the healthcare community, Royal should be considered a threat to the HPH sector.

Judging by its earlier successful operations, this ransomware gang currently focuses on healthcare companies in the United States. So far, Royal has claimed that after each healthcare hack it has published all of the information apparently stolen from the victims’ systems online.

Royal Ransomware activities increased in September

A private group without government ties, the Royal ransomware gang is made up of experienced threat actors who previously worked for other operations. Royal was first observed in January 2022, and since September 2022 it has rapidly increased its malicious activity.

Like other groups, Royal uses social engineering to get victims to install remote access software: phishing campaigns in which the attackers pose as software developers or food delivery companies.

After breaching a victim and encrypting systems on its business network, Royal demands ransom payments of $250,000 to $2 million.

Another of Royal’s unusual tactics is the use of stolen Twitter accounts to tweet details about compromised targets to journalists, so that the attack is covered by media outlets and more pressure is put on the victim.

These tweets are aimed at journalists and business owners and include a link to the data allegedly stolen from the victim’s network before the encryptor was executed.

[Figure: Attacks of Royal ransomware (ID Ransomware)]

The operation once used an encryptor from the BlackCat ransomware group but now uses one from Zeon, which, according to HHS, generates a ransom note that has been found to be identical to Conti’s.

Until it disbanded in May, Conti was one of the most active ransomware groups, conducting high-profile attacks on organisations such as the government of Costa Rica.

The ransom note is dropped as a README text file that also includes a hyperlink to the victim’s own negotiation website. In September 2022, the note was rebranded to Royal.

[Figure: Zeon ransom note (BleepingComputer)]

When a file is encrypted, the ransomware appends the “.royal” extension to the file name and attempts to erase all copies of the data on the system.
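The two file-level indicators described above (the “.royal” suffix on encrypted files and a README text file carrying the ransom note) are easy to check for during triage. The following scan is an added example written for this page, not HC3’s or any vendor’s tooling; the README*.txt name pattern, the sample directory layout and the “note plus encrypted neighbour” rule are assumptions, since the article does not give the exact note filename. It goes slightly beyond the text by scoring directories where both indicators appear together, which is a stronger signal than either alone.

```python
"""Added example: scan a directory tree for the Royal file-level indicators
named in the article (".royal" suffix, README ransom note). Illustrative
defender code for this page; filename patterns are assumptions."""
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".royal"   # stated in the article
NOTE_PREFIX = "README"        # assumed: article only says "a README text file"


def scan_for_royal_indicators(root, note_prefix=NOTE_PREFIX, suffix=ENCRYPTED_SUFFIX):
    """Walk `root` and summarise indicators.

    encrypted:       paths whose name ends with the Royal suffix
    notes:           README*.txt files (candidate ransom notes)
    dirs_with_notes: directories holding at least one note AND one encrypted
                     file, the strongest signal of an encryption run there
    """
    encrypted, notes = [], []
    per_dir = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(suffix):
                encrypted.append(path)
                per_dir[(dirpath, "enc")] += 1
            elif lower.startswith(note_prefix.lower()) and lower.endswith(".txt"):
                notes.append(path)
                per_dir[(dirpath, "note")] += 1
    # Counter returns 0 for missing keys without inserting, so this is safe.
    dirs_with_notes = sorted(
        d for (d, kind) in per_dir if kind == "note" and per_dir[(d, "enc")] > 0
    )
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "dirs_with_notes": dirs_with_notes,
    }


def build_sample_tree():
    """Create a constructed demo tree (not real victim data); return its path."""
    root = tempfile.mkdtemp(prefix="royal-demo-")
    layout = {
        "finance/q3.xlsx.royal": b"\x00\x01",        # constructed "encrypted" file
        "finance/README.TXT": b"constructed note",   # constructed note next to it
        "hr/policy.docx": b"plain",
        "hr/readme_internal.txt": b"not a note",     # README-like, no encrypted neighbour
        "imaging/scan01.dcm.royal": b"\x00",         # encrypted file, no note yet
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for key, value in scan_for_royal_indicators(demo_root).items():
        print(key, value)
```

Run it against a file share or a mounted disk image with `scan_for_royal_indicators("/path/to/root")`; a non-empty `dirs_with_notes` list is the hit worth escalating, while `notes` on its own will pick up ordinary README files and needs a human look.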

Attacks on the healthcare system

The federal government has also warned about other ransomware operations known for specifically targeting healthcare facilities across the United States. Recent alerts warned Healthcare and Public Health (HPH) institutions about threat actors using the Maui and Zeppelin ransomware payloads.

In a statement, CommonSpirit Health said that a recent ransomware attack had exposed the data of over 500,000 patients. Stephan Chenette, CTO of AttackIQ, pointed out that the HC3 alert was issued shortly after that statement.

Another example is Professional Finance Company Inc (PFC), a full-service receivables management company based in Colorado. In a data breach notification issued in July, PFC disclosed that a late-February Quantum ransomware attack had resulted in a data breach affecting 657 healthcare organisations.

The attack could have had a considerably bigger impact: PFC helps tens of thousands of healthcare, government, and utility companies in the US to collect timely payment of bills from their clients.

Generally, organisations should be aware that ransomware attackers rely on a handful of common initial access vectors: phishing, remote desktop protocol (RDP), credential misuse, known vulnerabilities, and exposed VPN servers.

Covered organisations should read the updated HC3 threat analysis carefully, as it covers IOCs, attack techniques, and other relevant active defences against Royal attacks.

Help your colleagues keep a security-first mindset and boost your human firewall by starting your Phishing Tackle security awareness training today with our two-week free trial.
