CISA and the FBI have published a joint cybersecurity advisory detailing the tactics, techniques, and procedures (TTPs) used by the Royal ransomware group, along with Indicators of Compromise (IoCs), to help network defenders protect against its attacks.
Royal ransomware is a relatively new threat group that was first observed conducting attacks in 2022. The group is believed to be made up of experienced ransomware operators, including former members of Conti Team One. Conti was one of the most prominent ransomware groups of the past three years and was created by the group behind the Ryuk ransomware. Royal initially used other ransomware groups' encryptors before switching to its own Royal encryptor in September 2022, and it has now overtaken LockBit as the most active ransomware operation.
Like Conti and Ryuk, the Royal ransomware gang focuses its attacks on the U.S., particularly on critical infrastructure organizations such as those in the healthcare and public health sector. The group uses several methods to gain initial access to victims' networks. Phishing is the most common initial access vector, used in 67% of identified attacks: employees at victim organizations are tricked into installing a malware loader delivered through emails with PDF attachments, and the loader then delivers the Royal ransomware payload. The Royal gang is also known to use malicious advertisements (malvertising) to drive traffic to sites that deliver malware.
Remote Desktop Protocol (RDP) compromise is used in about 13% of attacks. The group also gains access through public-facing applications and buys access from initial access brokers who harvest VPN credentials from stealer logs. Once access is obtained, the group downloads a variety of tools to strengthen its foothold in the victim's network, then escalates privileges and moves laterally, including using PsExec for lateral movement. The group is known to maintain persistence using legitimate remote monitoring and management tools such as Atera, AnyDesk, and LogMeIn. It has been observed using the penetration testing tool Cobalt Strike, and it uses Ursnif/Gozi for data exfiltration. The group uses the Windows Restart Manager to determine whether targeted files are in use or locked by other applications, uses the Windows Volume Shadow Copy service to delete shadow copies and hinder file recovery without payment of the ransom, and exfiltrates data to a U.S. IP address before starting encryption.
CISA and the FBI strongly recommend taking the following immediate actions to improve protection against these attacks:
- prioritize remediating known exploited vulnerabilities
- train employees to recognize phishing attempts
- enable and enforce multifactor authentication
IoCs and TTPs are detailed in the cybersecurity advisory. An Analyst Note on Royal ransomware has also been released by the Health Sector Cybersecurity Coordination Center.
Data Exfiltration Developments in Healthcare Cyberattacks
The Health Sector Cybersecurity Coordination Center (HC3) has published a security alert on data exfiltration in healthcare cyberattacks, describing the scale of the practice and offering a number of recommended mitigations. Data exfiltration typically occurs after a threat actor has gained access to a network, escalated privileges, and moved laterally. In the cyber kill chain, data exfiltration takes place in the final stages and is the primary objective of many cyberattacks.
There are several motives for data theft. Nation-state actors frequently steal data for espionage purposes. Cybercriminal gangs steal healthcare data because it is easy to monetize through extortion. Insiders steal data for financial gain, blackmail, and competitive advantage. When cybercriminal groups first began using ransomware, files were simply encrypted; today, data exfiltration is commonplace. Data theft allows ransomware actors to profit from attacks even when the ransom is not paid, and it is often the threat of publishing stolen data that pushes victims to pay. With such a strong incentive to pay to avoid data exposure, some ransomware groups have stopped encrypting files altogether and now conduct extortion-only attacks.
In the security alert, HC3 highlights the extent to which data exfiltration is occurring. HC3 notes that, based on the breach notifications filed with the HHS, 28.5 million records were exposed in the second half of 2022, 21.1 million more than in 2019. The 588 data breaches reported to HHS in 2022 exposed over 44 million patient records. At least 24 healthcare ransomware attacks occurred in 2022, affecting 289 U.S. hospitals, and sensitive data was exfiltrated in 70% of those attacks.
Data exfiltration does not happen only in ransomware attacks. Data theft also occurs in attacks involving other kinds of malware, such as information stealers. Several threat groups, including Karakurt, Donut Leaks, and Lapsus$, have emerged that focus solely on data exfiltration and extortion. Nation-state-sponsored advanced persistent threat (APT) actors typically gain persistent access to networks and remain hidden for years in order to exfiltrate sensitive data over prolonged periods. WithSecure identified one attack by the Lazarus APT group in which over 100GB of sensitive data was stolen from the medical research and technology sector before the intrusion was detected. As more organizations move from on-premises to cloud storage, threat actors have increasingly targeted cloud resources to steal data, and they often delete cloud backups to prevent recovery from ransomware attacks.
Data exfiltration is often the most damaging part of a healthcare cyberattack. In addition to strengthening defenses to prevent initial access, network defenders should monitor for attempted data exfiltration and take steps to prevent, stop, and limit it. HC3 offers a number of recommendations in the alert, including high-level mitigations such as combining security awareness with security policies, assessing the risks associated with every connection between computers, applications, and data, and conducting regular audits to confirm that security policies are being followed.
HC3 also recommends using monitoring systems that generate alerts for unusual data access, unusual data movement, unsanctioned software and hardware (shadow IT), and unauthorized access to information, and ensuring that logs are generated by systems, servers, workstations, email, databases, web applications, firewalls, cloud resources, and authentication services. Those logs should be managed centrally and reviewed carefully. Because insider data exfiltration is common, employees should be monitored closely, particularly departing staff: their access to resources should be revoked promptly, and extra attention should be paid to the activities of people who are about to leave the organization.
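As an added example (not from the CISA/FBI advisory or the HC3 alert), the following Python sketch shows the kind of check such a monitoring system might run over centrally collected logs: it parses constructed proxy/flow log lines and flags hosts that send an unusually large volume of data to external addresses. The log format, host names, destination addresses, and the 500 MB threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample proxy/flow log lines: "timestamp,src_host,dst_ip,bytes_out".
# Host names and the 203.0.113.x / 198.51.100.x addresses (RFC 5737 documentation
# ranges, standing in for external destinations) are invented for this example.
SAMPLE_LOG = """\
2023-03-02T09:00:00Z,ws-radiology-07,10.0.4.20,120000
2023-03-02T09:05:00Z,ws-radiology-07,10.0.4.20,98000
2023-03-02T09:10:00Z,ws-billing-12,10.0.4.21,150000
2023-03-02T09:15:00Z,ws-billing-12,203.0.113.45,910000000
2023-03-02T09:20:00Z,ws-radiology-07,198.51.100.9,4800000000
2023-03-02T09:25:00Z,ws-lab-03,10.0.4.22,30000
"""

# Address space treated as "inside" the organization: RFC 1918, loopback, link-local.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Alert when one host pushes more than this many bytes to external addresses
# within the log window. The value is a hypothetical tuning parameter.
EXTERNAL_BYTES_THRESHOLD = 500_000_000


def parse_log(text):
    """Parse the constructed format into (timestamp, host, dst_ip, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split(",")
        records.append((ts, host, dst, int(nbytes)))
    return records


def is_external(dst_ip):
    """True when dst_ip falls outside every INTERNAL_NETS range."""
    addr = ip_address(dst_ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exfil_candidates(records, threshold=EXTERNAL_BYTES_THRESHOLD):
    """Sum outbound bytes per host to external destinations and return
    {host: bytes} for hosts above the threshold: the large outbound transfers
    that precede encryption and that the HC3 alert asks defenders to watch for."""
    external_bytes = defaultdict(int)
    for _, host, dst, nbytes in records:
        if is_external(dst):
            external_bytes[host] += nbytes
    return {h: b for h, b in external_bytes.items() if b > threshold}
```

In practice the threshold would be derived from each host's own baseline rather than a fixed number, and the result would feed an alert in the central log platform rather than a dictionary.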