The Health Sector Cybersecurity Coordination Center (HC3) has published an alert to the healthcare and public health (HPH) sector concerning Royal ransomware attacks. The ransomware was first observed in attacks in September 2022, and attacks have since increased, including attacks on organizations in the HPH sector.
Many ransomware threat actors operate ransomware-as-a-service and recruit affiliates to conduct attacks in exchange for a share of the proceeds. Royal ransomware, by contrast, appears to be a private group whose members previously worked for other ransomware operations. Microsoft has stated that it tracks a threat actor identified as DEV-0569 that has conducted Royal ransomware attacks, although the group includes other actors as well.
The threat actors behind the attacks are experienced and resourceful. They use novel techniques and evasion strategies and deliver a range of post-compromise payloads. As with many other ransomware campaigns, Royal ransomware attacks involve the theft of data, which the threat actors publish if the ransom is not paid. The group has used hijacked Twitter accounts to send information about victims to journalists in order to obtain media coverage and increase pressure on victims. Ransom demands are typically large: between $250,000 and $2 million has been demanded to date.
Once initial access to a victim's network is obtained, the group uses Cobalt Strike for persistence, harvests credentials, and moves laterally through the network. The attackers delete volume shadow copies to prevent any attempt to restore files without paying the ransom. Sensitive data is exfiltrated before the files are encrypted. Files may be fully or partially encrypted; partial encryption is faster, and either renders the files inaccessible. Analysis of the ransomware showed that the group initially used the BlackCat ransomware encryptor but has since switched to Zeon, its own encryptor. The ransom note it drops resembles the note used by the Conti ransomware group, suggesting a link to that now-defunct operation.
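As an added illustration, not part of the HC3 alert or of this article, the following Python sketch shows how a defender might flag the shadow-copy deletion step described above in process-creation telemetry (Sysmon Event ID 1 or Windows 4688 command lines) and escalate a host where several distinct recovery-inhibition techniques fire in succession. The sample events are constructed for this example, and the command-line patterns are generic, widely documented forms of shadow-copy and recovery tampering (ATT&CK T1490); they are not indicators that HC3 attributes to Royal.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified).
# These are made up for this example and are not telemetry from any real incident.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "cmdline": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
    {"host": "FS02", "user": "CORP\\svc_backup", "cmdline": "vssadmin.exe list shadows"},
    {"host": "FS02", "user": "CORP\\adm", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS02", "user": "CORP\\adm", "cmdline": "wmic shadowcopy delete"},
    {"host": "FS02", "user": "CORP\\adm", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "DC01", "user": "CORP\\adm",
     "cmdline": 'powershell -nop -w hidden -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"'},
]

# Generic command-line forms of shadow-copy deletion and recovery tampering
# (MITRE ATT&CK T1490). These are assumed, widely documented patterns, not
# indicators that HC3 or the article attribute to Royal specifically.
RECOVERY_TAMPER_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*\.delete\(", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
]


def scan_events(events):
    """Return one alert per event whose command line matches a tamper rule."""
    alerts = []
    for ev in events:
        for rule_name, pattern in RECOVERY_TAMPER_RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append({"host": ev["host"], "user": ev["user"],
                               "rule": rule_name, "cmdline": ev["cmdline"]})
                break  # one alert per event is enough
    return alerts


def techniques_by_host(alerts):
    """Group the distinct tamper techniques seen on each host."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["rule"])
    return seen


def hosts_to_escalate(alerts, min_techniques=2):
    """Hosts on which several distinct recovery-inhibition techniques fired.

    A single vssadmin call can be a backup agent doing its job; several
    different techniques in a row on one host is far more characteristic of
    an operator preparing to encrypt, so those hosts are escalated first.
    """
    return {host for host, rules in techniques_by_host(alerts).items()
            if len(rules) >= min_techniques}


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["host"]} {a["user"]} [{a["rule"]}] {a["cmdline"]}')
    print("escalate:", sorted(hosts_to_escalate(found)))
```

In a real deployment the rules would be fed from the EDR or SIEM rather than an in-memory list, and legitimate backup software that resizes or deletes shadow storage should be excluded by signed image path or service account rather than by loosening the patterns; the `min_techniques` threshold exists precisely so that one noisy rule does not page the on-call engineer.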
Several methods are used to gain initial access to victims' systems. The group uses Google Ads for malvertising, directing visitors to a website that downloads a malicious file. The group has also been observed conducting phishing attacks in which emails contain malicious URLs that, when clicked, lead to various blog and forum posts used to distribute the malware. Malicious installer files have also been planted on websites that offer free software.
The group has also been found to exploit unpatched software vulnerabilities, abuse valid credentials, exploit vulnerabilities in VPN servers, and compromise Remote Desktop Protocol (RDP) access. It additionally uses social engineering in callback phishing attacks, impersonating software companies and food service providers to trick users into installing remote access software.
HC3 has included indicators of compromise (IoCs) in the alert to help network defenders identify attacks.