The U.S. Department of Health and Human Services (HHS) has released a warning about ongoing Royal ransomware attacks that target healthcare organizations in the country.
What Is Known about the Royal Ransomware Attacks?
Royal ransomware is a lesser-known ransomware family first observed in September 2022. In addition to demanding ransoms ranging from $250,000 to over $2 million USD, the group also claims to steal data for double-extortion attacks. The group does not appear to operate under the ransomware-as-a-service model but is rather a private group. The attack scenario usually includes an additional Cobalt Strike payload for persistence, harvesting credentials, and moving laterally through the compromised environment.
“Royal is an operation that appears to consist of experienced actors from other groups, as there have been observed elements from previous ransomware operations,” as per the alert. The operation initially appears to have used the BlackCat encryptor before switching to Zeon. The ransom note identified in these attacks was similar to that of Conti ransomware. As in most ransomware attacks, the ransom note is dropped as a README.TXT file containing a link to the victim’s private negotiation page. The note was later changed to Royal in September 2022, the HHS said.
Currently, several threat actors are distributing the Royal ransomware, including a group known as DEV-0569. “The group has been delivering the malware with human-operated attacks and has displayed innovation in their methods by using new techniques, evasion tactics, and post-compromise payloads,” the alert noted. A report from Microsoft also said that the group has started using malvertising in Google ads, using a target’s contact form to bypass email protections, and placing malicious installer files on software sites and repositories.