HC3 warns of human-operated Royal ransomware targeting healthcare, public health sector

The U.S. Department of Health & Human Services Health Sector Cybersecurity Coordination Center (HC3) on Wednesday published details of Royal, a human-operated ransomware first observed this year whose activity has since increased. Its operators have demanded ransoms of up to millions of dollars, and HC3 says it has been aware of attacks against the healthcare and public health (HPH) sector since the ransomware first appeared.

Given the long history of ransomware victimizing the healthcare community, Royal should be considered a threat to the HPH sector, HC3 said in its analyst note.

“Royal ransomware was first observed in September 2022. Once infected, the requested demand for payment has been seen to range anywhere from $250,000 U.S. Dollars (USD) to over $2 million USD. Royal is an operation that appears to consist of experienced actors from other groups, as there have been observed elements from previous ransomware operations,” the HC3 said. “While most of the known ransomware operators have performed ransomware-as-a-service, Royal appears to be a private group without any affiliates while maintaining financial motivation as their goal. The group does claim to steal data for double-extortion attacks, where they will also exfiltrate sensitive data.”

Once a network has been compromised, the operators carry out activities commonly seen in other ransomware operations: deploying Cobalt Strike for persistence, harvesting credentials, and moving laterally through the network until they ultimately encrypt files, HC3 said. “Originally, the ransomware operation used BlackCat’s encryptor, but eventually started using Zeon, which generated a ransomware note that was identified as being similar to Conti’s. The ransom notes appear in a README[dot]TXT, which also contains a link to the victim’s private negotiation page. This note was later changed to Royal in September 2022,” it added. 

Available details indicate that the Royal ransomware is a 64-bit executable written in C++ that targets Windows systems. Before encrypting, the ransomware deletes all Volume Shadow Copies, the point-in-time snapshots of a volume that Windows uses to restore earlier versions of files. 

“With these, you can quickly recover deleted or changed files stored on a network. It will encrypt the network shares that are found on the local network and the local drives,” the HC3 said. “The files are encrypted with the AES algorithm, with the key and IV being encrypted in the RSA public key, which is hard coded into the executable. The malware can either fully or partially encrypt a file based on its size and the ‘-ep’ parameter. Once the files are encrypted, it will change the extension of the files to ‘.royal,’” it added. 
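The behaviours HC3 describes above (shadow-copy deletion before encryption, files renamed to “.royal”, a README.TXT ransom note dropped alongside them) are the observable hooks a defender can alert on. The following is an added detection example written for this article; it is not code from HC3, Microsoft, or the Royal operators. The event records, host names, user names and rule names are constructed for illustration, loosely modelled on Sysmon process-creation and file-event fields, and the regular expressions cover the common command-line forms of shadow-copy deletion (vssadmin, wmic, diskshadow) rather than any Royal-specific artefact.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry for this example only. Field names approximate
# Sysmon process-creation (Image/CommandLine) and file events (TargetFilename);
# real collectors use different keys, so adapt classify_event() accordingly.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-014", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"type": "process", "host": "ws-014", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "host": "srv-fs01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"type": "file", "host": "srv-fs01", "user": "CORP\\svc_backup",
     "path": r"\\srv-fs01\finance\ledger-2022.xlsx.royal"},
    {"type": "file", "host": "srv-fs01", "user": "CORP\\svc_backup",
     "path": r"\\srv-fs01\finance\README.TXT"},
    {"type": "file", "host": "ws-022", "user": "CORP\\asmith",
     "path": r"C:\Users\asmith\Documents\notes.txt"},
]

# Command-line forms of Volume Shadow Copy deletion. These are generic
# living-off-the-land patterns, not a Royal signature.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bdiskshadow(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
]

ROYAL_EXTENSION = ".royal"      # extension HC3 reports Royal appends
RANSOM_NOTE_NAME = "readme.txt"  # note file name HC3 reports; noisy on its own


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    user: str
    detail: str


def _basename(path):
    """Return the lower-cased file name from a Windows or UNC path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev):
    """Return the list of findings a single event raises (possibly empty)."""
    findings = []
    if ev["type"] == "process":
        cmd = ev.get("cmdline", "")
        if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
            findings.append(Finding("shadow_copy_deletion", ev["host"], ev["user"], cmd))
    elif ev["type"] == "file":
        path = ev.get("path", "")
        name = _basename(path)
        if name.endswith(ROYAL_EXTENSION):
            findings.append(Finding("royal_extension_written", ev["host"], ev["user"], path))
        elif name == RANSOM_NOTE_NAME:
            # Many legitimate README.TXT files exist; keep this as a weak,
            # corroborating signal rather than an alert by itself.
            findings.append(Finding("ransom_note_candidate", ev["host"], ev["user"], path))
    return findings


def scan(events):
    """Run every event through classify_event() and flatten the results."""
    out = []
    for ev in events:
        out.extend(classify_event(ev))
    return out


def hosts_with_encryption_chain(findings):
    """Hosts where shadow copies were deleted AND .royal files appeared.

    Either signal alone can be benign or ambiguous (admins do clear shadow
    copies; a single odd extension can be a false positive). Seeing both on
    one host matches the pre-encryption sequence described in the note and
    is the condition worth paging on.
    """
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return {
        host for host, rules in rules_by_host.items()
        if "shadow_copy_deletion" in rules and "royal_extension_written" in rules
    }


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.rule:26} {f.host:10} {f.user:18} {f.detail}")
    print("escalate:", sorted(hosts_with_encryption_chain(results)))
```

On the constructed input, ws-014 only triggers the shadow-copy rule (worth a ticket, not a page), while srv-fs01 shows both shadow-copy deletion and a “.royal” rename and is the host the correlation function escalates. In production the same correlation should also be keyed on a time window and on the account, since Royal operators move laterally with harvested credentials and the share being encrypted is often not the host running the encryptor.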

HC3 notes that multiple threat actors have been spreading Royal ransomware, and a November Microsoft report identified that it is also being distributed by the group Microsoft tracks as DEV-0569. “The group has been delivering the malware with human-operated attacks and has displayed innovation in their methods by using new techniques, evasion tactics, and post-compromise payloads. The group has been observed embedding malicious links in malvertising, phishing emails, fake forums, and blog comments,” the HC3 said. 

In addition, Microsoft researchers have identified changes in the group’s delivery methods: malvertising through Google Ads, abuse of an organization’s own contact form to bypass email protections, and placement of malicious installer files on legitimate-looking software sites and repositories.

Microsoft identified instances involving DEV-0569 infection chains that ultimately facilitated human-operated ransomware attacks distributing Royal ransomware. “Based on tactics observed by Microsoft, ransomware attackers likely gained access to compromised networks via a BATLOADER-delivered Cobalt Strike Beacon implant. DEV-0569’s widespread infection base and diverse payloads likely make the group an attractive access broker for ransomware operators,” it said in its post.

The HC3 note pointed out that Royal is a newer ransomware, and less is known about the malware and its operators than about more established groups. “Additionally, on previous Royal compromises that have impacted the HPH sector, they have primarily appeared to be focused on organizations in the United States. In each of these events, the threat actor has claimed to have published 100% of the data that was allegedly extracted from the victim,” it added. 

Beyond the techniques addressed in the report, HC3 continues to see the attack vectors frequently associated with ransomware: phishing, Remote Desktop Protocol (RDP) compromises and credential abuse, and exploitation of known vulnerabilities, such as those in internet-facing VPN servers. 

Last month, HC3 provided the healthcare sector with an analysis of the Iranian cyber attack landscape, the Iranian threat actors involved, and recent Iranian cyberattacks in the news. That document also covers the attack analysis, the tactics, techniques, and procedures (TTPs) used by these groups, and potential mitigations.

Furthermore, in November, the Federal Bureau of Investigation (FBI), CISA, and the Department of Health and Human Services (HHS) released a joint cybersecurity advisory (CSA) disseminating known Hive ransomware indicators of compromise (IOCs) and TTPs identified through FBI investigations as recently as that month. Before that, in October, U.S. cybersecurity agencies and HHS published a CSA outlining threats from the Daixin cybercrime group.
