A new ransomware named Royal has infected organizations in the Healthcare and Public Health (HPH) sector in the US. It is unknown how many successful attacks have occurred, but the Health Sector Cybersecurity Coordination Center (HC3) has stated that ransoms from $250,000 to over $2 million USD have been demanded.
The group behind the attacks, also named Royal, appears to be made up of highly skilled actors drawn from different hacker groups, including DEV-0569. Based on the attack processes, it is apparent that the group started by combining tools and techniques from their respective groups before adding their own unique Royal touches.
It then seems that the actors allowed their respective groups to distribute and use the malware as well. So, while Royal malware is independent and not available as ransomware-as-a-service, multiple groups are behind the recent attacks that use it.
Royal uses attack processes similar to those seen in previously known attacks, such as using Cobalt Strike to obtain credentials and move through a network before encrypting files. In the first attacks, Royal used BlackCat’s encryptor, and then Zeon, before adopting its own Royal encryptor. After files are encrypted, a README.TXT ransom note contains a link to negotiate a settlement. The attackers also threaten to release stolen data to the public.
Royal Claims to Have Published 100% of Stolen Data
The Royal ransomware targets Windows systems and is written in C++ for 64-bit systems. The ransomware deletes all Volume Shadow Copies so a user cannot quickly recover files. It then encrypts files using the AES algorithm.
The AES key and IV are encrypted with an RSA public key that is hard-coded into the .exe file. The malware can encrypt files fully or partially, depending on the file size and the ‘-ep’ parameter. After the files are encrypted, the file extension changes to ‘royal’. Royal is human-operated malware that typically does not spread on its own. An HC3 analyst commented:
Royal is a newer ransomware, and less is known about the malware and operators than others. Additionally, on previous Royal compromises that have impacted the HPH sector, they have primarily appeared to be focused on organizations in the United States. In each of these events, the threat actor has claimed to have published 100% of the data that was allegedly extracted from the victim.
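The behaviours described above (deleting Volume Shadow Copies before encryption, renaming files to the ‘royal’ extension, and dropping a README.TXT note) are the kind of host telemetry a SOC can alert on. The following Python script is an added example written for this page, not tooling from the article or from HC3; the log format, host names and the specific shadow-copy deletion command lines are constructed assumptions, since the article does not state which command Royal uses to delete the copies.

```python
"""Detection heuristics for the Royal ransomware behaviours described above.

Added example, not from the original article or from HC3. The log lines below
are constructed samples in a simplified "timestamp|host|event|detail" format.
The shadow-copy deletion command lines are assumed (they are common ways to
delete Volume Shadow Copies, not indicators published by the article).
"""
import re
from collections import defaultdict

# Constructed sample telemetry: process creation, file rename and file create events.
SAMPLE_LOG = """\
2022-12-07T10:01:03|ws-14|process|cmd.exe /c vssadmin.exe delete shadows /all /quiet
2022-12-07T10:01:04|ws-14|process|wmic.exe shadowcopy delete
2022-12-07T10:02:10|ws-14|rename|C:\\Users\\a\\Documents\\q1.xlsx -> C:\\Users\\a\\Documents\\q1.xlsx.royal
2022-12-07T10:02:11|ws-14|rename|C:\\Users\\a\\Documents\\q2.xlsx -> C:\\Users\\a\\Documents\\q2.xlsx.royal
2022-12-07T10:02:12|ws-14|rename|C:\\Users\\a\\Documents\\notes.docx -> C:\\Users\\a\\Documents\\notes.docx.royal
2022-12-07T10:02:15|ws-14|create|C:\\Users\\a\\Documents\\README.TXT
2022-12-07T10:30:00|ws-07|process|explorer.exe
2022-12-07T10:31:00|ws-07|rename|C:\\tmp\\draft.docx -> C:\\tmp\\final.docx
"""

# Assumed command lines that delete all Volume Shadow Copies (not from the article).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
]
# Encrypted files receive the 'royal' extension; the ransom note is README.TXT.
ROYAL_EXT = re.compile(r"\.royal$", re.IGNORECASE)
RANSOM_NOTE = re.compile(r"(^|[\\/])README\.TXT$", re.IGNORECASE)


def parse_line(line):
    """Split one constructed log line into its four fields; None if malformed."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    ts, host, event, detail = parts
    return {"ts": ts, "host": host, "event": event, "detail": detail}


def analyze(log_text, rename_threshold=3):
    """Return {host: [(finding_kind, evidence), ...]} for hosts showing Royal-like behaviour.

    - shadow_copy_deletion: a process command line matching a shadow-copy deletion
    - royal_extension_burst: at least rename_threshold files renamed to .royal
    - ransom_note: README.TXT created on the host
    """
    findings = defaultdict(list)
    royal_renames = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        host, event, detail = rec["host"], rec["event"], rec["detail"]
        if event == "process" and any(p.search(detail) for p in SHADOW_DELETE_PATTERNS):
            findings[host].append(("shadow_copy_deletion", detail))
        elif event == "rename":
            _, _, dst = detail.partition(" -> ")
            if ROYAL_EXT.search(dst.strip()):
                royal_renames[host] += 1
                # Emit the burst finding once, when the threshold is first reached.
                if royal_renames[host] == rename_threshold:
                    findings[host].append(
                        ("royal_extension_burst", f"{rename_threshold}+ files renamed to .royal")
                    )
        elif event == "create" and RANSOM_NOTE.search(detail.strip()):
            findings[host].append(("ransom_note", detail))
    return dict(findings)


if __name__ == "__main__":
    for host, items in analyze(SAMPLE_LOG).items():
        for kind, evidence in items:
            print(f"{host}: {kind} <- {evidence}")
```

Shadow-copy deletion is the earliest and highest-value signal of the three, since it precedes encryption; the rename burst and the note confirm that encryption has already started, so an alert on the first finding alone should trigger host isolation rather than waiting for the others.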
Multiple actors are using the ransomware, including DEV-0569, a threat actor that may be closely linked to the Royal group. DEV-0569 has been known to deliver human-operated attacks with innovative methods and techniques, such as embedding malicious links in Google Ads. Microsoft researchers have reported that this group also uses attack vectors such as an organization’s contact form to bypass email protections, and hides malicious files on software sites that look legitimate.
So, if you’re in the healthcare sector, be especially wary of suspicious email links, unfamiliar websites and adverts.