The United States Department of Health and Human Services (HHS) issued a new warning to healthcare organizations about the cybercriminal gang known as Royal Ransomware. Royal is ransomware that was first observed in 2022 and has increased in frequency, demanding millions of dollars, per the report.
Once targets are successfully infected with the Royal ransomware, the ransom can range anywhere from $250,000 to $2 million, per the Health Sector Cybersecurity Coordination Center (HC3) analyst note.
Researchers believe that Royal is financially motivated, without any affiliation to other known cybercriminal groups or nation-states. The group has threatened data exfiltration, in what is referred to as a “double extortion attack.”
Royal follows the tactics of many other ransomware cybercriminal groups, deploying tools such as Cobalt Strike for persistence, harvesting credentials, and moving laterally throughout the target network to encrypt files. The ransom notes are left in a README.txt file with a private negotiation page link.
While the encryptor was originally Zeon, it was updated to Royal in September 2022. Once the files are encrypted, the ransomware changes the extension of all files to “.royal”.
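The two file-system artifacts described above (README.txt ransom notes and files renamed to “.royal”) can be turned into a simple host-level detection. The following is an added example, not code from the HC3 note or this blog; the event format, host names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed file events: "<ISO time> <host> <action> <path>" (assumed format).
SAMPLE_EVENTS = r"""
2022-12-08T02:14:01 FS01 RENAME D:\records\intake.docx.royal
2022-12-08T02:14:02 FS01 RENAME D:\records\labs.xlsx.royal
2022-12-08T02:14:02 FS01 CREATE D:\records\README.TXT
2022-12-08T02:14:03 FS01 RENAME D:\billing\q3.pdf.royal
2022-12-08T02:14:05 FS01 RENAME D:\billing\q4.pdf.royal
2022-12-08T09:30:10 WS07 CREATE C:\src\tool\README.txt
2022-12-08T09:31:00 WS07 RENAME C:\src\tool\notes.md
2022-12-08T10:02:00 WS09 RENAME C:\games\crown.royal
2022-12-08T10:02:30 WS09 CREATE C:\games\README.txt
"""

WINDOW = timedelta(seconds=60)  # assumed tuning value
MIN_RENAMES = 4                 # assumed tuning value


def parse(line):
    """Split one event line; the path is last so it may contain spaces."""
    ts, host, action, path = line.split(None, 3)
    return datetime.fromisoformat(ts), host, action, PureWindowsPath(path)


def detect(log_text, window=WINDOW, min_renames=MIN_RENAMES):
    """Return {host: time of first alert}. A host alerts when, inside one
    sliding window, it shows >= min_renames renames to ".royal" AND at least
    one README.txt creation. Events must be in time order."""
    renames, notes, alerts = defaultdict(deque), defaultdict(deque), {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, action, path = parse(line)
        if action == "RENAME" and path.suffix.lower() == ".royal":
            renames[host].append(ts)
        elif action == "CREATE" and path.name.lower() == "readme.txt":
            notes[host].append(ts)
        else:
            continue  # unrelated event
        for queue in (renames[host], notes[host]):
            while queue and ts - queue[0] > window:
                queue.popleft()  # drop events older than the window
        if host not in alerts and len(renames[host]) >= min_renames and notes[host]:
            alerts[host] = ts
    return alerts
```

Requiring both signals in the same window keeps an ordinary README.txt on a developer workstation, or a single stray “.royal” file, from raising an alert.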
Where Royal deviates from other groups is that it uses hacked Twitter accounts to “tweet information on compromised targets to journalists”, which puts additional media scrutiny and pressure on the victims to respond.
Healthcare cybersecurity incidents unprecedented
This alert comes as the healthcare industry globally is under increasing pressure from ransomware groups. In October, a joint bulletin from CISA and the FBI warned that the Daixin Team cybercriminal group was targeting healthcare. Also in October, CommonSpirit Health, the second-largest non-profit hospital chain in the US, suffered a ransomware attack.
Researchers with Recorded Future found that 25% of all ransomware attacks in 2022 affected the healthcare industry.
Ransomware attacks against the healthcare industry are potentially life-threatening to patients under care, as they can delay surgeries and force patient relocations.