Royal ransomware is targeting US critical infrastructure

The FBI and CISA have issued a joint advisory warning of a new ransomware threat: Royal. Royal is a sophisticated ransomware variant that has been targeting critical infrastructure sectors, including communications, healthcare, and public healthcare.

The Department of Health and Human Services issued its own warning in December 2022 after the ransomware was found crippling many healthcare organizations across the country.

CISA’s advisory notes that Royal ransomware has been active since September 2022 and has compromised a significant number of organizations. The FBI and CISA believe that Royal is likely the work of a well-organized and experienced ransomware group.

According to the report, Royal threat actors have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin. Royal threat actors also engage in double extortion tactics, whereby they threaten to publicly release the encrypted data if the victim does not pay the ransom.

Royal actors have targeted numerous critical infrastructure sectors including, but not limited to, Manufacturing, Communications, Healthcare and Public Healthcare (HPH), and Education.

CISA hopes organizations will take the advisory seriously and strengthen cyber defenses. The advisory provides information on how to identify Royal ransomware and how to mitigate the risk of infection. Organizations are urged to take steps to protect their networks from Royal ransomware, including implementing strong cybersecurity practices, such as using up-to-date antivirus software and firewalls.

According to third-party reporting, Royal actors most commonly (in 66.7% of incidents) gain initial access to victim networks via successful phishing emails. The threat actors are then able to deploy command and control tools to the targeted network, move laterally, exfiltrate valuable data, and encrypt the targeted network’s data.

A downloadable copy of the indicators of compromise (IOCs) is available on CISA’s advisory post in XML format. Royal TTPs are also provided.

Organizations that are attacked by Royal ransomware should immediately contact law enforcement and work with a cybersecurity firm to investigate the incident and recover their data, according to CISA.

As reported by TechCrunch, in November 2022 Royal ransomware was reported to be the most prolific ransomware operation, overtaking LockBit. Recent data shows that Royal was responsible for at least 19 ransomware attacks in February, behind 51 attacks attributed to LockBit and 22 attacks linked to Vice Society.

To help organizations prepare and assess their network for cybersecurity threats, CISA provides two free cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.