Royal Ransomware Threat Targets the U.S. Healthcare System

The Royal ransomware threat is targeting the U.S. healthcare system, and the U.S. Department of Health and Human Services (HHS) has issued a warning about the danger.

According to Health Sector Cybersecurity Coordination Center (HC3), “While most of the known ransomware operators have performed Ransomware-as-a-Service, Royal appears to be a private group without any affiliates while maintaining financial motivation as their goal. The group does claim to steal data for double-extortion attacks, where they will also exfiltrate sensitive data.”

Fortinet FortiGuard Labs has been tracking files named “Royal ransomware” since the start of 2022. The malware is a 64-bit Windows executable written in C++ and launched via the command line, which means that it’s activated when an individual with access to the system triggers it.

Royal is a powerful file-encryption utility: it uses OpenSSL to encrypt files and appends a “.royal” extension to each encrypted file.

Last month, Microsoft said that a group it’s tracking called DEV-0569 has been observed deploying the ransomware family through many different methods.

This includes malicious links delivered to victims via malicious ads, fake forum pages, blog comments, or by phishing emails that lead to corrupt installation files for legitimate apps like Microsoft Teams or Zoom.

Files like the ones we uncovered are known to contain malware downloaders like BATLOADER, which deliver payloads like Gozi, Vidar, BumbleBee, and more. They also abuse remote administration tools in order to deploy Cobalt Strike, followed by ransomware deployment.

The ransomware gang, which first appeared last year, is believed to consist of experienced actors from other operations. This speaks to the ever-evolving nature of the threat landscape.

“Originally, the ransomware operation used BlackCat’s encryptor; but eventually, Zeon was released to generate the notes for certain ransomware variants. The Royal note was identified in September 2022.”

The Royal ransomware attacks on healthcare organizations have primarily focused on those based in the U.S., with final payouts set at $250,000 to $2 million.
