Warning on Royal Ransomware from HHS.
The CyberWire, Dec 12, 2022

The US Department of Health and Human Services warns the healthcare sector to be on the lookout for Royal ransomware.

The US Department of Health and Human Services (HHS) has warned of the threat the Royal ransomware poses to the Healthcare and Public Health (HPH) sector.

Royal targets the healthcare sector.

The Royal ransomware first surfaced in September 2022. It appears to be run by a single, private group rather than as a ransomware-as-a-service (RaaS) operation with affiliates. A report from Microsoft found that the operators rely on social engineering and human-operated intrusions to deliver the ransomware:

“The group has been delivering the malware with human-operated attacks and has displayed innovation in their methods by using new techniques, evasion tactics, and post-compromise payloads. The group has been observed embedding malicious links in malvertising, phishing emails, fake forums, and blog comments. In addition, Microsoft researchers have identified changes in their delivery method to start using malvertising in Google ads, utilizing an organization’s contact form that can bypass email protections, and placing malicious installer files on legitimate looking software sites and repositories.”

Royal’s operators also practice double extortion: they exfiltrate victims’ data before encrypting it and then threaten to publish it. The HHS warning adds:

“Royal is a newer ransomware, and less is known about the malware and operators than others. Additionally, on previous Royal compromises that have impacted the HPH sector, they have primarily appeared to be focused on organizations in the United States. In each of these events, the threat actor has claimed to have published 100% of the data that was allegedly extracted from the victim.”

Industry comment.

Stephan Chenette, Co-Founder and CTO at AttackIQ, offered the following comments:

“This is not the first time the healthcare industry has been of concern in federal warnings. The HHS warning comes immediately after CommonSpirit Health announced a recent ransomware attack exposed the data of over half a million patients. CISA, the FBI and the HHS have also recently issued advisories on healthcare-related threats, such as warnings about the Daixin Team and vulnerabilities in medical devices. Royal differs from other threat groups in that it is a private group without affiliate partners. It has historically issued phishing attacks and embedded malicious links in fake forums and blog comments rather than performing as ransomware-as-a-service (RaaS).

“Healthcare organizations must adopt a threat-informed cyber strategy using the MITRE ATT&CK framework to be better prepared for Royal Ransomware attacks. The framework’s catalog helps organizations understand common techniques and tactics threat actors use. Knowing the procedures used by the adversary helps inform organizations’ security programs and assists in building a more resilient, proactive defensive and responsive security program that protects patient information. Additionally, using automated security solutions that safely validate organizations’ defensive controls against ransomware campaigns and threat actors can better prepare the healthcare industry to combat the next Royal threat.”