Royal Ransomware Targets US Healthcare

Written by

The ransomware group known as Royal has been targeting the healthcare industry in the US, warned the Health Department (HC3) last week.

"HC3 is aware of attacks against the Healthcare and Public Healthcare (HPH) sector," wrote the department in an analyst note last Wednesday.

"Due to the historical nature of ransomware victimizing the healthcare community, Royal should be considered a threat to the HPH sector."

According to the analyst note, requested ransom payment demands ranged from $250,000 to over $2m.

"Royal is an operation that appears to consist of experienced actors from other groups, as there have been observed elements from previous ransomware operations," HC3 wrote.

Additionally, while most known ransomware operators have employed ransomware-as-a-service (RaaS) techniques, HC3 said Royal appears to be a private group without any affiliates while maintaining financial motivation as their goal.

"The group does claim to steal data for double-extortion attacks, where they will also exfiltrate sensitive data," said HC3.

Despite many years of regulation, the fact that healthcare remains the costliest industry for data breaches indicates a significant deficit in cybersecurity funding, as compared to other sectors, said Shawn Surber, senior director of technical account management at Tanium

"This is especially concerning considering virtually any outage or disruption in operations will cause a financial – and often physical – impact in a patient care setting," Surber explained.

After the initial infection, the Royal ransomware group has been observed deploying Cobalt Strike for persistence, harvesting credentials and moving laterally through a system until they ultimately encrypt the files.

"Originally, the ransomware operation used BlackCat's encryptor, but eventually started using Zeon, which generated a ransomware note that was identified as being similar to Conti's," HC3 explained. 

Commenting on the news, Andrew Barratt, vice president at Coalfire, said these attacks are good examples of how threat actors leverage commercially available tools for greater sophistication.

"Their attacks look like they are taking multiple-monetization strategies – with the ability to sell/reuse credentials [and] data and ultimately extort money using ransomware," Barratt told Infosecurity.

"The fact that off-the-shelf tooling used by defenders is being used is both a blessing and a curse. This should be something that defense teams are more easily able to detect. Still, it's being deployed perhaps means the attackers have a degree of confidence that the defenders don't have enough capabilities to spot them."

The HC3 note comes weeks after Colombian healthcare provider Keralty reported a ransomware attack that affected its systems as well as two of its subsidiaries.

What’s hot on Infosecurity Magazine?