The US Department of Health and Human Services (HHS) has warned of an ongoing Royal ransomware attack targeting healthcare facilities in the country.
“While most of the known ransomware operators have run ransomware-as-a-service, Royal appears to be a private group with no affiliations while maintaining financial motivation as a goal,” said the agency's Health Sector Cybersecurity Coordination Center (HC3) [PDF].
“The group claims to steal data for a double extortion attack, and it also steals sensitive data.”
Royal ransomware, according to Fortinet FortiGuard Labs, has been active since at least the beginning of 2022. The malware is a 64-bit Windows executable written in C++ that is launched via the command line in the target environment.
In addition to deleting volume shadow copies on the system, Royal uses the OpenSSL library to encrypt files with AES and appends a “.royal” extension to them.
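Two of the behaviours just described, shadow-copy deletion and files being renamed with a “.royal” extension, are easy to check for in endpoint telemetry. The following is an added detection example, not code from the article or from any vendor; the simplified key=value log format and the sample events are constructed, and the specific shadow-copy deletion command lines it matches are the commonly documented ones (MITRE ATT&CK T1490), which the article does not enumerate.

```python
import re

# Constructed sample events in a hypothetical "key=value" endpoint log format.
# Neither the format nor the events come from the article.
SAMPLE_EVENTS = [
    'type=process image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"',
    'type=process image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic shadowcopy delete"',
    'type=process image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe report.txt"',
    'type=file_rename old=C:\\Users\\alice\\Documents\\q3.xlsx new=C:\\Users\\alice\\Documents\\q3.xlsx.royal',
    'type=file_rename old=C:\\Users\\alice\\Documents\\a.txt new=C:\\Users\\alice\\Documents\\a.bak',
]

# Well-known ways of deleting Volume Shadow Copies (assumption: the article only
# says Royal deletes them, not which command it uses).
SHADOW_COPY_DELETION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*(delete|remove)", re.I),
]

# Extension the article attributes to Royal-encrypted files.
ROYAL_EXTENSION = ".royal"


def parse_event(line):
    """Split one key=value line into a dict; quoted values may contain spaces."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def classify(line):
    """Return (rule_name, evidence) when a line matches a Royal-related rule, else None."""
    ev = parse_event(line)
    if ev.get("type") == "process":
        cmd = ev.get("cmdline", "")
        if any(p.search(cmd) for p in SHADOW_COPY_DELETION):
            return ("shadow_copy_deletion", cmd)
    elif ev.get("type") == "file_rename":
        new_path = ev.get("new", "")
        if new_path.lower().endswith(ROYAL_EXTENSION):
            return ("royal_extension_rename", new_path)
    return None


def scan(lines):
    """Run every rule over a sequence of log lines and collect the alerts in order."""
    return [hit for hit in map(classify, lines) if hit is not None]


if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {evidence}")
```

In a real deployment the shadow-copy rule is the higher-fidelity signal, since it fires before encryption starts; the extension rule only confirms damage already done.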
Last month, Microsoft revealed that the group it tracks under the name DEV-0569 has been observed deploying a ransomware family in a variety of ways.
These include malicious links delivered to victims through malvertising, fake forum pages, blog comments, or phishing emails that lead to malicious installer files for legitimate apps such as Microsoft Teams and Zoom.
These files contain a malware downloader called BATLOADER, which abuses legitimate remote management tools such as Syncro to deploy Cobalt Strike, and also delivers payloads such as Gozi, Vidar, and BumbleBee ahead of the subsequent ransomware deployment.
The ransomware gang, which only emerged this year, is believed to be composed of experienced threat actors from other operations, demonstrating that the threat landscape is constantly evolving.
“Originally, the ransomware operation used BlackCat’s encryptor, but eventually started using Zeon, which generated ransom notes that were identified as similar to those of Conti,” HHS said. “That note was later changed to Royal in September 2022.”
The agency further noted that Royal ransomware attacks on healthcare have focused primarily on US organizations, with payment demands ranging from $250,000 to $2 million.