US Healthcare Is Under Attack By A Royal Ransomware Threat
However, unlike Hive and most other ransomware groups, Royal does not operate according to the Ransomware-as-a-Service (RaaS) model. Rather than arming affiliate actors with its ransomware, Royal does its own dirty work, compromising its targets’ networks and spreading its ransomware. According to the HC3 report, the group is likely composed of experienced actors from other ransomware groups, judging by Royal’s advanced tactics, techniques, and procedures (TTPs).
The group initially began its operations using the ALPHV/BlackCat ransomware gang’s encryptor, then switched to using the ZEON ransomware encryptor. However, in September, the ransomware group branded itself as “Royal” and introduced its own ransomware that encrypts files with the .royal extension. When deployed, the Royal ransomware deletes all Volume Shadow Copies and encrypts network shares in order to block common file recovery methods.
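Because Royal deletes Volume Shadow Copies before encrypting, process-creation logs can be checked for the commands commonly used to do that. This is an added Python example, not content from the HC3 report or this article; the command patterns, the allowlisted backup account and the log lines are constructed assumptions, and the report summarised here does not state which commands Royal itself uses.

```python
import re

# Command-line patterns associated with shadow-copy deletion (MITRE ATT&CK T1490).
# General patterns for the technique; the report summarised above does not say
# which commands Royal itself uses, so these are an assumption, not an indicator.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Accounts expected to manage shadow storage (e.g. a backup service); constructed.
EXPECTED_USERS = {"svc_backup"}

# Constructed log format: "host=<h> user=<u> cmd=<full command line>".
LOG_RE = re.compile(r"^host=(\S+)\s+user=(\S+)\s+cmd=(.*)$")

def find_shadow_copy_deletions(lines):
    """Return a list of (host, user, cmd, suspicious) for matching events.
    suspicious is False when the user is an expected shadow-storage manager,
    so an alert pipeline can rank those lower instead of dropping them."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        host, user, cmd = m.groups()
        if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
            hits.append((host, user, cmd, user not in EXPECTED_USERS))
    return hits

# Constructed sample process-creation events (not real telemetry).
SAMPLE_LOGS = [
    "host=FS01 user=svc_backup cmd=vssadmin list shadows",
    "host=FS01 user=svc_backup cmd=vssadmin resize shadowstorage /for=C: /on=C: /maxsize=20%",
    "host=FS01 user=CORP\\jdoe cmd=vssadmin.exe delete shadows /all /quiet",
    "host=WS22 user=CORP\\jdoe cmd=cmd.exe /c wmic shadowcopy delete",
    "host=WS22 user=CORP\\jdoe cmd=notepad.exe report.txt",
    "host=DC01 user=SYSTEM cmd=powershell -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }",
]

if __name__ == "__main__":
    for host, user, cmd, suspicious in find_shadow_copy_deletions(SAMPLE_LOGS):
        level = "ALERT" if suspicious else "INFO"
        print(f"{level} shadow-copy tampering on {host} by {user}: {cmd}")
```

Only the benign `vssadmin list shadows` and the unrelated `notepad.exe` events pass silently; the backup account's resize is reported at INFO and the other three at ALERT.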
Cybersecurity researchers have observed Royal spreading its ransomware through phishing attacks, network intrusions, and malvertising (malicious advertising) for what appears to be legitimate software but is actually ransomware. In the case of network intrusions, the group often leverages security vulnerabilities to gain a foothold, then deploys Cobalt Strike to ensure persistence, harvest credentials, and move laterally through the compromised network before finally deploying the Royal ransomware.
While the HC3 report is primarily intended to warn the healthcare and public health (HPH) sector about this ransomware group, Royal doesn’t limit its attacks strictly to this sector. The ransomware group also attacks a wide range of organizations, including schools, law firms, manufacturers, and non-profits. Royal’s victims are primarily based in the US, but the group has struck organizations in other countries as well. The threat posed by ransomware is only growing, so organizations across all sectors and countries should remain vigilant and implement ransomware mitigation measures.