A new ransomware campaign is attacking healthcare organizations in the United States in a malicious operation dubbed Royal, the US Department of Health and Human Services (HHS) said in a security advisory.
Royal, first noticed in September, doesn’t function on the Ransomware-as-a-Service (RaaS) model like other operations. Instead, it seems to run as a private group without affiliates.
However, researchers have identified shared “elements from previous ransomware operations,” leading them to believe that seasoned threat actors from other cybercrime groups could be part of the operation.
The financially motivated threat group deals in double-extortion attacks, requesting hefty ransoms to restore stolen data and not leak sensitive documents to the public. Ransom demands range anywhere from $250,000 to over $2 million.
“Once a network has been compromised, they will perform activities commonly seen from other operations, including deploying Cobalt Strike for persistence, harvesting credentials, and moving laterally through a system until they ultimately encrypt the files,” HHS said in the announcement. “Originally, the ransomware operation used BlackCat’s encryptor, but eventually started using Zeon, which generated a ransomware note that was identified as being similar to Conti’s.”
The 64-bit, C++-written executable spread by Royal ransomware operators deletes all Volume Shadow Copies, rendering the victim unable to recover compromised files using point-in-time copies. It enciphers local network and local drive shares using the AES algorithm, encrypts the initial vector (IV) and the key in the RSA public key, then hardcodes it into the executable. After encrypting files, the malicious executable appends the “.royal” extension to them.
Specialized software solutions such as Bitdefender Ultimate Security can keep you safe from ransomware attacks and other e-threats with features like: