U.S. healthcare organizations could be in the crosshairs of a new cyberthreat collective dubbed Royal. The U.S. Department of Health and Human Services published an analyst note this week detailing the threat and the hacker group’s tactics.
The warning from HHS’s Health Sector Cybersecurity Coordination Center identified the relatively new group as perps behind several attacks first appearing in September 2022 against Healthcare and Public Healthcare targets. Ransom demands, per HC3, have reached into the millions of dollars, with the group constituting a real and present danger to the HPH sector going forward.
According to the report, the Royal ransomware group — an apparently money-motivated outfit with no affiliates — deploys a 64-bit executable written in C++ targeting Windows systems. It works to delete all volume shadow copies, a Microsoft Windows feature that can create backup copies of files or folders in real time.
SEE: McAfee 2023 Threat Predictions (TechRepublic)
“Once infected, the requested demand for payment has been seen to range anywhere from $250,000 to over $2 million,” said the Center, asserting that Royal comprises experienced actors from other groups that began by using ransomware-as-a-service tactics.
“The group does claim to steal data for double-extortion attacks, where they will also exfiltrate sensitive data,” said the report, which also noted that the group will compromise a network then perform such well-known gambits as:
- Cobalt Strike for infiltration and persistence
- Credentials harvesting
- Lateral movement
Royal links to threat actor DEV-0569
A report last month from Microsoft Security noted that the Royal ransomware is also being distributed by the threat group DEV-0569, which, according to Microsoft, is actively evolving to incorporate new “discovery techniques, defense evasion and various post-compromise payloads, alongside increasing ransomware facilitation.”
The report said DEV-0569 “relies on malvertising, phishing links that point to a malware downloader posing as software installers or updates embedded in spam emails, fake forum pages and blog comments.”
Microsoft also reported that DEV-0569 is using malvertising in Google advertisements, utilizing an organization’s contact forum that can bypass email protections, and placing malicious installer files on legitimate looking software sites and repositories.
Healthcare sector remains vulnerable
Justin Cappos, a cybersecurity expert and professor of computer science at the NYU Tandon School of Engineering, said the health care and hospital sectors are particularly vulnerable to ransomware attacks because hospitals tend to have money, a large threat surface, outdated systems, and due to life-and-death consequences, are highly motivated to pay. These factors are echoed in a 2021 Brookings Institution report lamenting the state of cybersecurity affairs in healthcare enterprises.
“In general, hospitals and related facilities are victims because they often pay ransom, are often moderately insecure and are supported by legacy systems that are not easily patched,” said Cappos. “This is because for a lot of medical systems, there is concern that upgrading systems and device software could ‘break’ the system itself, resulting in medical emergencies.”
Another issue for healthcare sector cybersecurity: A talent drought, as grads with security training will favor higher paying tech companies.
“Finding and recruiting top people for security for hospitals is a challenge,” said Cappos. “You don’t often hear computer science and cybersecurity graduates saying: ‘I’m so excited I got a job at a hospital.’”
The Royal group’s own tactics are evolving, according to HC3, which reported that Royal started with an encryptor from ransomware-as-a-service purveyor ALPHV, aka BlackCat, then began using their own to generate a ransomware note in a README.TXT with a link to the victim’s private negotiation page. Since the middle of September, the group has been using “Royal” in its encryptor-generated ransom notes.
SEE: 2022 State of the Threat: Ransomware is still hitting companies hard (TechRepublic)
“Royal is a newer ransomware, and less is known about the malware and operators than others” said HC3. “Additionally, on previous Royal compromises that have impacted the HPH sector, they have primarily appeared to be focused on organizations in the United States. In each of these events, the threat actor has claimed to have published 100% of the data that was allegedly extracted from the victim.”
More broadly, HC3 said it continues to see the following attack vectors frequently associated with ransomware:
- Phishing
- Remote Desktop Protocol compromises and credential abuse
- Compromises of exploited vulnerabilities, such as VPN servers
- Compromises in other known vulnerabilities
If you are interested in learning best practices for securing your organization’s physical IT, download: IT Physical Security Policy (TechRepublic Premium).