Royal Ransomware Hitting Healthcare Targets and Dumping Data
Tongue-in-Cheek Ransom Note Claims 'Modest Royalty' for 'Pentesting Services'
The healthcare sector is under fire from a new strain of ransomware called Royal, which has been tied to attacks that demand ransoms from $250,000 to over $2 million.
Royal-wielding attackers appear to be especially interested in hitting the U.S. healthcare sector, with unwelcome results for victims. "In each of these events, the threat actor has claimed to have published 100% of the data that was allegedly extracted from the victim," the Department of Health and Human Services warns in a security alert.
Royal is the latest in a long line of "human-operated ransomware," meaning the ransomware gets used at the end of a longer attack chain, beginning with attackers gaining remote access to a victim's network, according to the alert from the HHS Health Sector Cybersecurity Coordination Center.
"Once a network has been compromised, they will perform activities commonly seen from other operations, including deploying Cobalt Strike for persistence, harvesting credentials, and moving laterally through a system until they ultimately encrypt the files," HC3 says (see: Block This Now: Cobalt Strike and Other Red-Team Tools).
Ransom notes dropped by Royal claim that the attackers have already exfiltrated data and threaten double extortion: in addition to holding the encrypted files hostage for a payment, they threaten to release the data captured from the victim, researchers at cybersecurity firm Fortinet report. "In what appears to be a bit of tongue in cheek," Fortinet researchers add, the ransom note also suggests the attacker provided a "pentesting service" that features a "security review."
Multiple groups appear to be wielding Royal ransomware, which was first spotted in the wild in September and designed to target 64-bit Windows systems, security experts say. Files crypto-locked by the malware have .royal appended to their filename.
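The .royal suffix is a simple but useful detection hook. As an added illustration (not code from the article or from any vendor it cites), the following Python scans constructed file-rename log lines and flags hosts where a burst of files gained the .royal extension within a short window; the log format, hostnames and paths are assumed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, not real telemetry: "<ISO time> <host> RENAME <old> -> <new>".
SAMPLE_LOG = """\
2022-12-08T09:15:01 ws01 RENAME C:\\Share\\q3.xlsx -> C:\\Share\\q3.xlsx.royal
2022-12-08T09:15:02 ws01 RENAME C:\\Share\\plan.docx -> C:\\Share\\plan.docx.royal
2022-12-08T09:15:02 ws01 RENAME C:\\Share\\img.png -> C:\\Share\\img.png.royal
2022-12-08T09:15:03 ws01 RENAME C:\\Share\\notes.txt -> C:\\Share\\notes.txt.royal
2022-12-08T09:20:00 ws02 RENAME C:\\Temp\\draft.txt -> C:\\Temp\\final.txt
2022-12-08T10:00:00 ws03 RENAME C:\\Old\\a.pdf -> C:\\Old\\a.pdf.royal
"""

LINE_RE = re.compile(r"^(\S+) (\S+) RENAME (.+?) -> (.+)$")

def parse_events(text):
    """Yield (timestamp, host, new_path) for every RENAME line that parses."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(4)

def find_royal_bursts(text, window=timedelta(seconds=60), threshold=3):
    """Return {host: peak_count} for hosts where at least `threshold` files gained
    the .royal suffix inside any `window`-long span. A single rename is weak
    evidence; a burst is the mass-encryption signal worth alerting on."""
    per_host = defaultdict(list)
    for ts, host, new_path in parse_events(text):
        if new_path.lower().endswith(".royal"):
            per_host[host].append(ts)
    hits = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[host] = max(hits.get(host, 0), end - start + 1)
    return hits

if __name__ == "__main__":
    print(find_royal_bursts(SAMPLE_LOG))  # {'ws01': 4}
```

Host ws03 has only one .royal rename and is deliberately left out of the result, so a stray file does not page anyone; the window and threshold are tuning knobs for the environment.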
In September, Bleeping Computer reported that Royal's developers had begun using other groups' encryptors, including one from BlackCat, before switching to its own encryptor, called Zeon. HC3 says the group later renamed its encryptor Royal.
Microsoft in November reported that among Royal's users is a group it has given the code name DEV-0569. It says the group "relies on malvertising, phishing links that point to a malware downloader posing as software installers or updates embedded in spam emails, fake forum pages, and blog comments" to spread malicious code, including software known as BatLoader. "DEV" in Microsoft nomenclature refers to a "developing" group about which little is known.
The DEV-0569 group has been using BatLoader as a Windows installer - aka MSI - tool to run "custom actions to launch malicious PowerShell activity or run batch scripts to aid in disabling security solutions and lead to the delivery of various encrypted malware payloads that is decrypted and launched with PowerShell commands," the Microsoft Security Threat Intelligence team warns in a blog post. Royal is among this malware.
Royal ransomware can be set to only partially encrypt files, cybersecurity rating firm SecurityScorecard reports. A number of ransomware strains now employ this approach, known as intermittent or partial encryption, which allows them to more rapidly leave infected systems unrecoverable, unless victims restore from backups or pay for the decryptor (see: Strike Force: Why Ransomware Groups Feel the Need for Speed).
Multiple Attackers Target Healthcare
The Royal warning follows multiple other ransomware alerts from HHS in recent months (see: Ransomware-Wielding Criminals Increasingly Hit Healthcare).
In November, HHS issued a warning that multiple groups were using Venus ransomware to hit healthcare targets, and that initial ransom demands often seemed to be set at around 1 bitcoin, which is currently worth about $17,000.
In October, HHS, the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint security alert about healthcare-targeting Daixin Team ransomware attacks, which appear to have begun in June.
Among the countermeasures federal agencies advise is locking down all remote services. Ransomware operators can target publicly exposed remote desktop services, including those running on nonstandard TCP ports. "It is vital to put these services behind a firewall," HC3 warns (see: Ransomware Attack Vectors: RDP and Phishing Still Dominate).
Using multifactor authentication wherever possible is also a must (see: Security Alert: Daixin Ransomware Targets Healthcare).