Newish ransomware gang Royal has been spotted targeting the healthcare sector, the US Department of Health and Human Services (HHS) has said.

The crew emerged this year, and follows the standard double extortionware playbook: it steals data from infected networks, encrypts those files, and then demands a fee to recover the data and to also not publicly leak the documents.

In a security bulletin this week HHS told healthcare organizations to be on alert. After Royal gangsters compromise a victim’s network, they typically demand organizations cough up between $250,000 to more than $2 million each, we’re told.

“Additionally, on previous Royal compromises that have impacted the [health-care and public health-care] sector, they have primarily appeared to be focused on organizations in the United States.” HHS noted [PDF]. “In each of these events, the threat actor has claimed to have published 100 percent of the data that was allegedly extracted from the victim.”

Unsurprisingly, the criminals’ motivation is financial gain. 

The gang “appears to be a private group,” as opposed to a ransomware-as-a-service operation with affiliates, HHS added. “Royal is an operation that appears to consist of experienced actors from other groups, as there have been observed elements from previous ransomware operations,” according to the security bulletin. 

While the crooks earlier used BlackCat’s encryptor, at some point they switched to Zeon, which generated a ransom note similar to Conti’s. The note changed to Royal in September.

The ransom note makes it clear that if the demands are ignored, the gang will leak onto the dark web customer and employee records and other data stolen from the network – and that could include people’s sensitive, personal info, such as medical files and passports, as well as proprietary materials.

According to an earlier analysis by Fortinet, the ransomware is a 64-bit Windows executable written in C++. “It is launched via command line, suggesting that it is designed to be run via an operator after access to an environment is provided through another method,” the security firm noted.

Additionally, the gang doesn’t seem to have a preferred initial access vector, but rather chooses its point of entry based on the victim.

Once deployed, the malware gets to work deleting all volume shadow copies to ensure victims can’t easily recover their files. 

Royal uses the OpenSSL library to encrypt files with the AES algorithm; and it renames the files and gives them a “.royal” extension. Meanwhile, the key and IV are encrypted with an RSA public key, which is hardcoded into the executable, we’re told.

In an alert last month, Microsoft said its team recently observed a crew it calls DEV-0569 deploying Royal ransomware.

“DEV-0569 notably relies on malvertising, phishing links that point to a malware downloader posing as software installers or updates embedded in spam emails, fake forum pages, and blog comments,” Redmond noted.

The Royal ransomware alert is HHS’ second such security bulletin in as many weeks. Last week, the agency warned healthcare organizations about the Cuba ransomware gang, following an FBI and CISA advisory about that crime ring. 

The Cuba gang has hit more than 100 organizations worldwide, demanding over $145 million in payments and successfully extorting at least $60 million since August, and it continues to target critical infrastructure including healthcare.

“Due to the nature of the threat actors targets, they pose a threat to the Healthcare and Public Healthcare (HPH) sector,” HHS said [PDF] in its December 2 alert. ®

Leave a Reply