The US Department of Health and Human Services (HHS) warned the healthcare community about human-operated Royal ransomware that has been used to attack the sector since 2022.
First observed in early 2022, Royal ransomware has been used to extort money from victims. Following the initial infection, the ransomware group would demand a ransom ranging from $250,000 to over $2 million.
According to HHS, Royal seems to be a private threat group with no existing affiliations, motivated primarily by financial gain.
“The group does claim to steal data for double-extortion attacks, where they will also exfiltrate sensitive data,” the report adds.
Although the gang started by deploying BlackCat’s encryptors, it eventually moved to its own, Zeon, which generated a ransom note that was identified as being similar to Conti’s. It now uses a new encryptor that generates a ransom note with the gang’s name.
The malware can either fully or partially encrypt a file based on certain parameters, such as its size and the ‘-ep’ parameter. Following the encryption, it will change the extension of the files to “.royal.”
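For defenders, the “.royal” extension change is a cheap behavioral signal. The following is an added example, not code from HHS, Microsoft or the article: it flags hosts that rename several files to “.royal” within a short window. The log format, host names, threshold and window are assumptions made for illustration.

```python
from collections import defaultdict, deque
from pathlib import PureWindowsPath

ROYAL_EXT = ".royal"  # extension the article says encrypted files receive

# Constructed sample in an assumed format: epoch|host|old_path|new_path
SAMPLE_LOG = r"""
1670000000|ward-pc7|C:\scans\ct_001.dcm|C:\scans\ct_001.dcm.royal
1670000004|ward-pc7|C:\scans\ct_002.dcm|C:\scans\ct_002.dcm.royal
1670000007|lab-pc2|C:\docs\royal_visit.txt|C:\docs\visit.txt
1670000009|ward-pc7|C:\scans\ct_003.dcm|C:\scans\ct_003.DCM.ROYAL
1670003000|lab-pc2|C:\docs\a.txt|C:\docs\a.txt.royal
"""

def parse_events(text):
    """Yield (timestamp, host, old_path, new_path) from the assumed format."""
    for line in text.strip().splitlines():
        ts, host, old, new = line.split("|")
        yield int(ts), host, old, new

def is_royal_rename(old, new):
    """True when a file gains the .royal extension it did not have before."""
    had = PureWindowsPath(old).suffix.lower() == ROYAL_EXT
    has = PureWindowsPath(new).suffix.lower() == ROYAL_EXT
    return has and not had

def detect_royal_bursts(events, threshold=3, window=60):
    """Return {host: time of first alert} for hosts with at least
    `threshold` renames to .royal inside any `window`-second span."""
    recent = defaultdict(deque)  # host -> timestamps of recent matches
    alerts = {}
    for ts, host, old, new in sorted(events):
        if not is_royal_rename(old, new):
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # drop matches older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts

if __name__ == "__main__":
    for host, ts in detect_royal_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {host}: burst of {ROYAL_EXT} renames at {ts}")
```

A single rename is not enough to alert at the default threshold, which keeps one-off files that happen to carry the extension from paging anyone.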
Although a variety of groups have been delivering Royal ransomware, it has also been distributed by DEV-0569, according to Microsoft. The gang has been embedding malicious links in malvertising, phishing emails, fake forums, and blog comments.
“In addition, Microsoft researchers have identified changes in their delivery method to start using malvertising in Google ads, utilizing an organization’s contact forum that can bypass email protections, and placing malicious installer files on legitimate looking software sites and repositories,” the report adds.
Royal operators have been primarily targeting US healthcare organizations, typically claiming to have published 100% of the illegally obtained data.