“HHS Warns Royal Ransomware Threat Targeting Healthcare Providers”

The Department of Health and Human Services (HHS) Cybersecurity Coordination Center has been made aware of targeted cyberattacks against the healthcare sector since the emergence of the human-operated ransomware threat group known as Royal in September. Over the last three months, the number of Royal-based attacks has steadily increased, with ransom demands ranging from $250,000 to more than $2 million. Analyses of successful healthcare compromises confirm that the group appears to be focused on organizations in the US. Furthermore, Royal claims to have published 100 percent of the data allegedly extracted from the victim in each of these exploits. Like most ransomware groups, Royal has been observed exfiltrating sensitive data, deploying Cobalt Strike for persistence, harvesting credentials, and moving laterally through a system until it eventually encrypts the files. According to HHS, Royal should be considered a threat to the health and public health sectors because of the history of ransomware victimizing the healthcare community. The group appears to be a private organization with no affiliate partners, and it does not provide Ransomware-as-a-Service (RaaS). According to HHS, multiple actors are spreading Royal ransomware, which is also distributed via DEV-0569. According to a Microsoft analysis, DEV-0569 relies heavily on malvertising, and on phishing links that point to a malware downloader posing as software installers or updates, embedded in spam emails, fake forum pages, and blog comments. In one attack method, the threat was observed using contact forms on the targeted entity's website to deliver phishing links. This article continues to discuss HC3's warning about the Royal ransomware targeting the healthcare sector.

SC Media reports “HHS Warns Royal Ransomware Threat Targeting Healthcare Providers”