The U.S. Department of Health and Human Services (HHS) issued a new warning today for the country’s healthcare organizations regarding ongoing attacks from a relatively new operation, the Royal ransomware gang.
The Health Sector Cybersecurity Coordination Center (HC3) —HHS’ security team— revealed in a new analyst note published Wednesday that the ransomware group has been behind multiple attacks against U.S. healthcare orgs.
“Since its appearance, HC3 is aware of attacks against the Healthcare and Public Healthcare (HPH) sector,” the advisory says.
“Due to the historical nature of ransomware victimizing the healthcare community, Royal should be considered a threat to the HPH sector.”
This ransomware group is focused on targeting U.S. healthcare organizations based on past successful attacks.
Until now, Royal also claimed following each healthcare compromise that they leaked all data allegedly stolen from the victims’ networks online.
Sharp increase in activity since September
The Royal Ransomware gang is a private operation without affiliates and made up of experienced threat actors who worked for other groups.
Since September 2022, Royal operators have been quickly ramping up malicious activities, months after being first spotted in January 2022.
While initially, they used encryptors from other gangs like BlackCat, they quickly switched to using their own encryptors, the first being Zeon which generated Conti-like ransom notes.
Starting in mid-September, the ransomware gang rebranded again to “Royal” and uses a new encryptor that generates ransom notes with the same name.
Unusually for a ransomware gang, the group also uses social engineering to trick corporate victims into installing remote access software following callback phishing attacks where the attackers impersonate software providers and food delivery services.
After infecting their targets and encrypting systems on their enterprise network, Royal will demand ransom payments ranging from $250,000 to $2 million.
Another one of Royal’s uncommon tactics is using hacked Twitter accounts to tweet information on compromised targets to journalists to have the attack covered by news outlets and put additional pressure on their victims.
These tweets will be tweeted at journalists and the owners of companies, containing a link to the leaked data allegedly stolen from victims’ networks before deploying the encryptor.
Healthcare under attack
The federal government has also warned about other ransomware operations known for actively targeting healthcare organizations across the U.S.
For instance, last month, HHS warned of Venus ransomware impacting the country’s healthcare, with at least one entity known to have fallen victim to its attacks.
Previous alerts notified Healthcare and Public Health (HPH) organizations of threat actors deploying Maui and Zeppelin ransomware payloads.
A joint advisory issued by CISA, FBI, and HHS warned in October that the Daixin Team cybercrime group also targets the HPH sector in ongoing ransomware attacks.
Last but not least, Professional Finance Company Inc (PFC), a Colorado-based full-service accounts receivables management firm, shared in a data breach notification in July about a Quantum ransomware attack from late February that led to a data breach affecting 657 healthcare orgs.
However, the attack could’ve had a much more significant impact seeing that PFC helps thousands of U.S. healthcare, government, and utility organizations to ensure that customers pay their invoices on time.