FBI, CISA and HHS warns of Royal ransomware gang attacks

March 14, 2023 - TuxCare PR Team

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning about a new ransomware gang known as Royal ransomware. The ransomware is a type of malicious software that encrypts a victim’s computer files and demands payment in order to unlock them. The Royal ransomware works in a similar manner.

The warning follows an earlier warning from the Department of Health and Human Services, which stated that human-operated ransomware attacks are heavily targeting the healthcare sector, following a three-month increase in the rate of attacks and ransom demands of up to $2 million.

To infect the computer with ransomware, the attackers send spear-phishing emails or exploit vulnerabilities in the victim’s system. After infecting the system, it encrypts the files, making them inaccessible.

The attackers then demand payment in exchange for a decryption key that will allow them to regain access. The most recent Bitcoin demands have ranged from about $1 million to $11 million. However, royal threat actors do not include the ransoms in the initial ransom note. Victims are instead required to interact with the actors via a.onion URL.

Royal has made Bitcoin ransom demands ranging from $1 million to $11 million. However, the warning stated that the group does not include ransom amounts and payment instructions in its initial ransom notes. Instead, the ransom note instructs victims to contact a Royal member directly via a secure URL accessible via the encrypted Tor browser.

According to the FBI and CISA, Royal is beefing up its operations and broadening its scope beyond healthcare providers, with the manufacturing, education, and communications industries all suspected of being additional targets. Since September of last year, cybercriminals have been using a Royal ransomware variant to infiltrate organizations across the United States, many of which are healthcare providers.

Royal tactics are similar to other types of ransomware. Before deploying the ransomware, the actors disable antivirus software and exfiltrate large amounts of data from the network. Data is stolen “by repurposing legitimate cyber pen-testing tools like Cobalt Strike, as well as malware tools and derivatives like Ursnif/Gozi.”

Royal members disable antivirus software after gaining access to an organization’s network. According to the FBI and CISA, the cybercriminals then “exfiltrate large amounts of data” before deploying ransomware and encrypting their victims’ systems. The majority of attacks use phishing emails with malicious PDF documents as the primary access method. Remote Desktop Protocol (RDP) compromise is the second most common attack vector, followed by exploiting public-facing applications and using brokers to gain initial access and source traffic to harvest virtual private network (VPN) credentials.

Once access is gained, Royal members use repurposed, legitimate Windows software to bolster their network presence. Researchers have also observed the group using open-source projects, such as Chisel, a tunneling tool, to aid in intrusion activities.

The sources for this piece include an article in SCMagazine.

Summary