Royal ransomware has healthcare institutions as its main target

Security Alerts
Sheila Zabeu -

December 14, 2022

New ransomware is threatening the healthcare industry. Called Royal, the virtual plague was first observed in September 2022 and has already demanded ransoms in the millions of dollars, according to an alert from the US Department of Health and Human Services (HHS). For now, the attacks have been concentrated on US healthcare organizations.

The Royal ransomware operation appears to bring together experienced actors from other groups. Although most known ransomware operators use the Ransomware-as-a-Service scheme, Royal has the characteristics of an unaffiliated private group with a financial motivation. The group claims to steal data for double extortion attacks, meaning that in addition to collecting ransom, it also threatens to leak confidential data.

After breaking into victims’ networks, the operators perform activities commonly seen in other operations, such as deploying tools to remotely access and manage infected systems, collecting credentials, moving laterally, and encrypting files.

The ransom note is dropped in a README.TXT file, which also contains a link to the negotiation page.

Multiple actors have spread Royal ransomware, but a Microsoft report highlights recent activity from a specific group that the company tracks as DEV-0569. DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads. DEV-0569 primarily uses “malvertising” and phishing links that point to a malware downloader posing as a legitimate software installer or update, delivered through spam emails, fake forum pages, and blog comments. In recent months, tweaks to these methods have also been observed, including the use of contact forms, hosting files on fake download sites, and expanding malvertising using Google Ads.

Other recent attacks on healthcare companies have come from Venus, Maui, and the Daixin Team.

Beyond the financial damage, the actions of ransomware actors against healthcare institutions have disrupted procedures and treatments. A recent example occurred in France, where a hospital was forced to transfer patients after an attack by cybercriminals.

The André-Mignot teaching hospital in the suburbs of Paris had to switch off phones and computers because of a ransomware attack. It had to partially cancel operations and transfer six patients from the neonatal and intensive care units to other healthcare organizations. According to the institution, the attackers demanded ransom.

The recommendation of the HHS and other entities such as the FBI and CISA (the United States Cybersecurity and Infrastructure Security Agency) is not to pay ransoms, partly because payment guarantees neither the recovery of encrypted files nor that stolen data will not be leaked later. In addition, paying ransoms encourages cybercriminals to continue and funds further illicit activity. For organizations and individuals who fall victim to ransomware, the FBI maintains a page through which samples of ransomware activity can be submitted.

State of cybersecurity health

When we consider the state of health of global cybersecurity, we would venture to say that it is critical and needs special care. And when we narrow that question to medical companies, the picture appears even worse.

A recent Sophos study conducted in early 2022 revealed an increasing rate of ransomware attacks on the healthcare industry, reflecting an increasingly complex threat environment. These attacks have almost doubled – 66% of healthcare organizations surveyed were hit by ransomware in 2021, up from 34% in 2020. The scenario also appears harder to deal with, as respondents reported an increase in the perceived volume (69%) and complexity (67%) of cyberattacks, and the second-highest increase in their impact (59%).

In addition, healthcare is more likely to pay ransoms to recover encrypted data, ranking first in the study with 61% of respondents, compared to the global average of 46%. This share is almost double the 34% who paid a ransom in 2020.

Healthcare companies that paid the ransom recovered only 65% of their data in 2021, down from the 69% reported in 2020. In addition, only 2% of those that paid in 2021 recovered all of their data, down from 8% in 2020.

Long recovery times have also hit the healthcare sector – 44% of organizations that suffered an attack in 2021 took up to a week to recover, while 25% took up to a month.