Healthcare System Ransomware

The U.S. Department of Health and Human Services (HHS) has cautioned of ongoing Royal ransomware attacks targeting healthcare entities in the country.

"While most of the known ransomware operators have performed Ransomware-as-a-Service, Royal appears to be a private group without any affiliates while maintaining financial motivation as their goal," the agency's Health Sector Cybersecurity Coordination Center (HC3) said [PDF].

"The group does claim to steal data for double-extortion attacks, where they will also exfiltrate sensitive data."


Royal ransomware, per Fortinet FortiGuard Labs, is said to be active since at least the start of 2022. The malware is a 64-bit Windows executable written in C++ and is launched via the command line, indicating that it involves a human operator to trigger the infection after obtaining access to a targeted environment.

Besides deleting volume shadow copies on the system, Royal utilizes the OpenSSL cryptographic library to encrypt files to the AES standard and appends them with a ".royal" extension.

The ransomware "expands the concept of partial encryption, which means it has the ability to encrypt a predetermined portion of the file content and base its partial encryption on a flexible percentage encryption, which makes detection more challenging for anti-ransomware solutions," Cybereason disclosed in a new analysis.

"Royal ransomware employs multiple threads in order to accelerate the encryption process," the cybersecurity company further added.

Last month, Microsoft disclosed that a group it's tracking under the name DEV-0569 has been observed deploying the ransomware family through a variety of methods.

This includes malicious links delivered to victims by means of malicious ads, fake forum pages, blog comments, or through phishing emails that lead to rogue installer files for legitimate apps like Microsoft Teams or Zoom.

The files are known to harbor a malware downloader dubbed BATLOADER, which is then used to deliver a wide variety of payloads such as Gozi, Vidar, and BumbleBee, in addition to abusing genuine remote management tools like Syncro to deploy Cobalt Strike for subsequent ransomware deployment.

The ransomware gang, despite its emergence only this year, is believed to comprise experienced actors from other operations, indicative of the ever-evolving nature of the threat landscape.

"Originally, the ransomware operation used BlackCat's encryptor, but eventually started using Zeon, which generated a ransomware note that was identified as being similar to Conti's," the HHS said. "This note was later changed to Royal in September 2022."

The agency further noted that Royal ransomware attacks on healthcare have primarily focused on organizations in the U.S., with payment demands ranging from $250,000 to $2 million.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.