In a recent joint advisory, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) highlighted the increasing threat of ongoing attacks by the Royal ransomware gang targeting many critical US infrastructure sectors, including education, healthcare and communications.
The notification follows an advisory that was issued by the US Department of Health and Human Services (HHS). Last December, its security team revealed that the infamous ransomware group had been connected to multiple attacks against healthcare organisations across the country.
The CISA website’s official alerts and statements page also has a host of advisories for ransomware.
Ransomware risks underlined
In response to the statement from HHS, the CISA and FBI shared some tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) that could assist defenders in detecting and blocking attempts to drop Royal ransomware payloads on enterprise networks. The agencies encouraged all network defenders to examine the document and apply the mitigations advised.
Additionally, the agencies are requesting that all organisations at risk of becoming targets take solid steps to safeguard their systems against the increasing threat of ransomware. To protect their organisations’ networks, admins can begin by prioritising the remediation of all known vulnerabilities that attackers have exploited already.
Training staff to spot and swiftly report phishing attempts efficiently is also vital. Cybersecurity defences can be hardened further by activating and enforcing two-factor and multi-factor authentication, making it more difficult for attackers to penetrate sensitive systems and gain access to data.
Request for reports on Royal ransomware
Despite the FBI stating that paying ransoms is likely to encourage other threat operators to join the attacks, it is urging victims to report any Royal ransomware incidents to either themselves or CISA, regardless of whether they acquiesced and paid the ransom or refused.
Any further information will help the agencies collect critical data required to keep track of the threat operator’s activity, assist in stopping further attacks, and hold the gang accountable for its actions.
The Royal ransomware gang is a private operation that is made up of highly experienced malicious actors who were previously known for working with the infamous Conti cybercrime gang. Royal’s malicious campaigns have only seen a single spike in activity since back in September but were first detected last year in January.
To start with, the gang initially used encryptors employed by other operations such as BlackCat, but have since moved on to devise their own unique solutions.
The first of these was called Zeon. It generated similar ransom notes to those deployed by the Conti gang, but by mid-September, the gang had switched to a brand-new encryptor rebranded as “Royal”.
Royal threat operators encrypt their victim’s systems and then demand huge ransom payments, which range from $250,000 up to tens of millions.
The gang also distinguishes itself from the other operations because of its social engineering tactics, which are deployed to deceive corporate targets into downloading remote access software during call-back phishing attacks. These ploys involve Royal ransomware operators impersonating a range of vendors that the company deals with, including food delivery companies and software providers.
Protect your organisation from ransomware attacks
Ransomware is a dangerous and disruptive method of terrorising organisations while trying to exploit them. The best way to counter this method of attacks is to encrypt data and make backups of it. Encrypting data means that only the designated recipients can decrypt and access the data so that threat operators can’t leak it and cause your organisation a huge data breach, while backups of data will mean that even if threat operators take hold of this (pretty useless to anyone but you) encrypted data you will still have recent versions to access and get back on track with.
Galaxkey have created a state-of-the-art and easy to use platform that allows your organisation to encrypt data, in transit and at rest, with just a couple clicks. Get a demonstration today to see how we can help you.
