The United States Department of Health and Human Services (HHS) recently issued a warning to the nation’s healthcare organisations regarding continuing attacks from a relatively new ransomware operation. The gang known as Royal Ransomware is yet another threat actor deploying crypto-ransomware in attempts to cause chaos and turn a profit.

The HHS’s security team, Health Sector Cybersecurity Coordination Centre, or HC3 for short, recently revealed in a published note that the ransomware group is responsible for several attacks against healthcare organisations in the US.

The advisory read:

“Since its appearance, HC3 is aware of attacks against the Healthcare and Public Healthcare (HPH) sector. Due to the historical nature of ransomware victimising the healthcare community, Royal should be considered a threat to the HPH sector.”

The relatively new ransomware group mainly targets U.S. healthcare organisations, emboldened by the success of attacks it has executed in the past.

So far, after each healthcare compromise, Royal Ransomware has also claimed to have leaked online all of the patient health data it allegedly stole from its victims’ networks.

Increased malicious activity

The Royal Ransomware outfit is a private group with no known affiliates, made up of experienced threat operators who have worked for other successful operations.

Royal ransomware operators, first detected at work in January 2022, have been ramping up their malicious activities since September of that year.

Initially, the gang used encryptors from other ransomware operations, such as BlackCat, but they swiftly switched to encryptors of their own. The first of these was Zeon, which generated ransom notes comparable to those used by the nefarious Conti ransomware gang.

From mid-September, the gang rebranded themselves as “Royal” and started using a brand-new encryptor that generates ransom notes of the same name.

Techniques and tactics

Unusually for a ransomware gang, the operation also employs social engineering tactics. Through call-back phishing attacks, they trick corporate targets into downloading and executing remote access software; in these attacks, the operators impersonate food delivery services and software providers.

After it has infected a target and encrypted its enterprise network systems, the Royal Ransomware gang demands ransoms ranging from $250,000 to $2 million.

One of Royal’s other uncommon tactics is the use of hacked Twitter accounts to tweet information about compromised targets at journalists, ensuring the attack is covered by major news outlets. The aim of this manoeuvre is to put extra pressure on victims, creating leverage to force a ransom payment.

These tweets are sent to both journalists and company owners. They contain a dedicated link to the leaked information allegedly stolen from victim networks during exfiltration, which takes place before the encryptor is deployed and locks firms out of their data and operating systems.

The federal government has issued warnings about other known ransomware operations that actively target healthcare organisations in the US.

For example, last month it warned of the Venus ransomware threat impacting the nation’s healthcare sector. At least one organisation is known to have fallen victim to its attacks.