The US government is sounding the alarm about the Royal ransomware operation, which it says has targeted numerous critical infrastructure sectors across the United States.
In a joint notice released Thursday, the FBI and the US cybersecurity agency CISA said Royal ransomware has claimed multiple victims in the US and internationally, including manufacturing, communications, education and healthcare organizations.
The warning comes after the US Department of Health and Human Services warned in December that Royal ransomware was “aggressively” targeting the US healthcare sector. Royal’s dark web leak site currently lists Northwest Michigan Health Services and Midwest Orthopedic Consultants among its victims.
The Royal ransomware gang was first observed in early 2022. At the time, the operation relied on third-party ransomware, such as Zeon, but it has deployed its own custom ransomware in attacks since September 2022.
The US government warns that after gaining access to victims’ networks, typically via phishing links that deliver a malware downloader, Royal actors “disable antivirus software and exfiltrate large amounts of data” before deploying the ransomware and encrypting systems.
Security experts believe Royal is made up of experienced ransomware actors from previous operations, noting similarities between Royal and Conti, a prolific Russia-linked hacking group that disbanded in June 2022.
In November 2022, Royal ransomware was reported to be the most prolific ransomware operation, surpassing LockBit. Recent data shows that Royal was responsible for at least 19 ransomware attacks in February, behind 51 attacks attributed to LockBit and 22 attacks linked to Vice Society.
Although most of Royal’s victims are based in the United States, one of its most high-profile victims was the Silverstone Circuit, one of the largest motor racing circuits in the United Kingdom. Other victims claimed by the gang include ICS, an organization that provides cybersecurity services to the US Department of Defense, the Dallas school district and others.
According to the US government notice, the ransom demands made by Royal range from $1 million to $11 million, but it is still unclear how much the operation has earned from its victims. The notice adds that Royal actors also engage in double extortion tactics, threatening to publish the data they exfiltrated before encryption if the victim does not pay the ransom, so that restoring from backups alone does not end the extortion.
“In the observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note,” CISA and the FBI warned. “Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via an .onion URL,” referring to Royal’s dark web sites.
CISA and the FBI have released known indicators of compromise (IOCs) and the tactics, techniques and procedures (TTPs) of the Royal operation, which the agencies say were identified through FBI threat response activities in January 2023. The agencies have advised US organizations to apply the listed mitigations and to report any ransomware incidents. The notice states that CISA and the FBI do not encourage the payment of ransom demands.
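The one concrete artefact the notice describes is the ransom note itself: it appears after encryption, carries no amount or payment instructions, and points the victim at a Tor .onion URL. That makes "small text file containing a .onion address" a cheap triage signal when checking whether a host has already been encrypted. The script below is an added example, not code from the advisory or from this article; the note text, the file names and the all-"a" onion address in it are constructed for the example and are not real Royal artefacts.

```python
"""Triage helper: flag candidate ransom notes by looking for Tor .onion URLs.

Added example, not from the CISA/FBI notice. The sample note and onion address
below are constructed for this demo and are not real Royal indicators.
"""
import re
import tempfile
from pathlib import Path

# Tor v3 onion hostnames are 56 base32 characters; the retired v2 form was 16.
# Match either, case-insensitively, and require a word boundary on both sides.
ONION_RE = re.compile(r"\b(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.IGNORECASE)

# Ransom notes are small; skip anything larger to avoid reading binaries.
MAX_NOTE_BYTES = 64 * 1024

# Constructed fake address: 56 'a's is syntactically a v3 onion name but is
# not a real service. Used only to exercise the regex.
FAKE_ONION = "a" * 56 + ".onion"

# Constructed sample note modelled on the behaviour described in the notice:
# no amount, no payment instructions, only a Tor contact URL.
SAMPLE_NOTE = (
    "Your network has been encrypted.\n"
    "There is no price in this note. To negotiate, contact us via Tor:\n"
    "http://" + FAKE_ONION + "/\n"
)


def find_onion_urls(text: str) -> list:
    """Return the distinct .onion hostnames found in text, in order of appearance."""
    seen = []
    for m in ONION_RE.finditer(text):
        host = m.group(0).lower()
        if host not in seen:
            seen.append(host)
    return seen


def scan_tree(root) -> dict:
    """Walk root and map each small text file containing an .onion URL to its hits.

    Keys are paths relative to root (as strings) so results are stable across runs.
    """
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.stat().st_size > MAX_NOTE_BYTES:
            continue
        # Notes may be UTF-8 or UTF-16; ignore undecodable bytes rather than fail.
        text = path.read_text(errors="ignore")
        urls = find_onion_urls(text)
        if urls:
            hits[str(path.relative_to(root))] = urls
    return hits


def demo() -> dict:
    """Build a throwaway directory with one note and one benign file, then scan it.

    The file names are hypothetical; Royal's real note name is not given in the
    notice or the article.
    """
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "README_FOR_RESTORE.txt").write_text(SAMPLE_NOTE)
        (Path(tmp) / "invoice.txt").write_text("Q1 invoice, nothing unusual here.\n")
        return scan_tree(tmp)


if __name__ == "__main__":
    for name, urls in demo().items():
        print(f"{name}: {', '.join(urls)}")
```

Run it against a mounted image or a suspect host's user profile by calling `scan_tree("/path")`; a hit is a reason to pull the file into the incident timeline and compare it with the IOCs in the advisory, not proof on its own, since legitimate documents can also mention onion services.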