The US healthcare sector continues to be aggressively targeted by ransomware operators. Royal and BlackCat are two of the more recent – and highly sophisticated – ransomware threats. These two new flavors of ransomware pose serious potential impacts on the healthcare sector, but there are appropriate mitigation and defense strategies that organizations can take to protect against them.
What is Royal Ransomware?
Royal Ransomware first reared its ugly head in early 2022 and, since then, has continued to make headlines with its nefarious acts. The Royal cybercriminal group employs typically devious techniques to breach networks, encrypting them with malware and demanding ransom payments. According to the Cybersecurity & Infrastructure Security Agency (CISA), the group has also engaged in data exfiltration to increase the chances of fulfilling their ransom request. To date, Royal’s operators have focused their attacks on US-based entities, demanding ransoms ranging from $250,000 to over $2 million from its victims.
By November 2022, Royal had shifted its malicious activities into high gear, claiming responsibility for a ransomware attack on the UK’s popular racing circuit, Silverstone, that disrupted dozens of Formula One races and motorcycle events. The following month, Royal launched an attack on property appraisal agency Travis Central Appraisal, paralyzing its servers, website, and email for over two weeks.
Royal ransomware is written in C++, targets Windows operating systems, and is a 64-bit executable. The malware is distributed via malicious attachments, malvertising, and fake forums. Royal operators may also use contact forms located on an organization’s website to distribute phishing links. Callback phishing is another element of their strategy – communications to victims often include fake call center numbers manned by members of their team who then use social engineering tactics to lure targets into installing remote access software. To help evade early detection, Royal ransomware operators utilize a partial encryption approach that allows them to specify a variable percentage of data to encrypt in larger files. This makes the overall encryption mechanism much faster.
Royal actors append ".royal or ".royal_w" extensions to filenames and leave a ransom note entitled "README.TXT.” They’re also not shy and engage in double extortion tactics – threatening to publicly release data if victims fail to pay the ransom.
What Risk Does Royal Ransomware Pose to Healthcare Organizations?
The healthcare industry has long been a popular target for cybercriminals. In the first half of 2022 alone, 324 attacks against healthcare organizations were reported. It is reasonable to expect that Royal will soon set its sights firmly set on this sector.
Recent commentary and advisories issued by authorities support this argument. In December 2022, the Department of Health and Human Services Cybersecurity Coordination Center (HC3) warned that Royal-based ransomware attacks were on the rise and that Royal “should be considered a threat to the HPH sector.” And in early March, the FBI and US cybersecurity agency CISA issued a joint advisory confirming that “Royal actors have targeted numerous critical infrastructure sectors including, but not limited to, Manufacturing, Communications, Healthcare and Public Healthcare (HPH), and Education.”
Moreover, evidence of some familiar tactics and techniques in Royal ransomware attacks on healthcare organizations have led researchers to believe its operators may be former members of another infamous cybercriminal gang, the Conti Team One, renowned for victimizing this sector:
- Royal’s ransom notes bear a striking resemblance to those left by Conti.
- Royal makes use of its own Zeon encryptor, the type used to impersonate healthcare patient data software entities in October 2022. The Zeon Group is one of three gangs that formed after the dissolution of Conti, and, like Royal, it has a history of luring its victims by setting up malicious call centers.
What is BlackCat Ransomware?
BlackCat Ransomware – also known as AlphaVM, AlphaV, or ALPHV – was first detected in November 2021. It’s believed to be the first breed of Ransomware-as-a-Service (RaaS) to be written in the cross-platform language Rust, making it easily customizable for diverse operating systems and enterprise environments.
Its operators have used the malware to execute a string of successful, high-profile attacks, many of which involved triple extortion tactics, where they deployed ransomware, threatened to expose exfiltrated data, and launched DDoS attacks against their victims.
In an alert published in April 2022, the FBI revealed that BlackCat had compromised at least 60 victims in four months and that several BlackCat operators, developers, and affiliates have ties to now-defunct RaaS gangs, DarkSide, and BlackMatter.
According to a January 2023 advisory from the HC3, BlackCat ransomware is a successor to REvil, which is linked to Russian hackers. The group typically demands ransoms of up to $1.5 million, with affiliates keeping the lion’s share of ransom fees.
Perhaps most concerning is that BlackCat is believed to be the first cyber gang to set up a data leaks website on the public internet, as opposed to on the dark web. Their rationale is to prove to their victims that their data has been compromised, making them more likely to concede to the ransom demands.
Why is BlackCat a Threat to Healthcare?
BlackCat poses a clear and present danger to the healthcare sector, as it’s been observed in multiple recent attacks targeting healthcare providers, such as hospitals and clinics. In February 2023, a Pennsylvania-based health network disclosed that it had suffered an attack from BlackCat and that the perpetrators had released clinical images of cancer patients receiving radiation oncology treatment and had published several documents containing patient information online.
An electronic health records vendor and a pharmacy management services firm are also purportedly recent healthcare sector victims listed on BlackCat's data leaks site.
While the BlackCat group claims, “We do not attack state medical institutions, ambulances, hospitals. This rule does not apply to pharmaceutical companies, private clinics”, history has shown that it’s not uncommon for cybercriminals to abandon such pledges.
Healthcare Supply Chain Threats
While healthcare facilities need to be aware of direct threats to their operations posed by sophisticated ransomware campaigns, they should also be mindful of the risk of attacks targeting less-secure portions of their supply chains. For example, many healthcare organizations engage third party providers to handle their electronic medical records. It’s not uncommon for threat actors to target these third parties and exfiltrate sensitive patient data stored in their systems.
In the first half of 2022, 15% of data breaches were attributable to medical supply chain associates, including record providers, consultants, billing companies, cloud services, web hosting services, and medical device manufacturers.
Strategies for Building Healthcare Cyber-resilience
Healthcare organizations can harden their environments and better defend against potentially devastating ransomware attacks by:
- Developing a comprehensive risk management strategy and incident response plan so they know exactly which systems and data need to be protected, and what to do in the event of a breach.
- Regularly reviewing domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
- Installing a VPN and implementing network segmentation.
- Ensuring only authorized administrators can install the software.
- Installing updates and deploying patches to operating systems, software, and firmware as they become available.
- Using multifactor authentication and ensuring users cannot reuse passwords for different accounts.
- Scrutinizing administrative privileges and configuring access controls with the least privileges in mind.
- Installing and regularly updating anti-malware software on all systems.
- Disabling hyperlinks in incoming emails.
- Keeping multiple copies of sensitive data in a physically separate, segmented, secure location.
- Ensuring that every player in their supply chain ecosystem can demonstrate a corresponding, high level of cyber-hygiene within their own operations.
Ransomware variants continue to grow in scope and sophistication. Its creators and affiliates work quietly behind the scenes 24/7, integrating new techniques and strategies into their design paradigms. The Royal and BlackCat ransomware strains are most certainly a product of this nefarious underworld.
For healthcare providers, the stakes have never been higher.
In the face of ever-evolving ransomware threats, healthcare organizations’ business strategies must be security-conscious at every layer. This means understanding how malware can be disguised and where the weak points in their systems might be. In addition, each new program or initiative must have the appropriate security measures embedded from the start so that the organization remains on the front foot in the face of new iterations of ransomware.
About the Tripwire Guest Author:
Elizabeth Davies is a seasoned technology writer and content development professional with a passion for cybersecurity topics. Elizabeth holds a master's degree in English Literature (Cum Laude) and over two decades' experience in corporate and freelance roles.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.