Chris Swagler | March 8th, 2023

CISA and the FBI have released a joint advisory about the growing threat posed by Royal ransomware attacks targeting numerous critical infrastructure sectors in the United States, including healthcare, communications, and education. The advisory follows one issued by the Department of Health and Human Services (HHS), disclosed by its security team in December 2022, which stated that the ransomware operation was connected to various attacks against United States healthcare companies. The FBI and CISA published indicators of compromise and a list of associated tactics, techniques, and procedures (TTPs) that can assist defenders in detecting and blocking efforts to deploy Royal ransomware payloads on their networks. CISA, the United States’ cybersecurity agency, is encouraging network defenders to evaluate and implement the provided mitigations.

The federal agencies urge all companies that may be targeted to take tangible steps to defend themselves against the growing ransomware threat. Enterprise administrators need to begin protecting their companies’ networks by prioritizing the remediation of any known vulnerabilities that threat operators have already exploited. Additionally, it’s critical to train employees to detect and report phishing efforts. Cybersecurity defenses can be strengthened further by implementing and enforcing multi-factor authentication (MFA), which makes it considerably more difficult for threat operators to gain access to sensitive systems and data. Samples supplied to the ID-Ransomware platform for examination show that the company-targeting group has been increasingly active since late January, underscoring the ransomware operation’s massive impact on its victims.

Although the FBI warns that paying ransoms will likely encourage additional cybercriminals to join the attacks, victims are encouraged to report Royal ransomware incidents to their local FBI field office or CISA whether or not they have paid the ransom. Any additional information will assist in collecting the critical data required to track the ransomware group’s activity, prevent future attacks, and hold the threat operators accountable for their actions. Royal ransomware is a private operation composed of highly skilled threat actors who have previously worked with the well-known Conti cybercrime group. Despite being discovered in January 2022, their malicious activities have only increased in frequency since September. Although they first used encryptors from other groups, including BlackCat, they have subsequently switched to their own. Zeon was the first, which used ransom notes identical to Conti’s; however, they moved to a new encryptor in mid-September after rebranding as “Royal.”

Recently, the malware has been updated to encrypt Linux systems, targeting VMware ESXi virtual machines. Royal operators encrypt companies’ systems and demand large ransom payments ranging from $250,000 to millions per attack. Additionally, the ransomware operation stands out from the norm because it uses social engineering to trick company victims into installing remote access software as part of callback phishing campaigns in which the operators pose as software vendors and food delivery services. The group adopts a unique method of using breached Twitter accounts to tweet details of compromised targets to journalists in the hope of attracting news coverage and increasing pressure on their victims. The tweets include a link to leaked data that the group reportedly collected from victims’ networks before encrypting them.

With the increasing threats from ransomware groups, including the Royal ransomware group, it’s important for companies to remain vigilant about the current threat landscape and regularly update their data network security framework. At SpearTip, our rapid response and investigative teams are prepared 24/7/365 at our Security Operations Center to immediately interrupt any intrusion and quickly restore companies’ normal business operations. In the event of a cyberattack, our team will focus on restoring companies’ business operations quickly, comprehensively, and with clear communication. The ShadowSpear Platform, our unparalleled integrable EDR tool, was built for incident response and immediately resolves vulnerabilities. SpearTip’s comprehensive suite of advisory services will optimize the cyber maturity of your organization, reduce the risk of a cyber incident from occurring in the first place, and ensure organizations don’t suffer the damaging impacts of downtime or data compromise.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.