The Royal ransomware operation is getting a lot of attention. The U.S. government says that it targeted a number of important infrastructure sectors across the country.
In a joint statement on Thursday, the FBI and the US cybersecurity agency CISA said that the Royal ransomware has affected businesses in the industrial, communications, education, and healthcare sectors in the US and abroad.
The announcement comes after the US Department of Health and Human Services warned in December that the Royal ransomware was “aggressively” going after the US health care industry. On Royal’s dark web leak site, Northwest Michigan Health Services and Midwest Orthopaedic Consultants are named as victims.
The Royal ransomware gang was first observed in early 2022. At the time the operation used Zeon and other third-party ransomware, but since attacks began in September it has used its own custom malware.
Bad actors “disable antivirus software and exfiltrate massive amounts of data” after obtaining access to victims’ networks, usually through phishing links that deliver a malware downloader, the U.S. government advises. This is done before the ransomware is deployed and systems are encrypted.
Security experts think that Royal is made up of people who have worked with ransomware before. They have compared Royal to Conti, a well-known hacking group with ties to Russia that broke up in June 2022.
Reports say that in November 2022, Royal ransomware overtook LockBit to become the most common ransomware operation. Recent data shows that Royal was behind at least 19 ransomware outbreaks in February, while 51 attacks were attributed to LockBit and 22 to Vice Society.
Although the majority of its victims were based in the United States, one of Royal’s more notable victims was the Silverstone Circuit, one of the biggest motor racing facilities in the United Kingdom. The Dallas School District and ICS, a company that offers cybersecurity services to the US Department of Defense, are among the other victims listed by the gang.
The U.S. government’s alert claims that Royal’s ransom demands range from $1 million to $11 million, but it is still unclear how much money the operation has really collected from its victims. The warning says that bad actors also employ double extortion strategies when they threaten to make the encrypted material publicly available if the victim refuses to pay the ransom.
“In observed occurrences, the perpetrators do not include ransom amounts and payment instructions as part of the initial ransom communication,” CISA and the FBI said. Instead, the note, which appears after encryption, demands that victims communicate with the threat actor directly through .onion addresses, pointing to Royal’s dark web domains.
CISA and the FBI say that the FBI’s threat response activities helped identify known Royal ransomware indicators of compromise and the operation’s tactics, techniques, and procedures as recently as January 2023. The agencies have told businesses in the U.S. to take steps to protect themselves and to report any ransomware attacks. The advisory says that the FBI and CISA oppose paying ransom demands.