The U.S. government is sounding the alarm over the Royal ransomware campaign, which it says has targeted a number of critical infrastructure sectors throughout the United States.
In a joint advisory released on Thursday, the FBI and the U.S. cybersecurity agency CISA stated that Royal ransomware has hit a number of victims both in the U.S. and internationally, across sectors including communications, healthcare, education, and manufacturing.
Royal Ransomware is Targeting Critical Infrastructure
The alert follows a warning issued by the U.S. Department of Health and Human Services on December 1 that Royal ransomware is “aggressively” attacking providers in the U.S. healthcare sector. Royal’s leak site on the dark web currently lists Northwest Michigan Health Services and Midwest Orthopaedic Consultants as victims.
The Royal ransomware gang was first identified at the beginning of 2022. Initially it relied on third-party ransomware such as Zeon; since September it has used its own custom ransomware in its attacks.
The U.S. government warns that once the Royal actors have gained access to victim networks, via phishing emails containing malware downloaders, they “disable security software for antivirus and transfer massive amounts of data” before deploying the ransomware and encrypting systems.
Security experts believe Royal is made up of experienced ransomware actors who have been involved in previous attacks, pointing to the similarities between Royal and Conti, the prolific Russia-linked hacking organization that broke up in June 2022.
In November 2022 Royal was said to be the most prevalent ransomware, surpassing LockBit. Recent research shows that Royal was responsible for at most 19 ransomware attacks in February, behind the 51 attacks attributed to LockBit and the 22 linked to Vice Society.
Although the majority of Royal’s victims are in the United States, one of its more prominent victims was Silverstone Circuit, one of the most prestigious motor-racing circuits in the United Kingdom. Other victims claimed by the gang include ICS, an organization that provides security services for the U.S. Department of Defense, and the Dallas School District, among others.
According to the U.S. government’s advisory, the ransom demands made by Royal range between $1 million and $11 million, though it is not clear how much the operation has actually collected from its victims. The advisory also notes that Royal actors use double extortion, threatening to release the data they encrypted if a victim is unable to pay the ransom.
“In the instances that have been observed, Royal actors do not provide ransom sums or instructions for payment in the initial ransom note,” CISA and the FBI warned. “Instead, the note that appears after encryption requires the victim to interact directly with the attacker using the .onion URL,” referring to Royal’s websites on the dark web.
CISA and the FBI have published indicators of compromise for Royal ransomware, along with the tactics, techniques, and procedures they say were identified through FBI security operations up to January 2023. The agencies have advised U.S. organizations to apply the mitigations and to report any ransomware-related incidents. The advisory also states that CISA and the FBI do not encourage paying ransoms.