On Jan. 12, the Health Sector Cybersecurity Coordination Center (HC3) published a threat brief on Royal and BlackCat Ransomware. The groups are the latest to target the U.S. healthcare sector and are considered two of the more recent sophisticated ransomware threats.
Royal Ransomware was first observed in early 2022 and is believed to have experienced operators that previously belonged to other cybercriminal groups, including Conti Team One. The U.S. is the most targeted country for Royal Ransomware. The group uses a 64-bit executable, writes in C++, and encrypts files and appends “.royal” or “.royal.w” extensions to filenames and creates a “README.TXT” type ransom note.
The threat brief says that “Royal ransomware is a significant threat to the Healthcare and Public Health (HPH) sector due to the group victimizing the healthcare community. Royal appears to be a private group without any affiliates, maintaining financial motivation as their goal. Ransom demands range from $250,000 to over $2 million USD. The group will conduct methods seen from other operations, including deploying Cobalt Strike for persistence, harvesting credentials, and moving laterally through a system until files are encrypted.”
Key findings, according to the threat brief, for Royal Ransomware include:
- A distinctive approach to evade anti-ransomware defenses
- Multi-threaded ransomware
- Global ransomware operation
- Various methods of deployment
BlackCat Ransomware, also called ALPHV, AlphaVM, Noberus, Coreid, FIN7, and Carbon Spider, was first detected in November of 2021. The FBI reported that they compromised at least 60 victims in four months. The group writes in Rust, is highly adaptable, and operates as ransomware-as-a-service. The group conducts trip extortion and is believed to be a successor for the group Darkside/BlackMatter and is recruiting from REvil. BlackCat posts searchable data on the open web to increase leak pressure and says that “We do not attack state medical institutions, ambulances, hospitals. This rule does not apply to pharmaceutical companies, private clinics.” Yet, the threat brief says that cybercriminal gangs have broken promises to not attack healthcare in the past.
The threat brief notes that “It’s believed that BlackCat can support (and is capable
of targeting) the following operating systems:
- Windows, 7 to 11, as well as Server 2008r2, 2012, 2016, 2019, 2022 (XP and 2003 can be encrypted over Server Message Block
- ESXI (at least versions 5.5, 6.5, 7.0.2u)
- Debian (at least versions 7,8 and 9)
- Ubuntu (at least versions 18.04 and 20.04)
Mitigations and defense, according to the FBI, include reviewing domain controllers, servers, workstations, and active directories for unrecognized user accounts; regularly backing up data, air gap, and password protecting backup copies offline; reviewing task scheduler for unscheduled tasks; reviewing antivirus logs; and implementing network segmentation.