The U.S. Department of Health and Human Services (HHS) has warned of ongoing Royal ransomware attacks targeting healthcare entities in the country.
“While most of the known ransomware operators have performed Ransomware-as-a-Service, Royal appears to be a private group without any affiliates while maintaining financial motivation as their goal,” the agency’s Health Sector Cybersecurity Coordination Center (HC3) said [PDF].
“The group does claim to steal data for double-extortion attacks, where they will also exfiltrate sensitive data.”
Royal ransomware, per Fortinet FortiGuard Labs, is believed to have been active since at least the start of 2022. The malware is a 64-bit Windows executable written in C++ and is launched from the command line, indicating that a human operator triggers the infection after gaining access to the targeted environment.
Besides deleting volume shadow copies on the system, Royal uses the OpenSSL cryptographic library to encrypt files with AES and appends a “.royal” extension to them.
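As an added example, not taken from the HC3 report or from the article, the following Python helper flags the two observable behaviours described above in constructed telemetry: shadow copy deletion in process-creation events and the “.royal” extension on file paths. The specific shadow-copy deletion command patterns (vssadmin, wmic, Win32_ShadowCopy) and the sample events and paths are assumptions for illustration; the article states only that Royal deletes shadow copies, not which command it uses.

```python
import re
from collections import Counter

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-01", "cmdline": "wmic shadowcopy delete"},
    {"host": "ws-02", "cmdline": "vssadmin.exe list shadows"},
    {"host": "ws-02", "cmdline": "cmd.exe /c dir C:\\Users"},
]

# Constructed sample file paths (not real telemetry).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.royal",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Shares\finance\q3.docx.royal",
    r"C:\Users\bob\royal_family_tree.txt",  # contains "royal" but not as an extension
]

# Assumption: commonly observed ways of deleting volume shadow copies on Windows.
# The article only says Royal deletes shadow copies, not which command it uses.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.IGNORECASE),
    re.compile(r"Win32_ShadowCopy", re.IGNORECASE),
]

# The extension the article says Royal appends to encrypted files.
ROYAL_EXT = re.compile(r"\.royal$", re.IGNORECASE)


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True if a process command line matches a shadow-copy deletion pattern."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def royal_encrypted_paths(paths):
    """Return the paths that carry the '.royal' extension."""
    return [p for p in paths if ROYAL_EXT.search(p)]


def triage(events, paths):
    """Summarise both indicators per data set: hosts that deleted shadow copies
    (with event counts) and the '.royal' files seen. Either alone warrants a look;
    both together on one host are a strong ransomware signal."""
    hosts = Counter(e["host"] for e in events if is_shadow_copy_deletion(e["cmdline"]))
    encrypted = royal_encrypted_paths(paths)
    return {"shadow_delete_hosts": dict(hosts),
            "royal_file_count": len(encrypted),
            "royal_files": encrypted}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, SAMPLE_PATHS))
```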