At the end of last week, the Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency issued a joint warning about dangers associated with the Royal Ransomware gang.
This is not the first time a federal institution has sounded the alarm on Royal. Back in December, the Department of Health and Human Services warned healthcare providers about the ransomware group’s attacks on the healthcare sector.
In the most recent alert about the group, the FBI and CISA said that Royal is beefing up its operations and expanding its scope beyond just healthcare providers — with the manufacturing, education and communications industries all believed to be additional targets.
Since approximately September of last year, cybercriminals have been using a Royal ransomware variant to compromise organizations across the U.S., many of which have been healthcare providers.
After obtaining access to an organization’s network, Royal members disable antivirus software. The cybercriminals then “exfiltrate large amounts of data” before deploying ransomware and encrypting their victims’ systems, the FBI and CISA said in their warning.
One cybersecurity expert, Hüseyin Can Yuceel, said healthcare providers and other companies should view Royal as a formidable threat. Yuceel is a security researcher at Picus Security, a company that simulates the cyberattacks of ransomware gangs like Royal so that organizations can better protect themselves.
“This is a timely advisory, given Royal Ransomware’s rapid ascent to prominence,” he said in a statement. “From the ashes of Conti, this group is emerging as one of the most active and dangerous ransomware gangs in the world today, and now they have expanded their scope beyond healthcare targets.”
Conti, an infamous ransomware group, disbanded in May due to internal disagreements over the Russian-Ukrainian conflict. Some ex-Conti members regrouped to form Royal, according to Yuceel. He said that the number of attacks and ransomware variants that Royal has been able to develop in a short period of time has put them alongside other notorious groups like LockBit.
Royal has made ransom demands ranging from about $1 million to $11 million in Bitcoin. But the group does not include ransom amounts and payment instructions as part of its initial ransom notes, the warning stated. Instead, the ransom note requires victims to directly interact with a Royal member via a secure URL that they can reach through the encrypted Tor browser.
“The number of Royal ransomware attacks increased significantly in the last six months, and their impact is on par with their predecessor, Conti,” Yuceel declared. “They have the potential to be one of the biggest players in the ransomware scene, considering that they do not use the ransomware-as-a-service business model. They also adopt newer techniques at a rapid pace.”