CISA Warns That Royal Ransomware Is Picking Up Steam
US Agency Says Royal Ransomware Group Is Made Up of Experienced Threat Actors
The Royal ransomware group targeting critical infrastructure in the United States and other countries is made up of experienced ransomware attackers and has strong similarities to Conti, the infamous Russia-linked hacking group, according to a new alert issued by U.S. authorities.
The group is targeting major industries including manufacturing, communications, education and healthcare organizations in the U.S. and other countries, according to a joint advisory from the U.S. Cybersecurity and Infrastructure Security Agency and the FBI.
The attackers appear to be particularly interested in hitting the U.S. healthcare sector, demanding ransoms from $250,000 to over $2 million. "In each of these events, the threat actor has claimed to have published 100% of the data that was allegedly extracted from the victim," the Department of Health and Human Services said in a security alert in December 2022.
In the latest advisory, CISA warns that Royal ransomware is delivered through phishing emails and is capable of disabling antivirus software. "After gaining access to victims' networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems," the alert says.
CISA says the tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) associated with the ransomware are similar to those of Conti, the infamous Russia-linked hacking group that disbanded in May 2022.
First spotted in September 2022, Royal ransomware is designed to target 64-bit Windows systems, security experts say. Files crypto-locked by the malware have .royal appended to their filenames.
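The ".royal" extension is the one concrete on-host indicator the advisory gives. The following triage helper is an added example written for this article; it is not code from CISA, the FBI or any researcher cited here. It takes the ".royal" extension from the text above and nothing else; the sample file listing is constructed, and the grouping-by-directory logic is a design choice for quickly seeing which shares or user folders were hit.

```python
"""Triage helper: find files carrying the ".royal" extension that Royal
ransomware appends to encrypted files, and count them per directory.

The extension comes from the CISA/FBI advisory summarized in the article.
Everything else (function names, the sample listing) is constructed for this
example and is not part of any official tooling."""
import ntpath
import os
from collections import Counter
from typing import Dict, Iterable

# Extension reported in the advisory; matched case-insensitively below.
ROYAL_EXTENSION = ".royal"


def summarize_royal_paths(paths: Iterable[str], ext: str = ROYAL_EXTENSION) -> Dict[str, int]:
    """Count files ending in `ext`, grouped by parent directory.

    Returns {directory: count}, ordered by descending count so the most
    heavily affected locations come first. ntpath.dirname is used because it
    understands both Windows backslash paths (Royal targets Windows) and
    POSIX paths, so the same function works on listings from either side."""
    counts: Counter = Counter()
    for path in paths:
        if path.lower().endswith(ext.lower()):
            counts[ntpath.dirname(path)] += 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def scan_tree(root: str, ext: str = ROYAL_EXTENSION) -> Dict[str, int]:
    """Walk a real directory tree and summarize it with summarize_royal_paths."""
    def walker() -> Iterable[str]:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                yield os.path.join(dirpath, name)
    return summarize_royal_paths(walker(), ext)


# Constructed sample listing (not real victim data) to exercise the helper.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.royal",
    r"C:\Users\alice\Documents\budget.xlsx.royal",
    r"C:\Users\alice\Documents\README.txt",
    r"C:\Shares\finance\q4.pdf.ROYAL",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    # Prints the two affected directories, most-hit first.
    for directory, count in summarize_royal_paths(SAMPLE_PATHS).items():
        print(f"{count:5d}  {directory}")
```

Run it against a real host with `scan_tree(r"C:\")` (or a mounted share path) from a clean analysis system; a non-empty result is a strong signal that encryption has already run, at which point the priority is isolating the host and checking for the preceding data exfiltration the advisory describes rather than cleaning up files.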
Although most of Royal's victims are based in the United States, one of its higher-profile victims was the Silverstone Circuit, one of the largest motor racing circuits in the United Kingdom. Other victims claimed by the gang include ICS, which provides cybersecurity services to the U.S. Department of Defense; the Dallas School District; and others.
In November 2022, Microsoft reported that a threat dubbed DEV-0569 was delivering the Royal ransomware. In Microsoft nomenclature, "DEV" refers to a developing group about which little is known.