Cybersecurity · 3 Mar 2023 · 3 min read · techcrunch.com

US Officials Issue Alert Over Royal Ransomware Threats

The U.S. government cautions about the Royal ransomware operation's targeting of critical sectors. This warning highlights the urgent risks faced by various industries.

Key Takeaways

  • "Royal actors have shown a distinct capability to exploit vulnerabilities effectively, indicating their significant industry experience," an analyst remarked.
  • This advisory follows a previous alert in December from the Department of Health and Human Services, which noted that the healthcare sector was under “aggressive” assault from Royal ransomware.
  • "Royal ransomware has claimed multiple victims in the U.S. and internationally," CISA said.

The U.S. government has raised serious concerns regarding the Royal ransomware operation, which is targeting critical infrastructure sectors across the nation. In a joint advisory released on March 2, 2023, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) described how organizations in critical sectors such as manufacturing, education, healthcare, and communications have fallen victim to the group's attacks.

This advisory follows a previous alert in December from the Department of Health and Human Services, which noted that the healthcare sector was under “aggressive” assault from Royal ransomware. Notably, the gang's dark web leak site lists several organizations as victims, including Northwest Michigan Health Services and Midwest Orthopaedic Consultants.

"Royal ransomware has claimed multiple victims in the U.S. and internationally," said a representative from CISA during the advisory's release. This ransomware operation first emerged in early 2022, initially employing third-party strains like Zeon. However, since September 2022, Royal has shifted to using its proprietary ransomware.

Experts believe that Royal is made up of seasoned ransomware actors linked to earlier operations, and draw parallels between Royal and the now-defunct Conti group, a well-known hacking syndicate previously associated with Russia. The stakes are high: security researchers assessed that in late 2022 Royal briefly overtook Lockbit as the most active ransomware operation.

The group's tempo has continued into 2023. Royal was linked to at least 19 ransomware incidents in February 2023 alone, placing it behind only Lockbit, which was behind 51 attacks, and Vice Society, with 22. "Royal actors have shown a distinct capability to exploit vulnerabilities effectively, indicating their significant industry experience," an analyst remarked.

Beyond the U.S., Royal ransomware has also impacted international targets. The Silverstone Circuit in the U.K. stands out as one of its more notable victims. In addition, victims such as the Dallas School District and ICS, a provider of cybersecurity services for the Department of Defense, demonstrate the widespread reach of these attacks.

The ransom demands associated with Royal's attacks range from $1 million to an eye-watering $11 million. However, the actual revenue generated by these operations remains unclear. The advisory highlights that Royal employs double extortion tactics: the actors claim to have exfiltrated sensitive data before encrypting it and threaten to publish that data should their demands go unmet.

"In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note," CISA and the FBI noted. Instead, the note is dropped on the victim's systems after encryption and instructs them to contact the threat actor directly via a .onion (Tor) URL, where the group negotiates with victims.
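The note described above (a dropped text file that names no price and instead carries a Tor contact address) is a cheap artefact to hunt for. The following is an added example, not code from the original article or from the advisory: it flags text files that contain a .onion hostname and reports whether a ransom amount is stated alongside it. The sample note, file names and directory layout are constructed for the example; the regular expressions, file suffixes and the 64 KB read limit are assumptions, not values taken from the advisory.

```python
"""
Heuristic ransom-note finder (added example).
The page says Royal's post-encryption note names no ransom amount and instead
points the victim to a .onion URL, so a text file that contains a Tor hostname
is a high-signal artefact to hunt for; the missing price is reported as context.
All sample text, file names and thresholds below are constructed/assumed.
"""
import re
import tempfile
from pathlib import Path

# Tor hidden-service hostnames: v2 (16 base32 chars) or v3 (56 base32 chars).
ONION_RE = re.compile(
    r"\b(?:https?://)?(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion\b", re.IGNORECASE
)
# Crude "a price is stated" test: a USD figure or a BTC/XMR quantity (assumption).
AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*|\b\d+(?:\.\d+)?\s?(?:BTC|XMR)\b", re.IGNORECASE)

# File types ransom notes are commonly dropped as (assumption, widen as needed).
SCAN_SUFFIXES = {".txt", ".html", ".hta", ".readme"}


def classify_note(text: str) -> dict:
    """Return the onion URLs found, whether an amount is stated, and a verdict."""
    onions = sorted({m.group(0) for m in ONION_RE.finditer(text)})
    return {
        "onion_urls": onions,
        "states_amount": bool(AMOUNT_RE.search(text)),
        # A Tor contact address in a dropped text file is the trigger; the
        # absence of a price is reported as context, not required for the verdict.
        "suspicious": bool(onions),
    }


def scan_tree(root: Path, max_bytes: int = 64_000) -> list[tuple[Path, dict]]:
    """Walk a tree and return (path, classification) for every suspicious text file."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            # Read only the head of each file so large logs do not stall the scan.
            text = path.read_bytes()[:max_bytes].decode("utf-8", "ignore")
        except OSError:
            continue
        verdict = classify_note(text)
        if verdict["suspicious"]:
            hits.append((path, verdict))
    return hits


# Constructed sample note (not Royal's real wording): Tor URL, no amount.
SAMPLE_NOTE = (
    "Your files were encrypted. To negotiate, open Tor Browser and visit\n"
    "http://" + "example" * 8 + ".onion/contact\n"
)
# Constructed benign text: states a price but carries no Tor address.
SAMPLE_INVOICE = "Invoice 1042: total due $11,000 by 31 March.\n"


def demo() -> list[str]:
    """Write the samples into a temporary tree and return the file names flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "share").mkdir()
        (root / "share" / "README.txt").write_text(SAMPLE_NOTE)
        (root / "invoice.txt").write_text(SAMPLE_INVOICE)
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff")  # skipped: not a text suffix
        return [p.name for p, _ in scan_tree(root)]


if __name__ == "__main__":
    print(classify_note(SAMPLE_NOTE))
    print(demo())
```

Point `scan_tree` at a file share or a user profile on a suspected host; a hit with `states_amount` false matches the behaviour the advisory describes, while a hit with an amount present is still worth triage since other ransomware families do state prices in the note.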

Alongside the advisory, CISA and the FBI released indicators of compromise and the tactics, techniques and procedures observed in Royal intrusions, so that organizations can identify and mitigate potential compromises. Ransomware operations continue to evolve, underscoring the need for continuous vigilance and updated defenses across sectors.

As organizations across industries assess their defenses and contingency plans, the growing sophistication of groups like Royal highlights the urgency of strengthening those defenses. The U.S. government's warning is a stark reminder of the exposure of critical infrastructure, and of the need for organizations to stay ahead of a changing threat landscape.