On March 2, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Royal ransomware, which remains a threat to critical infrastructure, including the healthcare and public health (HPH) sector.
The advisory says that “Since approximately September 2022, cyber criminals have compromised U.S. and international organizations with a Royal ransomware variant. FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used ‘Zeon’ as a loader. After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems. Royal actors have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin. In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL (reachable through the Tor browser). Royal actors have targeted numerous critical infrastructure sectors including, but not limited to, Manufacturing, Communications, Healthcare and Public Healthcare (HPH), and Education.”
The advisory goes on to say that “Royal actors gain initial access to victim networks in a number of ways including:
- Phishing. According to third-party reporting, Royal actors most commonly (in 66.7% of incidents) gain initial access to victim networks via successful phishing emails.
  - According to open-source reporting, victims have unknowingly installed malware that delivers Royal ransomware after receiving phishing emails containing malicious PDF documents [T1566.001], and malvertising.
- Remote Desktop Protocol (RDP). The second most common vector Royal actors use (in 13.3% of incidents) for initial access is RDP compromise.
- Public-facing applications. The FBI has also observed Royal actors gain initial access through exploiting public-facing applications.
- Brokers. Reports from trusted third-party sources indicate that Royal actors may leverage brokers to gain initial access and source traffic by harvesting virtual private network (VPN) credentials from stealer logs.”
In January, we reported that the Health Sector Cybersecurity Coordination Center (HC3) published a threat brief on Royal and BlackCat Ransomware. The groups were the latest to target the U.S. healthcare sector and are considered two of the more recent sophisticated ransomware threats.
The advisory highlights three actions organizations can take today to mitigate the threat from ransomware:
- Prioritize remediating known exploited vulnerabilities
- Train users to recognize and report phishing attempts
- Enable and enforce multifactor authentication
Additional mitigations that organizations can take include:
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented location
- Require all accounts with password logins to comply with National Institute of Standards and Technology (NIST) standards
- Require multifactor authentication for all services to the extent possible
- Keep all operating systems, software, and firmware up to date
- Segment networks
- Investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool
- Install, regularly update, and enable real time detection for antivirus software on all hosts
- Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts
- Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege
- Disable unused ports
- Consider adding an email banner to emails received from outside your organization
- Implement time-based access for accounts set at the admin level and higher
- Disable command-line and scripting activities and permissions
- Maintain offline backups of data, and regularly maintain backup and restoration
- Ensure all backup data is encrypted, immutable and covers the entire organization’s data infrastructure
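As an added example (not code from the advisory, HC3, or this article), the following PowerShell script supports the account-review items above: it lists accounts created within a review window, expands current membership of the built-in privileged groups, and flags accounts still carrying the adminCount protection flag without current privileged membership. It assumes the RSAT ActiveDirectory module and read access to the domain; the 30-day window and the group list are assumptions to adjust for your environment.

```powershell
# Read-only Active Directory review for new and privileged accounts.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$LookbackDays     = 30                              # assumption: review window
$Since            = (Get-Date).AddDays(-$LookbackDays)
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')

# 1. Users and computers created inside the review window. Anything here that
#    nobody can account for is a finding, not just a note.
Write-Host "== Accounts created since $Since =="
Get-ADUser -Filter { whenCreated -ge $Since } -Properties whenCreated |
    Select-Object SamAccountName, Enabled, whenCreated, DistinguishedName |
    Sort-Object whenCreated -Descending | Format-Table -AutoSize
Get-ADComputer -Filter { whenCreated -ge $Since } -Properties whenCreated |
    Select-Object Name, Enabled, whenCreated, DistinguishedName |
    Sort-Object whenCreated -Descending | Format-Table -AutoSize

# 2. Current privileged group membership with nested groups expanded.
#    Compare against the approved admin list; every extra name is a finding.
Write-Host "== Privileged group membership =="
$Members = foreach ($Group in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { [pscustomobject]@{ Group = $Group; Member = $_.SamAccountName } }
    } catch {
        Write-Warning "Could not enumerate '$Group': $($_.Exception.Message)"
    }
}
$Members | Sort-Object Group, Member | Format-Table -AutoSize

# 3. Accounts that still carry adminCount=1 (set by SDProp when they were in a
#    protected group) but are no longer members of any group checked above.
#    They keep the protected ACL and are easy to overlook in a privilege audit.
Write-Host "== Accounts with adminCount=1 outside current privileged groups =="
$CurrentAdmins = $Members.Member | Sort-Object -Unique
Get-ADUser -Filter { adminCount -eq 1 } -Properties adminCount |
    Where-Object { $_.SamAccountName -notin $CurrentAdmins } |
    Select-Object SamAccountName, Enabled, DistinguishedName | Format-Table -AutoSize
```

Run it from a management host on a schedule and diff the output against the previous run, so that a newly created account or a new privileged member shows up as a change rather than being lost in the full listing.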