CISA Warns That Royal Ransomware Is Picking Up Steam


US Agency Says Royal Ransomware Group Is Made Up of Experienced Threat Actors

The Royal ransomware group targeting critical infrastructure in the United States and other countries is made up of experienced ransomware attackers and has strong similarities to Conti, the infamous Russia-linked hacking group, according to a new alert issued by U.S. authorities.

The group is targeting major industries including manufacturing, communications, education and healthcare organizations in the U.S. and other countries, according to a joint advisory from the U.S. Cybersecurity and Infrastructure Security Agency and the FBI.

The attackers appear to be particularly interested in hitting the U.S. healthcare sector, demanding ransoms from $250,000 to over $2 million. “In each of these events, the threat actor has claimed to have published 100% of the data that was allegedly extracted from the victim,” the Department of Health and Human Services said in a security alert in December 2022.

In the latest advisory, CISA warns that Royal ransomware is deployed through phishing emails and is capable of disabling antivirus software. “After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems,” the alert says.

CISA says the TTPs and IOCs related to the ransomware are similar to those of Conti, the infamous Russia-linked hacking group that disbanded in May…
