CryptocurrencyCyber CrimeHackingInfrastructureIntelligenceLandscapesNational DefenseNational SecurityOSINTSecurityTerrorismWork

CISA & FBI Warn of Ransomware Threats to Critical Infrastructure

The U.S. government is sounding the alarm about the Royal ransomware operation, which it says has targeted numerous critical infrastructure sectors across the United States.

In a joint advisory, the FBI and U.S. cybersecurity agency CISA said that Royal ransomware has claimed multiple victims in the U.S. and internationally, including manufacturing, communications, education and healthcare organizations.

The warning comes after the U.S. Department of Health and Human Services warned in December that Royal ransomware was “aggressively” targeting the U.S. healthcare sector. Royal’s dark web leak site currently lists Northwest Michigan Health Services and Midwest Orthopaedic Consultants among its victims.

The Royal ransomware gang was first observed in early 2022. At the time, the operation relied on third-party ransomware, such as Zeon, but has since deployed its own custom ransomware in attacks since September.

The U.S. government warns that after gaining access to victims’ networks — typically via phishing links containing a malware downloader — Royal actors “disable antivirus software and exfiltrate large amounts of data” before deploying the ransomware and encrypting systems.

According to the U.S. government’s advisory, ransom demands made by Royal vary from $1 million to $11 million, but it is not yet clear how much the operation has made from its victims. The advisory notes that Royal actors also engage in double extortion tactics, whereby they threaten to publicly release the encrypted data if the victim does not pay the ransom.

“In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note,” CISA and the FBI warned. “Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL,” referring to Royal’s sites on the dark web.

CISA and the FBI have released known Royal ransomware indicators of compromise and the operations’ tactics, techniques and procedures, which they say have been identified through FBI threat response activities as recently as January 2023. The agencies have advised U.S. organizations to apply mitigations and to report any ransomware incidents. The advisory notes that CISA and the FBI do not encourage paying ransom demands.

From The Shadows Emerges Knowledge