
Ransomware Operators Continue to Aggressively Target US Healthcare Sector

HC3’s latest brief highlights the tactics and capabilities of Royal ransomware and BlackCat ransomware, two groups that are known to target the healthcare sector.



By Jill McKeon

The Health Sector Cybersecurity Coordination Center’s (HC3) latest brief outlines the tactics and exploitation techniques used by Royal ransomware and BlackCat ransomware, two threats that ransomware operators have been using to aggressively target the US healthcare sector.

HC3 has warned the sector about both Royal and BlackCat in earlier briefs and analyst notes, but its latest brief goes into more detail on their past activity and their impact on the healthcare sector.

ROYAL RANSOMWARE

HC3 described Royal ransomware as a “relatively new, but highly capable” threat to the healthcare sector. First observed in 2022, Royal is the ransomware of choice for some experienced operators, including those who previously took part in Conti ransomware operations.

Royal is written in C++ and targets Windows systems. Notable attacks for the group include an attack against Silverstone Circuit, a popular racing circuit in the UK, and one against an unnamed US telecom organization in December 2022. The December attack resulted in compromised employee passports and driver’s licenses.

“Royal Ransomware operations start in various ways, including through phishing campaigns using common cyber crime threat loaders, such as BATLOADER and QBot,” the brief stated.

“Following initial infection, Royal often leverages Cobalt Strike, QBot and BlackBasta for multistage attacks.”

Royal is a financially motivated group with a history of victimizing the healthcare sector. It is known to use Google Ads to blend in with normal ad traffic, to abuse contact forms on an organization’s website to deliver phishing links, and to disguise malicious downloads as legitimate software.

HC3’s brief also provided a detailed technical analysis and a copy of the group’s typical ransomware note.

BLACKCAT RANSOMWARE

BlackCat ransomware was first detected in November 2021 and compromised at least 60 victims in just four months, according to the FBI. The group is suspected to be a successor of the notorious Darkside/BlackMatter groups.

The group has stated that it does not attack state medical institutions, hospitals, and ambulances. However, it is not against targeting private clinics and pharmaceutical companies. What’s more, many cybercriminal groups are not above breaking their own promises.

“It is exceptionally capable and is believed to be operated by individuals with significant experience as cyber criminals, who have extensive relationships with other significant players throughout the cybercriminal ecosystem,” HC3 previously noted.

“BlackCat is known to have targeted the healthcare and public health (HPH) sector and is expected to continue. The HPH should take this threat seriously and apply appropriate defensive and mitigative actions towards protecting their infrastructure from compromise.”

BlackCat leverages two encryption algorithms and six encryption modes. The latest brief also noted that “BlackCat tooling is constantly changing as they cycle through testing/usage, updating their arsenal frequently.”

RANSOMWARE MITIGATIONS

No matter the ransomware variant, healthcare organizations can employ basic security measures to defend against cyberattacks.

The brief recommended that organizations utilize the Cybersecurity and Infrastructure Security Agency’s (CISA) Free Cybersecurity Services and Tools. In addition, organizations should implement reliable recovery plans, network segmentation, and multi-factor authentication (MFA).

Organizations should also regularly back up data, review antivirus logs, disable unused Remote Desktop Protocol (RDP) ports, and configure user accounts with least privilege in mind.
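Two of those recommendations, disabling RDP where it is not needed and reviewing who holds administrative rights, can be checked on a host in a few lines. The PowerShell script below is an added example written for this article, not code from the HC3 brief; it audits a Windows host and, with the -Remediate switch, disables RDP on hosts that are not in an assumed list of jump hosts ($RdpRequiredHosts) and enforces Network Level Authentication on hosts that are. Run it from an elevated prompt.

```powershell
# Added example (not from the HC3 brief): audit RDP exposure and local admin
# membership on a Windows host, and optionally remediate. Run as Administrator.
# $RdpRequiredHosts is an assumption: replace it with the hosts that really need RDP.
[CmdletBinding()]
param(
    [switch]$Remediate,
    [string[]]$RdpRequiredHosts = @('JUMP01', 'JUMP02')   # assumed jump-host names
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means RDP is disabled; UserAuthentication = 1 means NLA is required.
$rdpDisabled = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 1
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1

# The built-in "Remote Desktop" firewall group holds the inbound TCP/UDP 3389 rules.
$fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
$fwOpen  = @($fwRules | Where-Object { $_.Enabled -eq 'True' }).Count -gt 0
$rdpNeeded = $RdpRequiredHosts -contains $env:COMPUTERNAME

[PSCustomObject]@{
    Host         = $env:COMPUTERNAME
    RdpDisabled  = $rdpDisabled
    NlaRequired  = $nlaRequired
    FirewallOpen = $fwOpen
    RdpNeeded    = $rdpNeeded
} | Format-List

# Least privilege: list every member of the local Administrators group and flag
# broad domain groups that silently grant admin rights to every account.
$broadGroups = 'Domain Users', 'Authenticated Users', 'Everyone'
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $flag = ''
    if ($m.ObjectClass -eq 'Group') {
        foreach ($g in $broadGroups) { if ($m.Name -like "*$g") { $flag = 'REVIEW: broad group' } }
    }
    '{0,-45} {1,-6} {2}' -f $m.Name, $m.ObjectClass, $flag
}

if ($Remediate) {
    if (-not $rdpNeeded) {
        # Host is not a jump host: turn RDP off and close the inbound firewall rules.
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        Write-Host "RDP disabled on $env:COMPUTERNAME"
    }
    elseif (-not $nlaRequired) {
        # Host does need RDP: at minimum require Network Level Authentication.
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
        Write-Host "NLA now required on $env:COMPUTERNAME"
    }
}
```

Run it without -Remediate first and review the output across a fleet before making changes; the script only reads the registry and firewall state in that mode. The admin-group check is deliberately conservative: it flags membership patterns, it does not remove anyone.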

Basic cyber hygiene and employee education can also go a long way in preventing ransomware attacks and mitigating risk.