How Royal Ransomware Could Wreak Havoc on the U.S. Digital Economy
U.S. Cybersecurity Agency Warns of the Royal Ransomware Group’s Capabilities
Earlier this year, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an advisory regarding the Royal Ransomware gang.
The Royal ransomware group first appeared in the United States in September 2022, when the U.S. Health and Human Services Cybersecurity Coordination Center issued a security alert to all healthcare organizations. Healthcare is one of Royal’s primary targets, with healthcare victims already listed on the dark web.
How does the attack usually happen? Once Royal threat actors gain access to a victim’s network, they first disable the antivirus software, then exfiltrate large amounts of data, and only then deploy the ransomware and encrypt the systems.
The custom ransomware program, also known as Zeon, has targeted U.S. and international organizations since September 2022.
Trend Micro further disclosed in December 2022 that Royal is operated by seasoned threat actors who used to be part of Conti. Like other criminal groups that splintered from Conti last year, they often use callback phishing attacks to deliver their ransomware to victims.
Several critical sectors, including communications, education, healthcare, and manufacturing, are targeted by Royal, with ransom demands ranging from $1 million to $11 million.
The Royal ransomware gang uses a distinctive intermittent encryption approach, which lets the threat actor choose what percentage of each file to encrypt.
This lets the threat actor lower the encryption percentage for larger files, which helps the encryption evade detection.
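Intermittent encryption leaves a recognisable footprint: a file that is partly ciphertext and partly untouched content contains both high-entropy and low-entropy regions at the same time, which neither an ordinary document nor a fully encrypted one does. The following chunk-entropy scanner is an added illustration of that idea, not code from the article or from Heimdal; the 4 KiB chunk size, the two thresholds, the sample "document" and the use of random bytes to stand in for ciphertext are all assumptions made for the example.

```python
import math
import os
from collections import Counter

# Assumptions for this example: 4 KiB chunks and the two entropy thresholds
# below. A real scanner tunes both per file type.
CHUNK_SIZE = 4096
HIGH_ENTROPY = 7.5   # bits per byte; ciphertext and random data sit near 8.0
LOW_ENTROPY = 6.0    # ordinary text and most structured data sit well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def classify(data: bytes) -> str:
    """Label a file body by the mix of high- and low-entropy chunks it contains.

    A body with both kinds of chunk at once is the footprint that partial
    (intermittent) encryption leaves behind.
    """
    ents = chunk_entropies(data)
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    low = sum(1 for e in ents if e <= LOW_ENTROPY)
    if high == 0:
        return "plaintext"
    if low == 0:
        # Compressed formats (zip, jpeg) look the same to entropy alone, so a
        # real scanner also checks the file's expected type before alerting.
        return "fully-encrypted"
    return "partially-encrypted"


def make_plaintext(num_chunks: int = 16) -> bytes:
    """Constructed sample 'document': repetitive text filling num_chunks chunks."""
    line = b"Patient record 00042: routine follow-up, no changes noted.\n"
    size = num_chunks * CHUNK_SIZE
    return (line * (size // len(line) + 1))[:size]


def simulate_partial_encryption(data: bytes, fraction: float) -> bytes:
    """Overwrite an evenly spaced `fraction` of the chunks with random bytes.

    os.urandom stands in for ciphertext; no encryption is performed. This only
    models the effect of an operator choosing what share of a file to encrypt.
    """
    chunks = [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)]
    k = round(fraction * len(chunks))
    targets = {int(i * len(chunks) / k) for i in range(k)} if k else set()
    for idx in targets:
        chunks[idx] = os.urandom(len(chunks[idx]))
    return b"".join(chunks)


if __name__ == "__main__":
    doc = make_plaintext()
    for frac in (0.0, 0.3, 0.5, 1.0):
        body = simulate_partial_encryption(doc, frac)
        print(f"{int(frac * 100):3d}% of chunks overwritten -> {classify(body)}")
```

The per-chunk view is the point: a whole-file entropy average would sit somewhere in the middle for a partially encrypted file and could be mistaken for a compressed one, whereas the presence of both very high and very low chunks in one file is hard to explain any other way.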
Cobalt Strike and PsExec are used for lateral movement, and shadow copies are deleted to prevent system recovery. Data aggregation and exfiltration are also carried out with Cobalt Strike.
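Shadow copy deletion and PsExec-driven lateral movement both leave process-creation events that a SOC can alert on. The detector below is an added example, not code from the article or from Heimdal: it parses a handful of constructed process-creation events (the key=value line format, the field names, and the host and user names are assumptions for the example, not any vendor's real schema), flags the well-known shadow copy deletion command lines and the PsExec service executable, and summarises which hosts triggered which rule.

```python
import re

# Constructed process-creation events in a simple key=value line format. The
# format and field names (ts, host, user, image, cmdline) are assumptions for
# this example; hosts, users and timestamps are made up.
SAMPLE_EVENTS = [
    'ts=2023-04-02T01:12:09Z host=FS01 user=CORP\\svc_backup '
    'image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"',
    'ts=2023-04-02T01:12:15Z host=FS01 user=CORP\\svc_backup '
    'image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic shadowcopy delete"',
    'ts=2023-04-02T01:13:40Z host=WS07 user="NT AUTHORITY\\SYSTEM" '
    'image=C:\\Windows\\PSEXESVC.exe cmdline="C:\\Windows\\PSEXESVC.exe"',
    'ts=2023-04-02T01:14:02Z host=WS07 user=CORP\\jdoe '
    'image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin list shadows"',
    'ts=2023-04-02T08:00:00Z host=WS07 user=CORP\\jdoe '
    'image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" cmdline="WINWORD.EXE /n"',
]

# key=value pairs; values are either bare (no spaces) or double-quoted.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Each rule: (name, pattern applied to "image cmdline", MITRE ATT&CK technique).
# T1490 is Inhibit System Recovery; T1021.002 is SMB/Windows Admin Shares,
# the remote-service path PsExec uses.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "T1490"),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "T1490"),
    ("psexec_service", re.compile(r"psexesvc\.exe", re.I), "T1021.002"),
]


def parse_event(line: str) -> dict:
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def detect(lines) -> list:
    """Return one finding per event that matches a rule (first match wins)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        haystack = f"{ev.get('image', '')} {ev.get('cmdline', '')}"
        for name, pattern, technique in RULES:
            if pattern.search(haystack):
                findings.append({"ts": ev.get("ts"), "host": ev.get("host"),
                                 "user": ev.get("user"), "rule": name,
                                 "technique": technique,
                                 "cmdline": ev.get("cmdline")})
                break
    return findings


def hosts_by_rule(findings) -> dict:
    """Map each host to the set of rule names it triggered."""
    summary = {}
    for f in findings:
        summary.setdefault(f["host"], set()).add(f["rule"])
    return summary


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['ts']} {f['host']:5} {f['rule']:22} {f['technique']:10} {f['cmdline']}")
    print(hosts_by_rule(found))
```

Note that the read-only `vssadmin list shadows` event is deliberately left unflagged: the rules key on the deletion verbs, not on the tool name, which keeps legitimate backup administration out of the alert queue. A host that shows shadow copy deletion shortly before a burst of file writes is the point at which recovery options are being removed, so that rule deserves a higher severity than the PsExec one on its own.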
How Can Heimdal® Help?
Against Royal, as against most ransomware, Heimdal provides its customers with an integrated cybersecurity suite that includes Ransomware Encryption Protection, which is compatible with any antivirus solution and 100% signature-free, ensuring detection and remediation of all types of ransomware.
Feel free to get a demo and take it for a spin.