FBI and CISA Issue Alert on Royal Ransomware Attacks

CISA and the FBI have issued a joint advisory highlighting the increasing threat behind ongoing Royal ransomware attacks targeting many U.S. critical infrastructure sectors, including healthcare, communications, and education. The alert arrived roughly three months after the U.S. Department of Health and Human Services warned organizations in the healthcare sector of the risks associated with Royal ransomware.

Takeaway: The CISA/FBI advisory regarding Royal ransomware gang targeting critical infrastructure - particularly the healthcare sector - follows closely similar guidance from HHS on Cl0p ransomware attacks a few weeks ago. Both ransomware families display advanced security evasion and anti-analysis capabilities that can hinder both detection and investigation in emulated environments such as sandboxing and virtual machines. We see ransomware operators continue to advance their tactics, techniques, and procedures (TTPs) to improve infection vectors, stealth and lateral movement on the targeted network, and in the efficacy of their payloads.  

Ransomware gangs like Royal continue to invest heavily in recruiting and retaining new talent, expanding their operations and capabilities at an astounding pace. While some research indicates there has been a decrease in the volume of ransomware attacks in the period following the Russian invasion of Ukraine, the attacks that are being seen tend to be more disruptive to operations and are generating more illicit income for the attack groups than ever before.  

Ransomware attacks are the biggest threat facing every organization today, and healthcare providers have been hit particularly hard. Attackers have significantly advanced their ability to quietly infiltrate large portions of a target's network in order to demand a higher ransom payout and exfiltrate sensitive data to be used as additional leverage to get the victims to pay. Healthcare and other critical infrastructure providers are a favorite target for ransomware attacks given they typically have the least amount of resources to dedicate to security, the networks are often composed of older legacy components, and any downtime is extremely disruptive.  

A robust defense is key, but resilience is what will ensure critical operation stay up and running even in the event of a ransomware attack. A strong prevention and resilience strategy to defend against ransomware attacks includes:

• Endpoint Protection (EPP): Deploy an anti-ransomware solution alongside existing Endpoint Protection Platforms (EPP/DR/XDR) to bridge the gaps in ransomware-specific coverage
• Patch Management: Keep all software and operating systems up to date and patched
• Data Backups: Assure critical data is backed up offsite and protected from corruption in the case of a ransomware attack (backups)
• Access Control: Implement network segmentation and policies of least privilege (Zero Trust)
• Awareness: Implement an employee awareness program to educate against risky behaviors, phishing techniques, etc.
• Resilience Testing: Regularly test solutions against simulated ransomware attacks to assure effective detection, prevention, response, and full recovery of targeted systems
• Procedure Testing: Plan and prepare for failure by running regular tabletop exercises and ensuring all stakeholders are ready and available to respond to an attack at all times

The detection/prevention side of the cyberattack equation is important, but organizations also have to prepare for failure by assuring they can quickly and decisively respond to a successful ransomware attack so any potential disruption to operations are kept to a minimum.

‍