HC3 Reveals Information on BlackCat and Royal Ransomware Campaigns

The Health Sector Cybersecurity Coordination Center (HC3) has provided threat information on two advanced and aggressive ransomware groups, the Blackcat and Royal. Both present a considerable risk to the healthcare and public health (HPH) sector.

From 2021 to the beginning of 2022, the Conti ransomware-as-a-service (RaaS) operation dominated the ransomware threat landscape; nevertheless, the operation was shut down in 2022. Although the Conti RaaS does not operate using that name now, the group members remain active although are scattered throughout a number of smaller semi-independent and independent ransomware groups. These small ransomware operations are more flexible, more difficult to monitor and get less attention from the police authorities.

The BlackCat ransomware group, also called AlphaV, was initially discovered in November 2021 and is thought to be the replacement to Darkside/BlackMatter ransomware. The BlackCat admin is thought to be a previous member of the well-known REvil threat gang. The BlackCat RaaS operation uses triple extortion, engaging in data theft, encryption of files, and denial of service (DDoS) attacks. The group exposes the stolen data on its data leak website and launches DDoS attacks if it does not receive ransom payments. The group mainly attacks companies in the United States.

In contrast to a number of ransomware operations that encourage attacking the healthcare industry, BlackCat’s operating rules forbid affiliates to attacks hospitals, medical organizations, and ambulance providers, though pharmaceutical firms and private clinics aren’t restricted. HC3 has cautioned that although there are operating guidelines, they aren’t absolute, and ransomware groups that have equally forbidden attacks on healthcare companies have not done so in past times. Although the operation is considerably smaller compared to Conti, the group has performed a lot of attacks, including on 60 companies in the initial 4 months of its operation.

Royal is a new ransomware group that was first seen executing attacks in the beginning of 2022. The group is likewise thought to involve ex – Conti members. At first, Royal utilized an encryptor similar to BlackCat’s, then used its own encryptor on September 2022. Royal is currently the ransomware operation that is most active, having overtaken Lockbit. Royal uses double extortion strategies including stealing data, encrypting files and threatening to post stolen information when no ransom is paid. Just like Conti, Royal is regarded to perform callback phishing attacks to acquire preliminary access to systems. Callback phishing begins with a harmless email that contains a phone number, and social engineering techniques are employed to persuade the victim to contact the supplied number and give access to their device. The Royal group is likewise identified to carry out attacks utilizing an encryptor that disguises as healthcare patient information software stored on legit-looking software download websites. As opposed to BlackCat, the healthcare sector is not restricted, and a number of attacks were done on healthcare companies. As a result, Royal presents a considerable threat to the HPH industry

HC3 provided comprehensive data for system defenders on the tactics, techniques, and procedures employed by the two operations, together with Indicators of Compromise (IoCs), Yara regulations, and proposed mitigations.