US government warns Royal ransomware is targeting critical infrastructure

The U.S. government is sounding the alarm about the Royal ransomware operation, which it says has targeted numerous critical infrastructure sectors across the United States.

In a joint advisory released on Thursday, the FBI and U.S. cybersecurity agency CISA said that Royal ransomware has claimed multiple victims in the U.S. and internationally, including manufacturing, communications, education and healthcare organizations.

The warning comes after the U.S. Department of Health and Human Services warned in December that Royal ransomware was “aggressively” targeting the U.S. healthcare sector. Royal’s dark web leak site currently lists Northwest Michigan Health Services and Midwest Orthopaedic Consultants among its victims. 

The Royal ransomware gang was first observed in early 2022. At the time, the operation relied on third-party ransomware, such as Zeon, but has since deployed its own custom ransomware in attacks since September.

The U.S. government warns that after gaining access to victims’ networks — typically via phishing links containing a malware downloader — Royal actors “disable antivirus software and exfiltrate large amounts of data” before deploying the ransomware and encrypting systems.

Security experts believe that Royal comprises experienced ransomware actors from previous operations, noting similarities between Royal and Conti, a prolific Russia-linked hacking group that disbanded in June 2022. 

In November 2022, Royal ransomware was reported to be the most prolific ransomware operation, overtaking Lockbit. Recent data shows that Royal was responsible for at least 19 ransomware attacks in February, behind 51 attacks attributed to LockBit, and 22 attacks linked to Vice Society.

Although most of Royal’s victims are based in the United States, one of its higher profile victims was the Silverstone Circuit, one of the largest motor racing circuits in the United Kingdom. Other victims claimed by the gang include ICS, an organization that provides cybersecurity services to the U.S. Department of Defense, the Dallas School District and others.

According to the U.S. government’s advisory, ransom demands made by Royal vary from $1 million to $11 million, but it is not yet clear how much the operation has made from its victims. The advisory notes that Royal actors also engage in double extortion tactics, whereby they threaten to publicly release the encrypted data if the victim does not pay the ransom.

“In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note,” CISA and the FBI warned. “Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL,” referring to Royal’s sites on the dark web.

CISA and the FBI have released known Royal ransomware indicators of compromise and the operations’ tactics, techniques and procedures, which they say have been identified through FBI threat response activities as recently as January 2023. The agencies have advised U.S. organizations to apply mitigations and to report any ransomware incidents. The advisory notes that CISA and the FBI do not encourage paying ransom demands.