Roundup: Royal warning, RansomHouse strikes and DoppelPaymer assets seized
The U.S. Federal Bureau of Investigation and European partners have shared warnings and announced coordination on ransomware investigations linked to at least one patient fatality. Meanwhile, Barcelona hospitals brace for the impacts of a new cyberattack.
Royal ransomware actively targeting U.S. hospitals and health systems
The FBI and the Cybersecurity and Infrastructure Security Agency released a joint cybersecurity advisory on March 2 on known Royal ransomware indicators of compromise and tactics observed as recently as January 2023.
This ransomware gang is actively targeting U.S. hospitals and health systems, according to John Riggi, the American Hospital Association's national advisor for cybersecurity and risk.
Actionable IOCs in the alert should be loaded into network defenses as soon as possible, he said on LinkedIn on Friday evening.
Royal ransomware relies on phishing, remote desktop protocol compromise, public-facing applications exploits and the use of stolen virtual private network credentials purchased from third-party brokers, according to the joint CSA.
FBI and CISA said they believe Royal's custom-made file encryption program evolved from earlier iterations that used Zeon as a loader.
After getting in, cyber actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems.
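The advisory's indicators are only useful once they are loaded into something that actually checks traffic and endpoint telemetry against them. The following is an added example, not code from the FBI/CISA advisory, the AHA or Healthcare IT News: it parses a small CSV-style indicator list (IPs or CIDR ranges, domains, SHA-256 hashes) and sweeps firewall, DNS and EDR log lines for matches, then lists the internal hosts that need triage. Every indicator value, hostname and log line below is a constructed placeholder, not a real Royal IOC.

```python
"""Load an advisory-style IOC list and sweep sample logs for matches.

Added example for this roundup; not from the FBI/CISA advisory, the AHA,
or Healthcare IT News. All indicator values, hosts and log lines are
constructed placeholders, not real Royal ransomware indicators.
"""
import csv
import io
import ipaddress
import re

PLACEHOLDER_HASH = "a" * 64  # constructed, not a real sample hash

# Constructed indicator feed in a "type,value,note" shape a defender might
# transcribe from an advisory. Documentation-range IPs and an .invalid domain.
IOC_CSV = f"""type,value,note
ip,192.0.2.45,C2 placeholder
ip,198.51.100.0/24,placeholder range
domain,onion-example.invalid,leak site placeholder
sha256,{PLACEHOLDER_HASH},loader placeholder
"""

# Constructed log lines: firewall allows, a DNS query and an EDR file event.
SAMPLE_LOGS = [
    "2023-03-03T01:02:03Z fw allow src=10.0.0.7 dst=192.0.2.45 dport=443",
    "2023-03-03T01:02:09Z dns query=onion-example.invalid client=10.0.0.7",
    f"2023-03-03T01:03:00Z edr host=WS-07 file=C:\\Users\\x\\svc.exe sha256={PLACEHOLDER_HASH.upper()}",
    "2023-03-03T01:04:00Z fw allow src=10.0.0.9 dst=203.0.113.5 dport=443",
    "2023-03-03T01:05:00Z fw allow src=10.0.0.9 dst=198.51.100.77 dport=3389",
]

KV_RE = re.compile(r"(\w+)=(\S+)")  # key=value tokens in a log line


def load_iocs(text):
    """Parse the CSV into typed indicator sets.

    IP entries may be single addresses or CIDR ranges; domains and hashes
    are normalised to lowercase. Malformed hashes are rejected so a typo in
    the feed cannot silently disable an indicator.
    """
    iocs = {"networks": [], "domains": set(), "sha256": set()}
    for row in csv.DictReader(io.StringIO(text)):
        kind, value = row["type"].strip().lower(), row["value"].strip()
        if kind == "ip":
            iocs["networks"].append(ipaddress.ip_network(value, strict=False))
        elif kind == "domain":
            iocs["domains"].add(value.lower().rstrip("."))
        elif kind == "sha256":
            if not re.fullmatch(r"[0-9a-fA-F]{64}", value):
                raise ValueError(f"malformed sha256 indicator: {value!r}")
            iocs["sha256"].add(value.lower())
        else:
            raise ValueError(f"unknown indicator type: {kind!r}")
    return iocs


def sweep_logs(lines, iocs):
    """Return [(line_no, ioc_type, matched_indicator)] for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(KV_RE.findall(line))
        # Network indicators: check any address-bearing field against ranges.
        for key in ("src", "dst", "client"):
            raw = fields.get(key)
            if raw is None:
                continue
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                continue  # not an address (e.g. a hostname); skip
            for net in iocs["networks"]:
                if addr in net:  # version mismatch simply yields False
                    hits.append((n, "ip", str(net)))
        # Domain indicators: exact match or any subdomain of the indicator.
        query = fields.get("query", "").lower().rstrip(".")
        for dom in sorted(iocs["domains"]):
            if query and (query == dom or query.endswith("." + dom)):
                hits.append((n, "domain", dom))
        # File-hash indicators: case-insensitive compare.
        digest = fields.get("sha256", "").lower()
        if digest in iocs["sha256"]:
            hits.append((n, "sha256", digest))
    return hits


def affected_hosts(lines, hits):
    """Sorted list of internal hosts (src/client/host field) on hit lines."""
    hosts = set()
    for n, _kind, _val in hits:
        fields = dict(KV_RE.findall(lines[n - 1]))
        for key in ("src", "client", "host"):
            if key in fields:
                hosts.add(fields[key])
                break
    return sorted(hosts)


if __name__ == "__main__":
    found = sweep_logs(SAMPLE_LOGS, load_iocs(IOC_CSV))
    for hit in found:
        print("hit:", hit)
    print("hosts to triage:", affected_hosts(SAMPLE_LOGS, found))
```

The hash check and the CIDR handling are the two places real feeds tend to bite: advisories list hashes in mixed case and sometimes truncated, and they list networks as ranges rather than single addresses. Running the same sweep over retained logs from before the advisory date is how a defender finds out whether the initial access described above already happened.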
"Since approximately September 2022, cybercriminals have compromised U.S. and international organizations with a Royal ransomware variant," the agencies said.
Royal actors have targeted numerous critical infrastructure sectors including healthcare, communications and others. Ransom demands have ranged from $1 million to $11 million to be paid in Bitcoin.
The agencies say they have observed that Royal actors do not initially include ransom amounts or payment instructions. "Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL (reachable through the Tor browser)."
RansomHouse diverts patient care in Barcelona
RansomHouse shut down computers at the Hospital Clinic de Barcelona's laboratories, emergency room and pharmacy across three main centers and several external clinics on Sunday, according to the Associated Press.
The attack, which officials say was launched from outside of Spain, has caused the diversion of urgent cases, 150 nonurgent operations and approximately 3,000 scheduled appointments.
Healthcare system officials have said they do not know when systems – including access to patients' records and communications systems – will be back up.
RansomHouse emerged with threat actors publishing evidence of stolen files and leaking the data of organizations that refuse to make a ransom payment, Bleeping Computer reported in May.
"The new operation claims not to use any ransomware and instead focuses on breaching networks through alleged vulnerabilities to steal a target's data," according to the report.
The cybercriminals have blamed victims for improper network security and the small bug bounty rewards offered for vulnerability disclosures.
Segi Marcén, Catalonia's regional government telecommunications secretary, told the AP that the hackers hadn’t made any ransom demands as of this morning, but if they do no ransom will be paid.
Europol, FBI and others investigate DoppelPaymer suspects
Europol announced that on February 28, German Regional Police and Ukrainian National Police, with support from Europol, the FBI and the Dutch Police, raided the house of a German national suspected of playing a major role in large-scale cyberattacks by the DoppelPaymer ransomware group. They also interrogated a Ukrainian national believed to be a member.
Investigators are currently analyzing seized equipment from three locations, two in Ukraine.
This ransomware gang relies on a double extortion scheme using a leak website it launched in 2020, and German authorities are aware of 37 victims, according to the announcement.
"One of the most serious attacks was perpetrated against the University Hospital in Düsseldorf," said Europol.
In the U.S., victims paid at least 40 million euros between May 2019 and March 2021, Europol says, and DoppelPaymer is suspected of a major attack on Düsseldorf University Hospital.
In 2020, widespread server encryption at the hospital required patients to be moved to other facilities, and a critically ill woman died before she could be treated.
AHA advocates for prioritizing ransomware attacks against hospitals as threat-to-life crimes. It implores the federal government to use its capabilities to dismantle ransomware organizations wherever they are.
"We will continue to work both to prevent these attacks and to provide support to victims who have been targeted," U.S. Attorney General Merrick Garland said in January, when the FBI announced it had disrupted the Hive ransomware group, sparing hospitals from attacks.
"And together with our international partners, we will continue to disrupt the criminal networks that deploy these attacks," he had pledged.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.