The Royal ransomware group has been targeting different sectors across the country and abroad. Among its victims are health care, education, communications, and manufacturing organizations.
How the Royal Ransomware Gang Operates
According to the FBI and CISA, Royal actors use phishing links to access an organization's network. These links carry a malware downloader. The cyber threat actors then disable the network's antivirus software, extract large amounts of data, and encrypt systems.
Besides phishing links, the Royal ransomware gang uses other tools to get into an organization’s network, including:
Royal Ransomware Made Rounds Since 2022
The Royal ransomware gang first appeared in early 2022. When it started, it used third-party ransomware such as Zeon. It has since created its own ransomware and has been using it since September. It also uses other malicious tools to gather information and to keep victims from restoring their data.
In December, the U.S. Department of Health and Human Services announced that Royal ransomware targeted the health care sector. Royal's leak page on the dark web listed two health care service providers as victims.
Royal actors have also made ransom demands in Bitcoin. These demands range between $1 million and $11 million. The ransom notes do not state ransom amounts or payment details, but they do contain instructions on how to contact the group.
Royal Gang Is a Group of Experienced Cybercriminals
Security experts believe that experienced cybercriminals make up the Royal ransomware gang. These cyber threat actors have worked together in previous operations.
Cybersecurity experts noted similarities between the Royal operation and Conti, a Russian hacking enterprise. Conti disbanded in June 2022, giving rise to several cybercriminal groups. These groups applied the same phishing technique that the Royal gang now uses to deploy its ransomware.
Organizations Should Have a Data Recovery Plan in Place
The U.S. government advises businesses and organizations to have a data recovery plan in place. This plan ensures that organizations won’t lose their data in case Royal ransomware infiltrates their systems. Additionally, organizations can continue their operations in case of a ransomware attack.
A recovery plan includes:
The Bottom Line: Businesses Should Be Ready for Ransomware Attacks
Businesses and organizations could lose all their data, including customers’ personal information, in a ransomware attack. This could incapacitate their business or at least disrupt operations. Their customers would also lose trust and confidence in them. As such, businesses and organizations should prepare themselves for possible cyberattacks. It is not enough to put measures in place to prevent an attack. They should also have a contingency plan in case they fall victim to a cybercrime.