The Health Sector Cybersecurity Coordination Center (HC3) has identified two advanced and hostile ransomware operations, BlackCat and Royal, that pose a major risk to the healthcare and public health (HPH) sector, and has shared this threat intelligence to help protect the sector. In 2021 and early 2022, Conti, a large and highly organized ransomware-as-a-service (RaaS) operation, was a major player in the ransomware threat landscape. However, the group disbanded in 2022. Although the Conti RaaS is no longer active, its members still are, now working in smaller, semi-autonomous and autonomous ransomware operations. Because of their agility, these operations are more difficult to trace and draw less attention from law enforcement.
BlackCat ransomware, also known as AlphaV, was first spotted in November 2021. It is thought to be the successor of DarkSide/BlackMatter ransomware, and the BlackCat admin is speculated to be an ex-member of the notorious REvil malware group. BlackCat is a ransomware-as-a-service (RaaS) operation that uses a triple extortion method: data theft, file encryption, and Distributed Denial of Service (DDoS) attacks. If victims do not pay the ransom or break off negotiations, the hackers leak the stolen data on their data leak site and carry out a DDoS attack. HC3 has noted that BlackCat has a set of operating rules that forbid affiliates from attacking hospitals, medical institutions, and ambulance services. Private clinics and pharmaceutical companies, however, are not off-limits. HC3 has warned that, although the rules are in place, they may not be permanent, as other ransomware gangs have broken similar promises in the past. Although smaller than Conti, BlackCat has attacked a high number of organizations, with 60 organizations attacked within its first 4 months of operation. The group primarily targets organizations in the United States.
Royal first appeared as a new ransomware threat in early 2022 and is thought to be composed of former members of the Conti group. In September of the same year, the group changed its encryptor, and it has since become the most active ransomware operation, surpassing LockBit. Royal uses double extortion tactics, stealing data and encrypting files, and threatens to publish the data if the ransom is not paid. The gang poses a threat to the healthcare sector, having conducted numerous attacks on healthcare organizations. Its attack methods involve callback phishing, in which emails containing telephone numbers are sent to victims and social engineering is then used to get them to call and grant access. The group also uses an encryptor disguised as healthcare patient data software, hosted on seemingly legitimate software download sites. HC3 has released information on Royal's tactics, techniques, and procedures, as well as Indicators of Compromise (IoCs), YARA rules, and recommended mitigations to help network defenders protect against attacks from both Royal and BlackCat.