New Threats: BlackCat, Royal Among Most Worrisome Threats to Healthcare

Both Ransomware Groups Pose Serious Concerns to Sector, Warns HHS HC3

The U.S. government is warning that Healthcare entities should be on high alert for signs of the new BlackCat and Royal ransomware-as-a-service groups.

On January 12th, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center issued a threat brief that warns that BlackCat conducts triple extortion, meaning it doesn’t just encrypt data and demand an extortion payment, but also threatens to leak the data and conduct distributed denial-of-service attacks against victims if they don’t pay up. Royal hews to the now more traditional double-extortion method of demanding a ransomware payment backed with the threat of a data breach.

The groups have roots in earlier ransomware groups including Darkside, BlackMatter, REvil, and Conti Team One.

According to security researchers, Royal is a particularly nasty strain of ransomware and features a significant number of evasion techniques.

BlackCat Threats
“BlackCat tooling is constantly changing as they cycle through testing/usage, updating their arsenal frequently,” the alert says.

Security researchers have also found BlackCat attackers using a PowerShell command to download Cobalt Strike beacons on some affected systems, as well as the pen-testing tool Brute Ratel, which has “Cobalt Strike-like remote access features”.

BlackCat uses two encryption algorithms — ChaCha20 and AES — and six encryption modes, including Full, HeadOnly, DotPattern, SmartPattern, AdvancedSmartPattern and Auto.

BlackCat’s latest ransomware is written in the memory-safe, multiplatform language Rust.

Royal Threats
Royal was also the subject of a separate HHS HC3 security alert in December that cautioned the healthcare care sector of surging ransomware attacks across the globe, with U.S. entities a top target.

The new HHS HC3 alert says that in September, researchers observed that Royal’s developers had deployed an encryptor called Zeon. HC3 says the group later renamed its encryptor Royal. The ransomware deletes all shadow copies that provide point-in-time copies of a file, the alert says.

Ransom demands in Royal attacks have ranged from $250,000 to more than $2 million. Royal delivery methods include using Google Ads in a campaign to blend in with normal ad traffic, making malicious downloads appear authentic by hosting fake installer files on legitimate-looking software download sites and using contact forms located on an organization’s website to distribute phishing links.

Protect Your Organization
The good news is that BlackCat and Royal are still using well-known loaders like QBot, and back doors like Cobalt Strike for persistence and command and control. A solid defense-in-depth strategy designed to detect these sorts of common techniques and make lateral movement difficult will be effective in preventing the operations of these actors in the network.

Network segmentation, egress filtering, and separation of privileges will provide additional layers of protection as well.

If you have questions about IT security and the threats affecting Healthcare, call ITPAC today.