cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

US Office of Information Security details 2 ransomware threats facing US health system

As we’ve often reported, ransomware is a growing threat worldwide. The Office of Information Security in the United States has been monitoring two particular prevalent ransomware suites and addressed the dangers they present to the country’s health system.

user icon David Hollingworth
Wed, 18 Jan 2023
US Office of Information Security details 2 ransomware threats facing US health system
expand image

Royal ransomware has been seen in operation with several threat actors since early 2022, with nearly 50 per cent of attacks affecting organisations in the United States, with Brazil not far behind.

The operators behind the software are cyber crime veterans, some of whom were once associated with Conti Team One, a group that also targets healthcare professionals and organisations.

Like other ransomware, such as BianLian, it creates encrypted files using its own name as a file extension — .royal or .royal w — and then adds a text file ransom note.


“Most likely what happened is you decided to save yourself some money on your security infrastructure,” one of the notes reads. “Alas, as a result your critical data was not only encrypted but also copied from your systems on a secure server.”

In this manner, the ransomware operators can not only demand a ransom but can then threaten to publish the data online if not appeased.

The ransomware is deployed via a number of vectors, including Google ads to hide among regular ad traffic, and since October 2022, has infiltrated networks by impersonating healthcare data.

It is also known to appear as installers for chat suites such as Zoom and Teams.

“Once applications are launched, BATLOADER uses MSI Custom Actions to launch malicious PowerShell activity and to run batch scripts attempting to disable security solutions, delivering encrypted malware payloads,” the report states.

The BATLOADER itself is hosted on sites that look like legit websites, such as One Drive and GitHub.

BlackCat ransomware, on the other hand, has been around since late 2021, when it compromised 60 organisations in four months. Its operators use a triple extortion method — not only do they demand a ransom to decrypt data and threaten to publish it online if a ransom demand is not met, but they also threaten victims with DDOS attacks.

It also operates as ransomware-as-a-service.

BlackCat has attacked organisations largely in the United States, but a small number of attacks have also taken place in Canada and the UK. Six attacks were detected by Trend Micro between 1 December 2021 and 30 September 2022 in Australia.

While Royal focuses largely on Windows systems, BlackCat seems much more versatile. It has targeted systems as diverse as Windows, ESXI, Debian, and Ubuntu, while also targeting the operating systems of dedicated storage devices from ReadyNAS and Synology.

And where Royal infiltrates its victims by pretending to come from a legitimate source, BlackCat aims to obfuscate itself by terminating a range of processes on targeted networks.

BlackCat also shares some similarities with BlackMatter and LockBit ransomware, which suggests there may be some cooperation between their operators.

The Office of Information Security (OIS) does note that BlackCat’s operators seem to have some ethical boundaries.

“We do not attack state medical institutions, ambulances, hospitals,” the group has said, according to the OIS. “This rule does not apply to pharmaceutical companies, private clinics.”

Which, we are sure, makes those private clinics feel much better about being targeted.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.