The U.S. Department of Health and Human Services (HHS) has issued a new advisory to warn healthcare organizations about ongoing attacks by the Royal ransomware gang. The advisory mentions that the ransomware group is behind multiple attacks against U.S. healthcare firms.


The HHS highlights that the ransomware has been quickly ramping up its activity since it first appeared in September. 
  • Given its historical nature of victimizing the healthcare community, Royal should be considered a threat to the Healthcare and Public Health Sector (HPH). 
  • The group primarily appears to be focused on organizations in the U.S. and has claimed to have published 100% of data stolen from the victims. 
  • The ransomware is known to make steep ransom demands, ranging between $250,000 and $2000,000.

Attack tactics

While most of the ransomware operators are known for following the RaaS model, Royal appears to be a private group without any affiliates while maintaining financial motivation as their goal. 
  • Once a network is compromised, the operators deploy Cobalt Strike to maintain persistence, harvest credentials, and move laterally across the network. 
  • It leverages RDP and known vulnerabilities to gain access to the target’s systems.
  • The group has also replaced BlackCat’s encryptor with Zeon to generate a ransomware note.
  • The ransom note includes a README.TXT and a link to the victim’s private negotiation page. Later, this note was changed to Royal in September.

Other noteworthy observations

  • Although the Royal ransomware is just two months old, the operators have been observed improving the tactics.
  • One of these unique tactics is callback phishing attacks. To lure victims, the group impersonates food delivery and software providers, urging potential victims to renew their subscriptions.


Organizations must focus on strengthening their security defenses by implementing multifactor authentication, keeping operating systems up to date, and maintaining offline backups. Additionally, they must stay updated about the IoCs, and TTPs used by the group to mitigate attacks.
Cyware Publisher