U.S. government warns of Royal ransomware attacks against critical infrastructure

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory Thursday warning vulnerable organizations of an increased threat posed by Royal ransomware.

The guidance is the second warning the U.S. government has issued about Royal ransomware in recent months. In December, the U.S. Department of Health and Human Services (HHS) warned hospitals and organizations in the healthcare sector to stay on alert for Royal ransomware attacks.

The ransomware strain has been involved in a number of recent high-profile incidents, including cyberattacks targeting the Iowa branch of the Public Broadcasting Service, U.S. hospitals, and one of the most popular motor racing circuits in the U.K. It also has a reputation for targeting various critical infrastructure sectors, such as manufacturing, communications, and education, CISA said.

The hackers behind Royal ransomware are reputedly notorious for demanding exorbitant ransoms from their victims, often ranging from $1 million to $11 million in bitcoin. Royal ransomware is also harder than other strains to detect.

In November, Microsoft reported that hackers were creating new methods for deploying the Royal ransomware, such as leveraging Google Ads to redirect users to a site hosting malicious files.

The Royal ransomware group operates globally and consists of experienced hackers who have worked as associates for other ransomware groups, researchers at cybersecurity firm Cybereason said. 

Royal tactics and techniques

Cybersecurity experts say that they have observed hackers using Royal ransomware since September. After gaining access to victims’ networks, hackers usually disable antivirus software and exfiltrate large amounts of data before ultimately deploying the Royal ransomware and encrypting targeted systems.

This ransomware variant has a unique file encryption program that allows hackers to choose a specific percentage of data in a file to encrypt, which helps evade detection, CISA said.

Royal’s ransom note does not typically specify ransom amounts or payment instructions — it requires victims to engage directly with the threat actors via a .onion URL accessible through the Tor browser.

CISA and the FBI listed a number of recommendations for organizations to avoid these types of situations. Tips included using multifactor authentication, keeping software updated, maintaining offline backups, and installing antivirus software on all devices.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.