Wednesday, January 4, 2023

A New Threat Attacks the US Healthcare Sector - Royal Ransomware

In the world we now live in, security is simply part of what we have to deal with. Along those lines, I try to do my part to keep others in the healthcare sector apprised of potential threats. Today's post deals with a new one.

I do my best to keep up with all things techy, but it isn't always easy, especially when it comes to security. So my apologies to readers: this information has been out for about a month and escaped my notice.

I recently became aware of an announcement by the Department of Health and Human Services (HHS) regarding a new ransomware referred to as "Royal". One of the responsibilities of HHS is to help the healthcare sector stay informed of security threats. To help in that regard, the agency has a division called the Health Sector Cybersecurity Coordination Center (HC3).

On December 3, 2022, HC3 released an "Analyst Note" on a new ransomware group and its ransomware, called "Royal". Each ransomware family is different: the end result, a victim's data encrypted and held for ransom, is the same, but how it gets there is specific to the software doing it. Royal is designed to attack Windows systems. Before the ransomware encrypts the data, the operators copy files out of the network (exfiltrate them) so they can add a second threat on top of the encryption: pay, or the stolen data gets posted online. This "double extortion" model is now standard practice among ransomware groups, and it means a good backup alone does not get you out of the situation.

While I am by NO means an expert on ransomware, I do know enough to be aware of the damage these things can cause. To that end: keep your systems up to date with all available software patches, do not open email attachments (or follow links) without verifying their authenticity, and keep offline, tested backups so that an encrypted server is a recovery job rather than a ransom negotiation.

The HC3 "Analyst Note", in PDF format, can be accessed via this link. If you are inclined to learn more about Royal, the PDF includes links to several security vendors' write-ups with plenty of detail.

1 comment:

  1. Ugh. Windows environments.
    Keep your Eaglesoft database secure.
    Don't run *anything* on your server other than Eaglesoft and AV. Don't sign in to it and don't touch it other than to do Windows Updates and Eaglesoft upgrades. Don't install third-party patient analytics/communication tools; use a different machine for them.

    Most importantly, turn off the Eaglesoft "everyone full control" fileshare that contains the database. Point your x-ray images and SmartDocs data somewhere else. Preferably a non-Windows NAS that can do intelligent stuff. Monitor all file access for patterns of Cryptolocker. Should there be .HTML or .TXT files created in your SmartDocs folder? Nope. What should file traffic look like? Almost entirely reads. Sure signs of Cryptolocker if you're seeing a bunch of folder scans and writes. There are a lot of attributes of malicious access that simply can't be changed. Monitor it and act accordingly. Act automatically. Did an IP on your network just write DECRYPT_INSTRUCT.txt to your data folder? Ban that IP in all your firewalls, disable the switch port, page admins, etc... ;)
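The monitoring the commenter sketches (watch the data share for note-style files, write-heavy bursts and directory walks, then react per source IP) as a worked example. This is an added example, not code from the blog post or from the commenter. The log lines are constructed for the illustration and only loosely follow the layout of Samba's vfs_full_audit output (user|ip|machine|share|op|result|path); the share paths (SmartDocs/, Xrays/), the operation names, the thresholds and the action names are all assumptions to adjust for your own NAS and network gear.

```python
"""Toy file-share monitor for the ransomware tells described in the comment.
Added example, not from the post or the commenter.  Log lines are constructed
and loosely follow Samba's vfs_full_audit layout
(user|ip|machine|share|op|result|path); check your NAS's real format."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Operation names are assumptions; map them to what your audit module emits.
WRITE_OPS = {"create_file", "pwrite", "write", "rename", "unlink"}
SCAN_OPS = {"opendir", "readdir"}
READ_OPS = {"open", "pread", "read"}
# Assumed share layout: trees that should only ever receive PDFs and images.
DATA_PREFIXES = ("SmartDocs/", "Xrays/")
# Ransom-note lookalikes and file types that do not belong in those trees.
NOTE_RE = re.compile(r"(decrypt|readme|restore|recover|how_to).*\.(txt|html?|hta)$", re.I)
BAD_EXT_RE = re.compile(r"\.(txt|html?|hta)$", re.I)
LINE_RE = re.compile(
    r"smbd_audit: (?P<user>[^|]*)\|(?P<ip>[^|]*)\|(?P<host>[^|]*)\|(?P<share>[^|]*)"
    r"\|(?P<op>[^|]*)\|(?P<result>[^|]*)\|(?P<path>.*)$"
)


@dataclass
class HostStats:
    reads: int = 0
    writes: int = 0
    scans: int = 0
    note_paths: list = field(default_factory=list)


def parse(line):
    """Return the audit fields as a dict, or None for a line we don't understand."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def analyze(lines, write_ratio=0.5, min_writes=5, min_scans=3):
    """Return {ip: [reasons]} for hosts whose access pattern looks like an
    encryptor (note drop, write-heavy burst, directory walk plus writes)
    rather than a workstation reading charts.  Thresholds are assumptions."""
    stats = defaultdict(HostStats)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["result"] != "ok":
            continue
        s, op, path = stats[rec["ip"]], rec["op"], rec["path"]
        if op in WRITE_OPS:
            s.writes += 1
            if path.startswith(DATA_PREFIXES) and (NOTE_RE.search(path) or BAD_EXT_RE.search(path)):
                s.note_paths.append(path)
        elif op in SCAN_OPS:
            s.scans += 1
        elif op in READ_OPS:
            s.reads += 1
    alerts = {}
    for ip, s in stats.items():
        reasons = []
        if s.note_paths:
            reasons.append(f"ransom-note-like file written: {s.note_paths[0]}")
        total = s.reads + s.writes
        if s.writes >= min_writes and total and s.writes / total >= write_ratio:
            reasons.append(f"write-heavy traffic: {s.writes} writes vs {s.reads} reads")
        if s.scans >= min_scans and s.writes >= min_writes:
            reasons.append(f"directory walk plus writes: {s.scans} scans")
        if reasons:
            alerts[ip] = reasons
    return alerts


def response_plan(alerts):
    """Turn alerts into the automatic actions the comment lists.  The action
    names are placeholders to wire to your firewall, switch and paging APIs."""
    plan = []
    for ip in sorted(alerts):
        plan += [("firewall_block", ip), ("disable_switch_port", ip), ("page_admins", ip)]
    return plan


# Constructed sample: WS01 reads charts like a normal workstation; WS07 walks
# the tree, rewrites files under a new extension and drops a note.
SAMPLE_LOG = """\
smbd_audit: alice|192.168.1.50|WS01|eaglesoft|open|ok|SmartDocs/1001/chart.pdf
smbd_audit: alice|192.168.1.50|WS01|eaglesoft|pread|ok|SmartDocs/1001/chart.pdf
smbd_audit: alice|192.168.1.50|WS01|eaglesoft|pread|ok|Xrays/1001/pano.dcm
smbd_audit: alice|192.168.1.50|WS01|eaglesoft|create_file|ok|SmartDocs/1001/consent.pdf
smbd_audit: bob|192.168.1.77|WS07|eaglesoft|opendir|ok|SmartDocs/
smbd_audit: bob|192.168.1.77|WS07|eaglesoft|readdir|ok|SmartDocs/
smbd_audit: bob|192.168.1.77|WS07|eaglesoft|opendir|ok|Xrays/
smbd_audit: bob|192.168.1.77|WS07|eaglesoft|readdir|ok|Xrays/
smbd_audit: bob|192.168.1.77|WS07|eaglesoft|pread|ok|SmartDocs/1001/chart.pdf
smbd_audit: bob|192.168.1.77|WS07|eaglesoft|pwrite|ok|SmartDocs/1001/chart.pdf.locked
smbd_audit: bob|192.168.1.77|WS07|eaglesoft|unlink|ok|SmartDocs/1001/chart.pdf
smbd_audit: bob|192.168.1.77|WS07|eaglesoft|pwrite|ok|Xrays/1001/pano.dcm.locked
smbd_audit: bob|192.168.1.77|WS07|eaglesoft|unlink|ok|Xrays/1001/pano.dcm
smbd_audit: bob|192.168.1.77|WS07|eaglesoft|create_file|ok|SmartDocs/DECRYPT_INSTRUCT.txt
""".splitlines()

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for ip, reasons in found.items():
        print(ip, "->", "; ".join(reasons))
    for action in response_plan(found):
        print(*action)
```

Run against the constructed sample, only 192.168.1.77 is flagged, on all three tells (note drop, write-heavy burst, directory walk), while the workstation that opened two charts and saved one consent form stays quiet. The thresholds are deliberately loose; in a real clinic you would tune them from a week of normal traffic, and you would tail the audit log continuously rather than analyzing a batch, but the per-IP accounting is the same.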