This brand new ransomware gang is on the attack and, despite them being new to the game, are coming out of the gate attacking the healthcare sector and asking for millions in ransom.

The Health and Human Services’ Health Sector Cybersecurity Coordination Center (quite the mouthful, which is probably why they simply go by the name HC3 released an analyst note last week discussing recent attacks by Royal ransomware against the Healthcare and Public Healthcare (HPH) sector.

According to the note, Royal is not operating in an “as a Service” model, meaning they are keen to take 100% of all ransoms collected – which currently range from $250K to over $2 million. They are focused primarily at hospitals and other healthcare organizations within the United States, using data exfiltration, double extortion tactics to ensure payment, and publishing 100% of all data stolen.

Royal uses a particular set of initial attack methods, including embedding malicious links in malvertising, phishing emails, fake forums, and blog comments – all leveraging the value of social engineering to trick victims into engaging with their malicious content. This kind of trickery is addressed through Security Awareness Training which teaches corporate users how to maintain vigilance – even when interacting with what appears to be a normal email or webpage – and elevate the security stance of the organization by doing so.