In the second half of 2022, a ransomware operation called Royal began making a name for itself with an unusually aggressive focus on healthcare organizations. By early 2023, the FBI and CISA issued a joint advisory specifically warning about Royal's healthcare targeting. The group wasn't the first to hit hospitals and medical providers, but the frequency and deliberateness of their healthcare focus raised serious alarms.
Royal's origins traced directly back to the Conti ransomware group, and it carried forward Conti's operational expertise — along with an apparent willingness to target the sector where ransomware does the most direct harm to human life.
Origins: Conti's Legacy
Royal ransomware emerged from a Conti sub-group known as "Team 2" or the "Conti splinter." When Conti dissolved in May 2022 following the internal leaks, its operators scattered to several new operations. Royal was one of the primary successors, carrying forward:
- Experienced operators with years of ransomware deployment expertise
- Established relationships with initial access brokers
- Proven intrusion and lateral movement methodologies
- An understanding of which sectors would pay and which would not
The Conti lineage was evident in Royal's operational patterns. The group used many of the same tools and techniques documented in the Conti playbook leaks, adapted for their new brand.
Why Healthcare?
Healthcare's attractiveness as a ransomware target stems from a combination of factors that Royal exploited systematically:
Operational Urgency
Healthcare organizations face unique pressure to restore operations quickly. When ransomware encrypts hospital systems, the impact isn't measured in lost revenue alone — it's measured in delayed surgeries, diverted ambulances, and degraded patient care. Studies have linked hospital ransomware attacks to increased mortality rates in surrounding hospitals due to patient overflow.
This urgency translates directly to willingness to pay ransoms. Healthcare organizations consistently pay at higher rates than organizations in other sectors.
Complex Supply Chains
Modern healthcare runs on interconnected digital systems:
- Electronic Health Records (EHR) linking providers, labs, pharmacies, and insurers
- Medical device networks connecting imaging equipment, infusion pumps, and monitoring systems
- Supply chain management systems coordinating pharmaceutical and supply procurement
- Billing and claims systems processing insurance transactions
Compromising any node in this web can cascade across the healthcare delivery chain. Royal's operators understood this — their attacks frequently targeted systems that connected to broader healthcare networks, maximizing disruption leverage.
Legacy Infrastructure
Healthcare IT environments are notoriously difficult to secure:
- Medical devices often run outdated operating systems that can't be patched
- Regulatory requirements for data retention create large stores of sensitive data
- Budget constraints limit security investments
- The proliferation of connected medical devices expands the attack surface faster than security teams can manage
Regulatory Pressure
HIPAA violations carry significant financial penalties for healthcare organizations that suffer data breaches. This regulatory pressure adds another dimension to extortion — beyond operational disruption, victims face potential regulatory action if patient data is exposed.
Royal's Technical Approach
Royal ransomware was written in C++ and used a combination of AES and RSA encryption. The group developed their own ransomware rather than purchasing or licensing existing tools — a distinction from many RaaS operations and a reflection of the technical talent they retained from Conti.
Initial Access
Royal used multiple initial access vectors:
- Callback phishing: Emails claiming subscription charges with phone numbers to call. When victims called, operators guided them through installing remote access software — effectively tricking victims into granting access themselves
- SEO poisoning: Creating malicious websites that ranked highly for common search terms, distributing malware through fake software downloads
- Exploiting public-facing applications: Targeting VPN appliances, remote desktop services, and web applications
- Initial access broker purchases: Buying pre-established network access from criminal marketplaces
Lateral Movement and Escalation
Once inside a network, Royal operators followed a methodical process:
- Reconnaissance: Mapping the network using tools like ADFind, nltest, and net commands
- Credential harvesting: Using Mimikatz, LaZagne, and other tools to extract domain credentials
- Lateral movement: Using RDP, PsExec, and SMB to move across the network
- Privilege escalation: Targeting domain administrator accounts for maximum access
- Security tool disablement: Using tools like GMER and PowerTool to disable endpoint detection
- Data exfiltration: Stealing data before encryption for double extortion
- Ransomware deployment: Using GPO or scheduled tasks for network-wide deployment
Cobalt Strike and Beyond
Royal relied heavily on Cobalt Strike for command and control, but also employed legitimate remote administration tools including AnyDesk, Atera, and ConnectWise to maintain persistent access. The use of legitimate tools complicated detection — security teams couldn't simply block these applications without impacting business operations.
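As an added detection example (not part of the original post and not Royal's tooling), the Python below scores constructed process-creation log lines against the intrusion stages listed above, flagging hosts where several stages of the playbook appear together, and also counts the remote administration tools named in this paragraph as a stage of their own. The pipe-delimited log format and the binary-name needles are assumptions to adapt to your own telemetry.

```python
import re
from collections import defaultdict

# Tools named in the Royal playbook above, grouped by intrusion stage.
# The binary-name needles are assumptions; tune them to your own telemetry.
STAGE_TOOLS = {
    "recon": ("adfind", "nltest", "net.exe", "net1.exe"),
    "credential_access": ("mimikatz", "lazagne"),
    "lateral_movement": ("psexec", "psexesvc"),
    "defense_evasion": ("gmer", "powertool"),
    "deployment": ("schtasks", "gpupdate"),
    "rmm": ("anydesk", "atera", "connectwise", "screenconnect"),
}

# Constructed line format: timestamp|host|user|image path|command line
LINE_RE = re.compile(r"^(?P<ts>\S+)\|(?P<host>[^|]+)\|(?P<user>[^|]+)\|(?P<image>[^|]+)\|(?P<cmd>.*)$")

def classify(image, cmd):
    """Map one process-creation event to a playbook stage, or None if not of interest."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for stage, needles in STAGE_TOOLS.items():
        if any(n in name for n in needles):
            # schtasks only matters when it creates a task, not when it queries one
            if "schtasks" in name and "/create" not in cmd.lower():
                return None
            return stage
    return None

def stages_by_host(lines):
    """Collect the distinct playbook stages observed per host; malformed lines are skipped."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and (stage := classify(m["image"], m["cmd"])):
            seen[m["host"]].add(stage)
    return {host: sorted(stages) for host, stages in seen.items()}

def flag_hosts(lines, min_stages=3):
    """Hosts where several stages of the playbook show up together warrant an IR ticket."""
    return {h: s for h, s in stages_by_host(lines).items() if len(s) >= min_stages}

SAMPLE_LOG = [  # constructed events, not real telemetry
    "2023-03-01T02:14:07|DC01|corp\\svc_backup|C:\\Tools\\AdFind.exe|AdFind.exe -f objectcategory=computer",
    "2023-03-01T02:21:40|DC01|corp\\svc_backup|C:\\Tools\\mimikatz.exe|mimikatz.exe",
    "2023-03-01T02:35:12|DC01|corp\\svc_backup|C:\\Tools\\PsExec.exe|PsExec.exe \\\\WS-BILL-12 cmd",
    "2023-03-01T03:02:55|DC01|corp\\svc_backup|C:\\Windows\\System32\\schtasks.exe|schtasks /create /tn upd /tr C:\\temp\\x.exe",
    "2023-03-01T09:10:00|WS-RAD-07|corp\\jdoe|C:\\Windows\\System32\\net.exe|net use",
    "2023-03-01T09:11:00|WS-RAD-07|corp\\jdoe|C:\\Windows\\System32\\schtasks.exe|schtasks /query",
    "2023-03-01T11:40:18|WS-BILL-12|corp\\mlee|C:\\Program Files\\AnyDesk\\AnyDesk.exe|AnyDesk.exe --service",
    "this line is malformed and is skipped",
]
```

Hosts with a single matching stage (an administrator running net use, a help desk AnyDesk install) are left for triage rather than flagged, which is what keeps the legitimate-tool problem described above from drowning the alert in noise.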
Notable Healthcare Attacks
Royal targeted healthcare organizations across the spectrum:
- Community hospitals with limited IT resources
- Large health systems with multiple facilities
- Healthcare technology providers and billing companies
- Medical device companies and pharmaceutical distributors
The specific victim list was extensive, with the HHS Health Sector Cybersecurity Coordination Center (HC3) tracking numerous incidents throughout late 2022 and 2023. Ransom demands ranged from $250,000 to over $2 million, calibrated to the victim's perceived ability to pay.
The Rebrand to BlackSuit
In mid-2023, Royal began transitioning to a new identity: BlackSuit. The rebrand maintained the same technical approach and operational patterns but introduced a refreshed ransomware payload with additional capabilities. Analysis of BlackSuit samples showed extensive code overlap with Royal, confirming the lineage.
The rebrand followed a common pattern in ransomware — when heat from law enforcement or public attention builds, operators relaunch under a new name while retaining their technical infrastructure and affiliate relationships.
The Healthcare Supply Chain Problem
Royal's healthcare focus highlighted a broader challenge: the healthcare supply chain is deeply interconnected and insufficiently secured.
A single attack on a healthcare technology provider can cascade across hundreds of hospitals and clinics. The 2024 Change Healthcare attack (by BlackCat, not Royal) demonstrated this at massive scale, but Royal's earlier campaign of targeted attacks across the healthcare ecosystem showed the same dynamics at smaller scale — each compromised provider affected patients, partners, and payers across the healthcare chain.
The healthcare sector's challenge is compounded by:
- Vendor interdependencies: Medical equipment vendors, EHR providers, billing services, and pharmaceutical distributors all connect to hospital networks
- Legacy device management: Medical devices with 10-15 year lifecycles running obsolete software
- Data sensitivity: Protected health information (PHI) carries both regulatory and personal privacy implications
- Resource constraints: Healthcare organizations operate on thin margins with limited cybersecurity budgets
Defensive Priorities for Healthcare
Royal's campaign reinforced several defensive priorities specific to healthcare:
Network segmentation for medical devices: Medical devices running legacy operating systems should be segmented from general IT networks, limiting lateral movement paths.
Identity security: Royal's operators consistently targeted Active Directory credentials. Implementing phishing-resistant MFA and monitoring for anomalous authentication patterns can slow or stop lateral movement.
Backup resilience: Offline or immutable backups that cannot be reached from the production network are essential. Royal's operators specifically targeted backup systems.
Third-party access monitoring: Healthcare organizations typically grant network access to dozens of vendors. Each connection is a potential attack path.
How Safeguard.sh Helps
Royal ransomware's systematic targeting of healthcare exposed the sector's software supply chain vulnerabilities — legacy systems, interconnected vendors, and complex dependency chains that are difficult to track manually.
Safeguard.sh brings automated supply chain visibility to environments that need it most. The platform's SBOM generation and dependency tracking provide a clear inventory of every software component in your environment, including the legacy and third-party systems that healthcare organizations struggle to monitor.
By continuously tracking vulnerabilities across your software supply chain and enforcing security policies automatically, Safeguard.sh ensures that the vendor dependencies and legacy components that Royal exploited are identified and managed proactively. When your software supply chain includes hundreds of medical device vendors, EHR integrations, and billing system connections, automated visibility isn't a luxury — it's a requirement for protecting patient safety.