New Ransomware Group Branches Out, Hits Multiple Hospitals, Provider Networks
Authorities are sounding the alarm about double-extortion attacks against healthcare and public health sector organizations by a relatively new ransomware-as-a-service group, Rhysida, which until recently had mainly focused on entities in other industries.
Rhysida, known for targeting the education, government, manufacturing, tech and managed services sectors, is apparently branching out with recent attacks on healthcare and public health sector organizations, warned the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center in an alert issued Friday.
The Health Information Sharing and Analysis Center also told Information Security Media Group that the Rhysida ransomware group has hit several hospitals and health provider networks over the past few days.
“We alerted the global healthcare community about Rhysida and passed along crucial information from our partners, including HC3,” said Errol Weiss, H-ISAC chief security officer.
“Organizations should be vigilant about updating, protecting and monitoring their networks to avoid becoming victims of this newest ransomware group. Health-ISAC is reminding organizations to stay up to date on patching, backup systems regularly and implement multifactor authentication.”
Paul Prudhomme, principal security analyst at security firm Rapid7, told ISMG that Rhysida engages in double-extortion attacks: the group encrypts files for ransom and also threatens to disclose compromised data if victims refuse to pay.
“These data dumps are most likely to include what ransomware operators perceive to be the most sensitive data sets from a compromise, such as financial and accounting records, customer/patient data – including protected health information in healthcare incidents – and employees’ personally identifiable information or HR records,” he said.
“Rhysida’s choice of targets outside healthcare – such as those in the public sector and education – suggests a preference for sectors perceived as easier targets,” Prudhomme said. “We would expect to see more Rhysida incidents involving the healthcare industry, as its popularity as a ransomware target is also due to its perceived vulnerability to compromise and extortion.”
Rhysida, first observed on May 17 following the emergence of its victim support chat portal hosted through Tor, describes itself as a “cybersecurity team” that aims to help victims highlight potential security weaknesses and secure their networks, HHS HC3 said in its alert.
Little is known about Rhysida’s origins or country affiliations, the agency wrote. Attacks to date have included an assault on the Chilean Army and other victims in several countries across Western Europe, North and South America and Australia. The pattern of targets loosely aligns with that of other ransomware groups that avoid hacking former Soviet republics, Eastern Bloc countries and the Central Asian members of the Commonwealth of Independent States, HHS HC3 said.
Deep web monitoring firm DarkFeed on Monday said Rhysida has claimed 34 victims.
Prospect Medical Holdings is among healthcare sector entities recently experiencing a cyberattack, and sources close to the investigation on Monday told ISMG that Rhysida was believed to be behind the attack.
Prospect Medical did not immediately respond to ISMG’s request for comment on whether Rhysida is a suspect in its attack. As of Monday, most of Prospect’s 17 hospitals and dozens of clinics in several states were still recovering from a security incident that hit late last week, forcing the California-based company to take IT systems, including electronic health records, offline.
In its attacks, Rhysida’s malware leaves PDF ransom notes in the affected folders, instructing victims to contact the group via its portal and pay in Bitcoin, HHS HC3 said in its alert.
“The group drops an eponymous ransomware via phishing attacks and Cobalt Strike to breach targets’ networks and deploy their payloads,” HHS HC3 writes. The Rhysida binary is a 64-bit Windows Portable Executable ransomware application compiled with MinGW/GCC, the alert said. “In each sample analyzed, the application’s program name is set to Rhysida-0.1, suggesting the tool is in early stages of development.
A notable characteristic of the tool is its plain-text strings revealing registry modification commands,” HHS HC3 said, adding that the malware appears to lack “advanced features.”
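The traits HC3 lists above (a 64-bit PE, a MinGW/GCC build, the program name Rhysida-0.1 and plaintext registry-modification commands) map directly onto a static triage check. The Python below is an added example written for this page, not code from HC3, ISMG or any of the firms quoted. The alert does not list the exact registry commands, so the `reg add`/`HKLM`-style patterns and the `GCC: (GNU)` identification string are assumptions used for illustration, and the two sample byte blobs are constructed in the script rather than taken from real samples.

```python
"""Static triage of a suspected Rhysida sample (added example, not HC3's tooling).

Checks a file image for: a 64-bit Windows PE header, the program-name string
"Rhysida-0.1", and plaintext registry-modification commands. All sample bytes
below are constructed for the example; no real malware hashes or notes are used.
"""
import re
import struct

PROGRAM_NAME = "Rhysida-0.1"  # program name reported by HHS HC3 for every sample analyzed

# ASSUMPTION: the alert says the binary's plaintext strings reveal registry
# modification commands but does not quote them; these generic patterns
# (reg.exe verbs and hive prefixes) are an illustrative stand-in.
REGISTRY_CMD = re.compile(
    r"\breg(?:\.exe)?\s+(?:add|delete|import)\b|\bHK(?:LM|CU|EY_LOCAL_MACHINE|EY_CURRENT_USER)\\",
    re.IGNORECASE,
)

# ASSUMPTION: MinGW/GCC builds commonly embed a "GCC: (GNU) <version>" string;
# treated here as a weak supporting indicator only.
GCC_IDENT_PREFIX = "GCC: (GNU)"

IMAGE_FILE_MACHINE_AMD64 = 0x8664


def is_pe64(data: bytes) -> bool:
    """True if data starts with a DOS stub pointing at a PE header whose Machine field is AMD64."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return machine == IMAGE_FILE_MACHINE_AMD64


def printable_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Extract runs of printable ASCII of at least min_len bytes (like the `strings` tool)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> dict:
    """Return the indicators found and a verdict requiring all three strong traits together."""
    strings = printable_strings(data)
    findings = {
        "pe64": is_pe64(data),
        "program_name": any(PROGRAM_NAME in s for s in strings),
        "registry_commands": [s for s in strings if REGISTRY_CMD.search(s)],
        "gcc_ident": any(s.startswith(GCC_IDENT_PREFIX) for s in strings),
    }
    strong = findings["pe64"] and findings["program_name"] and bool(findings["registry_commands"])
    findings["verdict"] = "match" if strong else "no match"
    return findings


def build_sample(extra: bytes, machine: int = IMAGE_FILE_MACHINE_AMD64) -> bytes:
    """Construct a minimal PE-shaped blob: DOS header, e_lfanew, PE signature, COFF file header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE header right after the DOS header
    file_header = struct.pack("<H", machine) + b"\0" * 18  # Machine + remaining 18 COFF header bytes
    return bytes(dos) + b"PE\0\0" + file_header + extra


# Constructed sample resembling the traits HC3 describes (not a real Rhysida binary).
SAMPLE_RHYSIDA_LIKE = build_sample(b"\0".join([
    b"Rhysida-0.1",
    b"GCC: (GNU) 12.2.0",
    b"cmd.exe /c reg add HKCU\\Software\\Example /v Marker /t REG_SZ /d 1 /f",
]))

# Constructed benign 64-bit PE with no ransomware indicators.
SAMPLE_BENIGN = build_sample(b"Hello, World! This is a normal program.\0Copyright (c) Example Corp")


if __name__ == "__main__":
    for name, blob in (("rhysida-like", SAMPLE_RHYSIDA_LIKE), ("benign", SAMPLE_BENIGN)):
        print(name, triage(blob))
```

Run against a real suspect file with `triage(open(path, "rb").read())`. The verdict deliberately requires the PE architecture, the program name and a registry command string together, so a benign MinGW build or an unrelated script that happens to call `reg add` is not flagged on one weak hit alone.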
HHS HC3 notes that some security researchers assert there might be a relationship between Rhysida threat actors and the Russian RaaS group Vice Society, which mainly targets small to midsized entities in the education and healthcare sectors.
“If there is indeed a linkage between both groups, then it is only a matter of time before Rhysida could begin to look at the healthcare sector as a viable target,” HHS HC3 writes.
But not everyone agrees that Rhysida and Vice Society are affiliated.
“Rhysida is the latest in a long line of ransomware to be used in attacks on the healthcare sector,” said Brett Callow, threat analyst at security firm Emsisoft.
“The code is amateurish, and I’m not aware of any evidence to suggest that the operation is a rebrand of Vice Society or in any way linked to them. In fact, that seems rather unlikely,” he told Information Security Media Group.
Still, if there is a tie between the two groups, those developments are disturbing, H-ISAC’s Weiss said.
“When we see groups like Vice Society attacking hospitals with ransomware and disrupting critical life services, it just serves as a reminder that these cyber criminals don’t care who they victimize as long as they can make a buck,” he said. “Like anyone connected to the internet, those in healthcare are a potential target.”