Recent Rhysida Attacks Show Focus on Healthcare by Ransomware Actors

Published: 23/11/2024   Category: security




The operators of the Rhysida ransomware-as-a-service have claimed credit for a crippling attack on Mississippi's Singing River health system.



The threat group behind the fast-growing Rhysida ransomware-as-a-service operation has claimed credit for an Aug. 19 attack that crippled systems at Singing River Health System, one of Mississippi's largest healthcare entities.
The attack follows one against California's Prospect Medical Holdings in August that affected 16 hospitals and more than 160 clinics around the country. The wide scope of that incident prompted an alert from the Health Sector Cybersecurity Coordination Center to other organizations in the industry.
The attack on Singing River impacted three hospitals and some 10 clinics belonging to the system and is likely to reinforce Rhysida's credentials as a growing threat to healthcare organizations in the US. It's also a reminder of the surging interest in the sector from ransomware actors who, early in the COVID-19 pandemic, had piously vowed to stay away from attacking hospitals and other healthcare entities.
Sergey Shykevich, threat intelligence group manager at Check Point Software, which is tracking the Rhysida operation, says he can confirm the Rhysida group recently posted a small sample of data apparently belonging to Singing River on its leak disclosure site. The group has said it is willing to sell all the data it has from the healthcare system for 30 Bitcoin — or roughly $780,000 at today's rates. "We sell only to one hand, no reselling you will be the only owner," the group's post noted.
Rhysida — named after a genus of centipede — surfaced in May and has quickly established itself as a potent threat in the ransomware space. The group initially targeted organizations in the education, manufacturing, technology, managed service provider, and government sectors. Its attack on Prospect signaled the threat group's expansion into the healthcare sector.
Check Point first encountered Rhysida when investigating a ransomware attack on an educational institution earlier this year. The security vendor's investigation into the threat actor's tactics, techniques, and procedures revealed an overlap with the TTPs of Vice Society, another particularly prolific threat actor that has been targeting the education and health sectors since at least 2021.
The malware itself is a 64-bit Portable Executable Windows encryption app that, according to the Health Sector Cybersecurity Coordination Center, still appears to be in the early stages of development. Threat actors are distributing the malware via phishing emails and by using Cobalt Strike and other post-exploit attack tools to drop it on previously compromised systems.
Check Point says its researchers have observed Rhysida actors use a variety of tactics for lateral movement on compromised networks, including via Remote Desktop Protocol, Remote PowerShell sessions, and the PSExec remote admin tool. Like almost every other major ransomware group, Rhysida actors steal data from their victim before encrypting it. They have then used the threat of data exposure as additional leverage to try to extract money from their victims.
The Rhysida operation's expansion into the healthcare space is a reflection of how valuable the sector is for threat actors. For those with criminal intent, healthcare organizations present a veritable treasure trove of personal identity and health information that they can monetize in myriad ways. Threat actors also know that health entities are likely more inclined to negotiate their way out of an attack — by paying a ransom, for instance — to avoid disruptions that can impede their ability to deliver patient care.
"Attacks on healthcare providers have two main significant implications," Shykevich says. "The hospital's ability to provide basic services to its patients and [on] the patients' sensitive data. Following such cyberattacks, the data quickly makes its way to Dark Web markets and forums."
The attack on Singer Health, for instance, forced the healthcare entity to take all of its internal systems offline and to resort to emergency contingency plans to continue delivering patient care. Critical services like its electronic medical records platforms and access to lab results were temporarily unavailable as the healthcare system fought to recover its systems. If the organization refuses to pay a ransom, its data could end up being sold to the highest bidder.
The attack is one of hundreds of ransomware and other types of incidents on healthcare organizations this year. In the first six months of 2023 alone, the attacks exposed more than 41 million records cumulatively. Data maintained by the US Department of Health and Human Services Office for Civil Rights shows the agency is currently investigating more than 440 incidents that healthcare organizations reported in the first eight months of this year.
A global healthcare cybersecurity study that Claroty conducted earlier this year showed that healthcare technology leaders currently rank ransomware as one of their top three cyberthreats.
"Within Claroty's Global Healthcare Security Study 2023, 61% of our 1,110 respondents noted a substantial or moderate impact to the quality of care, with another 15% acknowledging severe impacts to patient safety," says Ty Greenhalgh, healthcare industry principal at Claroty.
Some 43% of ransomware incidents in Claroty's healthcare cybersecurity study involved ransoms of between $100,000 and $1 million, Greenhalgh says, noting that ransomware attacks on health systems have a ripple effect.
"Hospitals adjacent to healthcare delivery organizations affected by ransomware attacks may see increases in patient census and may experience resource constraints affecting time-sensitive care for conditions such as acute stroke," he says. "They may also cause disruptions of healthcare delivery at adjacent hospitals within a community and could be considered a regional disaster."
For some smaller healthcare entities, ransomware can be an existential threat. Earlier this year, St. Margaret's Health of Illinois announced its decision to cease operations permanently, at least partly because of a crippling 2021 ransomware attack.
