Recent Rhysida attacks show focus on healthcare by ransomware actors
The threat group behind the fast-growing Rhysida ransomware-as-a-service operation has claimed credit for an Aug. 19 attack that crippled systems at Singing River Health System, one of Mississippi’s largest healthcare entities.
The attack follows one against California’s Prospect Medical Holdings in August that affected 16 hospitals and more than 160 clinics around the country. The wide scope of that incident prompted an alert from the Health Sector Cybersecurity Coordination Center to other organizations in the industry.
Crippling Attack
The attack on Singing River impacted three hospitals and some 10 clinics belonging to the system and is likely to reinforce Rhysida’s credentials as a growing threat to healthcare organizations in the US. It’s also a reminder of the surging interest in the sector from ransomware actors who, early in the COVID-19 pandemic, had piously vowed to stay away from attacking hospitals and other healthcare entities.
Sergey Shykevich, threat intelligence group manager at Check Point Software, which is tracking the Rhysida operation, says he can confirm the Rhysida group recently posted a small sample of data apparently belonging to Singing River on its leak disclosure site. The group has said it is willing to sell all the data it has from the healthcare system for 30 Bitcoin — or roughly $780,000 at today’s rates. “We sell only to one hand, no reselling you will be the only owner,” the group’s post noted.
Rhysida — named after a genus of centipede — surfaced in May and has quickly established itself as a potent threat in the ransomware space. The group initially targeted organizations in the education, manufacturing, technology, managed service provider, and government sectors. Its attack on Prospect signaled the threat group’s expansion into the healthcare sector.
Check Point first encountered Rhysida when investigating a ransomware attack on an educational institution earlier this year. The security vendor’s investigation into the threat actor’s tactics, techniques, and procedures revealed an overlap with the TTPs of Vice Society, another particularly prolific threat actor that has been targeting the education and health sectors since at least 2021.
The malware itself is a 64-bit Windows Portable Executable (PE) encryptor that, according to the Health Sector Cybersecurity Coordination Center, still appears to be in the early stages of development. Threat actors distribute it via phishing emails and drop it on already-compromised systems using Cobalt Strike and other post-exploitation tools.
Check Point says its researchers have observed Rhysida actors use a variety of techniques for lateral movement on compromised networks, including Remote Desktop Protocol (RDP), remote PowerShell sessions, and the PsExec remote administration tool. Like almost every other major ransomware group, Rhysida actors steal data from victims before encrypting it, then use the threat of data exposure as additional leverage to extract payment.
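The three lateral-movement techniques named above each leave a characteristic Windows event: an RDP logon is a Security 4624 with LogonType 10, PsExec installs its PSEXESVC service (System 7045), and an incoming remote PowerShell session is hosted by wsmprovhost.exe (Security 4688 process creation). The following is an added detection example written for this page; it is not Check Point's logic and not code from the article. The event records are constructed for illustration and use the real event IDs and field names from the Windows Security and System logs; host and account names are made up. Because every one of these events is also produced by legitimate administration, the example correlates hits per account across hosts rather than alerting on any single event.

```python
"""Flag Windows event records that match the lateral-movement techniques
discussed above (RDP, remote PowerShell, PsExec) and correlate them per account.

Added example with constructed sample events; not Check Point's detection
logic and not code from the article. Field names follow the Windows
Security/System event schema (EventID, LogonType, ServiceName, NewProcessName),
but the records, hosts and accounts are invented for illustration.
"""
from collections import defaultdict

# Constructed sample events, one dict per record. A real pipeline would parse
# EVTX/XML or JSON from a SIEM; the field names here mirror that schema.
SAMPLE_EVENTS = [
    # Interactive console logon (LogonType 2): benign.
    {"Channel": "Security", "EventID": 4624, "Computer": "WS01",
     "TargetUserName": "alice", "LogonType": 2, "IpAddress": "-"},
    # RDP logon (LogonType 10) from another internal host.
    {"Channel": "Security", "EventID": 4624, "Computer": "SRV-FILE01",
     "TargetUserName": "svc_backup", "LogonType": 10, "IpAddress": "10.0.5.23"},
    # PsExec drops and installs its service (System log 7045).
    {"Channel": "System", "EventID": 7045, "Computer": "SRV-FILE01",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe",
     "SubjectUserName": "svc_backup"},
    # wsmprovhost.exe hosts incoming remote PowerShell (WinRM) sessions.
    {"Channel": "Security", "EventID": 4688, "Computer": "SRV-DB02",
     "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Windows\\System32\\wsmprovhost.exe"},
    # Ordinary process start: benign.
    {"Channel": "Security", "EventID": 4688, "Computer": "WS01",
     "SubjectUserName": "alice",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
]


def classify(event):
    """Return a technique label for one event, or None if it is not of interest."""
    eid = event.get("EventID")
    if eid == 4624 and event.get("LogonType") == 10:
        return "rdp_logon"
    if eid == 7045:
        name = (event.get("ServiceName") or "").upper()
        path = (event.get("ImagePath") or "").upper()
        if "PSEXESVC" in name or "PSEXESVC" in path:
            return "psexec_service_install"
    if eid == 4688:
        proc = (event.get("NewProcessName") or "").lower()
        if proc.endswith("\\wsmprovhost.exe"):
            return "remote_powershell_session"
    return None


def detect(events):
    """Return (technique, computer, account) for every flagged event."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            # 4624 names the logged-on user in TargetUserName; 7045/4688 use SubjectUserName.
            account = ev.get("TargetUserName") or ev.get("SubjectUserName")
            hits.append((label, ev["Computer"], account))
    return hits


def accounts_spanning_hosts(hits, min_hosts=2):
    """Accounts whose flagged activity touches at least min_hosts distinct machines.

    One RDP logon is routine; one account fanning out across several hosts with
    remote-execution tooling is the pattern worth escalating.
    """
    hosts = defaultdict(set)
    for _label, computer, account in hits:
        hosts[account].add(computer)
    return {acct: sorted(h) for acct, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print(accounts_spanning_hosts(found))
```

On the constructed input, `svc_backup` is the only account that both logs on over RDP and shows up behind PsExec and remote PowerShell on a second host, which is the shape of the post-compromise movement the paragraph describes. Tune `min_hosts` and add an allow-list of jump hosts and admin accounts before using anything like this in production.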
A Target-Rich Sector
The Rhysida operation’s expansion into the healthcare space is a reflection of how valuable the sector is for threat actors. For those with criminal intent, healthcare organizations present a veritable treasure trove of personal identity and health information that they can monetize in myriad ways. Threat actors also know that health entities are likely more inclined to negotiate their way out of an attack — by paying a ransom, for instance — to avoid disruptions that can impede their ability to deliver patient care.
To read the complete article, visit Dark Reading.