The threat group behind the fast-growing Rhysida ransomware-as-a-service operation has claimed credit for an Aug. 19 attack that crippled systems at Singing River Health System, one of Mississippi's largest healthcare entities.
The attack follows one against California's Prospect Medical Holdings in August that affected 16 hospitals and more than 160 clinics around the country. The wide scope of that incident prompted an alert from the Health Sector Cybersecurity Coordination Center to other organizations in the industry.
Crippling Attack
The attack on Singing River impacted three hospitals and some 10 clinics belonging to the system and is likely to reinforce Rhysida's credentials as a growing threat to healthcare organizations in the US. It is also a reminder of the surging interest in the sector from ransomware actors who, early in the COVID-19 pandemic, had piously vowed to avoid attacking hospitals and other healthcare entities.
Sergey Shykevich, threat intelligence group manager at Check Point Software, which is tracking the Rhysida operation, says he can confirm the Rhysida group recently posted a small sample of data apparently belonging to Singing River on its leak disclosure site. The group has said it is willing to sell all the data it has from the healthcare system for 30 Bitcoin — or roughly $780,000 at today's rates. "We sell only to one hand, no reselling you will be the only owner," the group's post noted.
Rhysida — named after a genus of centipede — surfaced in May and has quickly established itself as a potent threat in the ransomware space. The group initially targeted organizations in the education, manufacturing, technology, managed service provider, and government sectors. Its attack on Prospect signaled the threat group's expansion into the healthcare sector.
Check Point first encountered Rhysida when investigating a ransomware attack on an educational institution earlier this year. The security vendor's investigation into the threat actor's tactics, techniques, and procedures revealed an overlap with the TTPs of Vice Society, another particularly prolific threat actor that has been targeting the education and health sectors since at least 2021.
The malware itself is a 64-bit Portable Executable Windows encryption app that, according to the Health Sector Cybersecurity Coordination Center, still appears to be in the early stages of development. Threat actors are distributing the malware via phishing emails and by using Cobalt Strike and other post-exploitation attack tools to drop it on previously compromised systems.
Check Point says its researchers have observed Rhysida actors use a variety of tactics for lateral movement on compromised networks, including via Remote Desktop Protocol, Remote PowerShell sessions, and the PsExec remote admin tool. Like almost every other major ransomware group, Rhysida actors steal data from their victim before encrypting it. They have then used the threat of data exposure as additional leverage to try to extract money from their victims.
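The three lateral-movement techniques named above (RDP, Remote PowerShell, PsExec) each leave a characteristic Windows event that a defender can alert on. The following is an added detection example, not code from the article or from Check Point; the event records are constructed, SIEM-style dictionaries, and the field names mirror the native Windows event fields.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry), shaped like SIEM-normalised
# Windows Security (4624), System (7045) and PowerShell (4103) records.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup",
     "IpAddress": "10.0.5.17", "Computer": "HOSP-FS01"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "nurse01",
     "IpAddress": "-", "Computer": "WS-ICU-04"},
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "Computer": "HOSP-DC02"},
    {"EventID": 4103, "HostApplication": "wsmprovhost.exe",
     "Computer": "HOSP-APP03"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup",
     "IpAddress": "10.0.5.17", "Computer": "HOSP-DB01"},
]

# 4624 logon types that mean a remote session rather than a console logon.
REMOTE_LOGON_TYPES = {3: "network", 10: "RDP (RemoteInteractive)"}


def lateral_movement_findings(events, fan_out_threshold=2):
    """Return (technique, host, detail) tuples for RDP, PsExec and remote
    PowerShell activity, plus a fan-out correlation across hosts."""
    findings = []
    hosts_by_source = defaultdict(set)  # (user, src_ip) -> hosts reached
    for ev in events:
        eid, host = ev.get("EventID"), ev.get("Computer", "?")
        if eid == 4624 and ev.get("LogonType") in REMOTE_LOGON_TYPES:
            user, src = ev.get("TargetUserName"), ev.get("IpAddress")
            if ev["LogonType"] == 10:
                findings.append(("rdp_logon", host, f"{user} from {src}"))
            hosts_by_source[(user, src)].add(host)
        # PsExec installs a service called PSEXESVC by default; a renamed
        # copy changes the service name, so the image path is checked too.
        elif eid == 7045 and ("PSEXESVC" in ev.get("ServiceName", "").upper()
                              or "PSEXESVC" in ev.get("ImagePath", "").upper()):
            findings.append(("psexec_service", host, ev.get("ServiceName")))
        # wsmprovhost.exe is the WinRM host process for remote PowerShell.
        elif eid in (4103, 4104) and ev.get(
                "HostApplication", "").lower().endswith("wsmprovhost.exe"):
            findings.append(("remote_powershell", host, ev["HostApplication"]))
    # One account/source reaching several hosts is the fan-out pattern of
    # hands-on-keyboard lateral movement that precedes data theft.
    for (user, src), hosts in hosts_by_source.items():
        if len(hosts) >= fan_out_threshold:
            findings.append(("fan_out", ",".join(sorted(hosts)),
                             f"{user} from {src}"))
    return findings
```

The fan-out rule is the one worth tuning: a legitimate backup or patching account will also touch many hosts, so scope it to interactive accounts or raise the threshold for known service principals.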
A Target-Rich Sector
The Rhysida operation's expansion into the healthcare space is a reflection of how valuable the sector is for threat actors. For those with criminal intent, healthcare organizations present a veritable treasure trove of personal identity and health information that they can monetize in myriad ways. Threat actors also know that health entities are likely more inclined to negotiate their way out of an attack — by paying a ransom, for instance — to avoid disruptions that could impede their ability to deliver patient care.
"Attacks on healthcare providers have two main critical implications," Shykevich says. "The hospital's ability to provide basic services to its patients and [on] the patients' sensitive data. Following such cyberattacks, the data quickly makes its way to Dark Web markets and forums."
The attack on Singer Health, for instance, forced the healthcare entity to take all of its internal systems offline and to resort to emergency contingency plans to continue delivering patient care. Critical services like its electronic medical records platforms and access to lab results were temporarily unavailable as the healthcare system fought to recover its systems. If the organization refuses to pay a ransom, its data could end up being sold to the highest bidder.
The attack is one of hundreds of ransomware and other types of incidents on healthcare organizations this year. In the first six months of 2023 alone, the attacks exposed more than 41 million records cumulatively. Data maintained by the US Department of Health and Human Services Office for Civil Rights shows the agency is currently investigating more than 440 incidents that healthcare organizations reported in the first eight months of this year.
A global healthcare cybersecurity study that Claroty conducted earlier this year showed that healthcare technology leaders currently rank ransomware as one of their top three cyberthreats.
"Within Claroty's Global Healthcare Security Study 2023, 61% of our 1,110 respondents noted a substantial or moderate impact to the quality of care, with another 15% acknowledging severe impacts to patient safety," says Ty Greenhalgh, healthcare industry principal at Claroty.
Some 43% of ransomware incidents in Claroty's healthcare cybersecurity study involved ransoms of between $100,000 and $1 million, Greenhalgh says, noting that ransomware attacks on health systems have a ripple effect.
"Hospitals adjacent to healthcare delivery organizations affected by ransomware attacks may see increases in patient census and may experience resource constraints affecting time-sensitive care for conditions such as acute stroke," he says. "They may also cause disruptions of healthcare delivery at adjacent hospitals within a community and could be considered a regional disaster."
For some smaller healthcare entities, ransomware can be an existential threat. Earlier this year, St. Margaret's Health of Illinois announced its decision to cease operations permanently, at least partly because of a crippling 2021 ransomware attack.