Three Ransomware attacks and data breaches in the healthcare industry over the last few weeks have been noteworthy. We’ve discussed the first incident that involves the BlackCat Ransomware as a Service (RaaS). Now, let’s continue with the second:the return of LockBit 3.0.

Part 3: Rhysida

Another ransomware as a service (RaaS) operation known as Rhysida is also making the rounds in the Healthcare industry and doing a lot of damage. First identified in May 2023, The Rhysida ransomware gang have predominantly deployed its ransomware variant against the health care, manufacturing, education, government, and IT sectors.

Rhysida gained significant attention in August 2023 when it conducted a large-scale ransomware attack that impacted 17 hospitals and a network of 166 outpatient clinics across the United States. This one attack on Prospect Medical Holdings involved the theft of 500,000 social security numbers, passports, driver’s licenses, corporate documents, and patient records. The attack caused the hospitals to shut down their IT networks to stop the malware spreading.

Launching phishing attacks for initial access, Rhysida affiliates then use compromised RDP and VPN accounts gain system access. Rhysida ransomware uses PowerShell to execute commands, evade defenses, modify registry keys, and download more malware to the compromised endpoint. Using CoboltStrike to achieve persistence, the affiliates infect systems with PsExec, exfiltrate data over the command and control (C2) channel – also used for lateral movement – and encrypt the endpoint’s files. This renders the data inaccessible in a double extortion play. During the operation, Rhysida affiliates delete logs and history files to hinder investigations and response efforts.

Sinking To a New Low

One more recent attack on Lurie Children’s Hospital in Chicago caring for over 239,000 patients found themselves struggling to maintain normal operations, with impacts on scheduling procedures, email, telephone, and access to medical records. The Rhysida ransomware group posted the data on their dark web extortion page and have now claimed they sold the stolen patient data for 60 Bitcoins, about $3.4 Million.

Based on the Tools, Tactics, and Procedures (TTP’s) used in many attacks, it has been speculated that the team behind Rhysida is Vice Society. Thankfully, a team of Korean Researchers found an implementation vulnerability that was then used to create a decryptor. Recent reporting from the Chicago Tribune shows that the hospital’s systems are now mostly back up and running.

Ransoming data and records from a Children’s Hospital show’s that the cybercrime community has sunk to a new low.

To learn more about the technical aspects of the threat, read VMRay’s analysis on Rhysida.