HC3 has alerted healthcare organizations to the Rhysida ransomware group, advising immediate action to prevent data breaches. This group, known for mimicking customer support in ransom notes, may use phishing tactics and deploy Cobalt Strike or similar tools. Rhysida, associated with cyberattacks on various sectors globally, is suspected of healthcare disruptions. The ransom note adopts a helpful tone, and AI language generation might be involved. Despite appearances, the group threatens data exposure. HC3 urges healthcare entities to prioritize security measures. The upcoming HIMSS 2023 Healthcare Cybersecurity Forum in Boston explores industry defense strategies.
The Health Sector Cybersecurity Coordination Center (HC3) has issued a cautionary alert regarding a new ransomware syndicate referred to as “Rhysida,” urging healthcare entities to promptly take preventive measures against potential data breaches. The group is recognized for its ransom note that cleverly mimics a typical customer support ticket. Their modus operandi might entail utilizing phishing tactics to infiltrate health system networks or distributing malicious payloads across compromised systems. They often deploy tools like Cobalt Strike or similar frameworks as initial steps.
The emergence of the Rhysida Group on the dark web, featuring a victim support chat interface, was reported in May. HC3, in an alert dated August 4th, disclosed that the group’s name is a nod to the Rhysida genus of centipedes. Their operations have been responsible for extensive cyber assaults on various targets, including the Chilean Army and numerous educational institutions. Notably, their victims are largely concentrated in Western Europe, North and South America, and Australia, spanning sectors like education, government, manufacturing, technology, and managed service providers. HC3 also highlighted recent instances of attacks targeting healthcare and public health sectors.
Suspicion has arisen regarding the Rhysida Group’s involvement in a ransomware attack on Prospect Medical Holdings in Los Angeles, which disrupted healthcare services in Connecticut. Similar attacks might have affected medical facilities in Pennsylvania, Rhode Island, and Texas.
HC3 identified a potential affiliation between the Rhysida Group and Vice Society, a cyber collective known for targeting the education sector. John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk, noted that while the group’s origin remains uncertain, its focus appears to be primarily on organizations in Western nations.
Rhysida’s ransom note, as per Ransomlook.io, adopts a tone reminiscent of customer service support, leading some to speculate that it could be generated by AI language models like ChatGPT. The note projects a cooperative approach toward resolving the situation while emphasizing the restoration of digital security.
A joint alert from the U.S. Health and Human Services and HC3 recently highlighted the potential use of generative AI and large language models in refining cyber attacks, including aspects such as grammar correction and sentence structure enhancement.
Despite the apparent helpfulness projected through its dark web victim blog, the Rhysida Group is resolute in its threats to expose purloined data. HC3 revealed that the group has already added eight victims to its data leak site, publishing stolen files for five of them since June.
The alert delineates Rhysida’s exploitation of known vulnerabilities for unauthorized access during encryption, utilizing a 4096-bit RSA key combined with the ChaCha20 algorithm. After encryption, Rhysida conducts a comprehensive scan of files and directories linked to the system, followed by a PowerShell command to delete the binary post-encryption.
John Riggi recommended healthcare establishments give high priority to this alert, incorporating malware signatures into network defenses and adopting risk mitigation measures without delay.
The upcoming HIMSS 2023 Healthcare Cybersecurity Forum, scheduled for September 7-8 in Boston, will delve into the strategies and actions healthcare enterprises are undertaking to bolster their cybersecurity protocols in the face of evolving threats. Detailed information and registration can be accessed on HIMSS.org.
