The healthcare and public health (HPH) sector has been warned about a new ransomware-as-a-service (RaaS) group – Rhysida – that has been active since at least May 2023. According to the Health Sector Cybersecurity Coordination Center (HC3), the ransomware used in the attacks lacks advanced features and is thought to be in the early stages of development; however, it has already been successfully used in several attacks in Europe, Australia, and North and South America. While the group is thought to target the education, government, and manufacturing sectors, some healthcare organizations have been attacked. The group has only been in operation for a short time but has already demonstrated it poses a significant threat.
Relatively little is known about the group, including its country of origin, but like many other ransomware groups, it does not conduct attacks in the former Soviet republics and Eastern Bloc countries, nor in the Central Asian countries of the Commonwealth of Independent States. The majority of the attacks conducted by the group to date have been in the United States, United Kingdom, Italy, and Spain. Security researchers believe there is a relationship between Rhysida and the Vice Society ransomware group, which is known to target the healthcare sector.
The group exploits known vulnerabilities in software and operating systems and uses phishing to gain initial access to victim networks. The group has been observed deploying Cobalt Strike and other attack frameworks, along with various legitimate tools, for lateral movement and data exfiltration. The group engages in double extortion tactics, where data of value is identified and exfiltrated prior to file encryption. Ransom demands are issued, and payment is required both to obtain the keys to decrypt data and to prevent the release of stolen data on the group’s data leak site. The group has already demonstrated that it is willing to follow through on its threats, having published the data of 5 organizations that failed to pay the ransom.
Ransomware attacks on healthcare organizations can cause considerable disruption to operations and put patient safety at risk. It is therefore important for healthcare organizations to ensure they implement mitigations and harden their security defenses to defend against attacks. Since phishing is a known Rhysida ransomware attack vector, healthcare organizations should ensure they provide phishing awareness training to all employees to help them identify and avoid phishing attempts.
HC3 recommends virtual patching to provide an immediate layer of protection against vulnerabilities the threat actors may attempt to exploit, especially when it is not possible to apply patches immediately or when vendors have yet to release patches for known flaws. Endpoint security solutions should be implemented that continuously scan all entry points into a network, monitor network activity for suspicious behavior, and analyze all incoming data. Immutable backups that are resistant to modification and deletion should also be maintained to ensure that data can be recovered in the event of an attack.