HC3 warns of the Rhysida ransomware 'Cybersecurity Team'
The Health Sector Cybersecurity Coordination Center released an alert this month warning the healthcare sector about a new ransomware-as-a-service group known as Rhysida and advised all healthcare organizations to take action now to avoid data exfiltration.
Increased interest in healthcare attacks
The Rhysida Group emerged in May on the dark web with a victim support chat portal, according to an Aug. 4 HC3 alert.
Named after the Rhysida genus of centipede, the group is said to be responsible for widespread cyberattacks on victims including the Chilean Army and a number of educational institutions. Its victims in Western Europe, North and South America, and Australia are primarily in the education, government, manufacturing, technology and managed service provider sectors, HC3 said.
However, there have been "recent attacks against the healthcare and public health sector," according to the agency.
Online hearsay said the ransomware attack on Prospect Medical Holdings of Los Angeles that disrupted care at hospitals and medical centers in Connecticut late last week could be a Rhysida attack.
Other hospitals and clinics in Pennsylvania, Rhode Island and Texas may also have been affected by that attack.
HC3 said the only known affiliation the Rhysida Group may have is with Vice Society, another group that the Cybersecurity and Infrastructure Security Agency said targets the education sector.
"Although the national origin of this group is unknown, it is noted that the group primarily targets organizations in Western nations," said John Riggi, the American Hospital Association's national advisor for cybersecurity and risk, in a statement Friday on the AHA website.
A 'customer service' experience
According to Ransomlook.io, Rhysida's ransom note reads as if it is providing customer service support and sounds like it could have been written by an AI program such as ChatGPT:
Rest assured, our team is committed to guiding you through this process. The journey to resolution begins with the use of the unique key. Together, we can restore the security of your digital environment. Best regards.
This past month, a joint alert from U.S. Health and Human Services and HC3 addressed some of the ways generative artificial intelligence and large language models may be helping cyber actors hone their craft – including correcting grammar and sentence structure.
The group's dark web victim blog also reportedly offers media information, including recent coverage, and contact information should anyone wish to reach out, said HC3. But despite appearing to be helpful, the group's threats to expose stolen data are serious.
"Since June, the threat actor has already added at least eight victims to its dark web data leak site and has published all stolen files for five of them," the agency said.
The alert notes that Rhysida exploits known vulnerabilities to gain access, and that its encryption uses a 4096-bit RSA key together with the ChaCha20 algorithm. Once the encryption parameters are established, Rhysida enumerates the files and folders connected to the system, encrypts them, and then calls PowerShell to delete its own binary after encryption has been completed.
"It is strongly recommended that hospitals and health systems prioritize this alert, enter the malware signatures into network defenses and implement risk mitigation procedures as soon as possible," Riggi added.
The HIMSS 2023 Healthcare Cybersecurity Forum explores how the industry is fortifying its defenses today and preparing strategies for the future. It's scheduled for Sept. 7-8 in Boston. Learn more, review the schedule and register on HIMSS.org.