CyberSecurity SEE

Ransomware Actors Increasingly Target Healthcare in Recent Rhysida Attacks

The Rhysida ransomware-as-a-service operation has recently claimed responsibility for a devastating attack on Singing River Health System, one of the largest healthcare entities in Mississippi. The attack on August 19th impacted three hospitals and ten clinics within the system, showcasing the growing threat that Rhysida poses to healthcare organizations in the United States.

The attack on Singing River Health System is just one example of the increasing interest from ransomware actors in targeting hospitals and other healthcare entities. Initially, these threat groups had refrained from attacking healthcare organizations, due to the COVID-19 pandemic. However, it seems that the lure of valuable personal identity and health information has become too enticing for them to resist.

Sergey Shykevich, the threat intelligence group manager at Check Point Software, which has been tracking the Rhysida operation, confirms that the group recently posted a small sample of data from Singing River on its leak disclosure site. The group is now offering to sell all the data they have obtained from the healthcare system for a sum of 30 Bitcoin, which amounts to around $780,000 at current rates. It is important to note that the Rhysida group insists on selling the data to only one buyer, preventing any chance of reselling the stolen information.

Rhysida, named after a genus of centipede, emerged in May and has quickly become a potent force in the ransomware landscape. Initially, the group focused its attacks on organizations in the education, manufacturing, technology, managed service provider, and government sectors. However, the attack on Prospect Medical Holdings in August marked their expansion into the healthcare sector.

Check Point first encountered Rhysida during their investigation into a ransomware attack on an educational institution earlier this year. The security vendor’s examination of the threat actor’s tactics, techniques, and procedures revealed an overlap with another prolific threat actor known as Vice Society. Vice Society has been targeting the education and health sectors since at least 2021, and there are clear similarities between their methods and those used by Rhysida.

The malware used by Rhysida is a 64-bit Portable Executable Windows encryption app that is still in the early stages of development, according to the Health Sector’s Cybersecurity Coordination Center. The threat actors distribute the malware through phishing emails and by utilizing tools like Cobalt Strike and other post-exploit attack tools to drop it onto compromised systems.

Once the malware infects a network, Rhysida actors employ various tactics for lateral movement, including Remote Desktop Protocol, Remote PowerShell sessions, and the PsExec remote admin tool. Like other major ransomware groups, Rhysida steals data from its victims before encrypting it. They then use the threat of exposing the stolen data as an additional bargaining chip to extract money from their victims.
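For defenders, the three lateral-movement channels named above each leave a distinct trace in Windows event logs. The following is an added example, not part of the original article: it flags accounts that reach several hosts over RDP, PsExec or PowerShell remoting. The flattened record layout, host names and account names are constructed assumptions; the event IDs (4624, 7045, 4688) are the standard Windows ones.

```python
from collections import defaultdict

# Constructed sample records, flattened from Windows event logs by an assumed
# log pipeline; hosts, accounts and the "user" attribution are illustrative.
EVENTS = [
    {"host": "ehr-app1", "id": 4624, "LogonType": 10, "user": "svc_backup"},
    {"host": "lab-db1", "id": 7045, "ServiceName": "PSEXESVC", "user": "svc_backup"},
    {"host": "fs-02", "id": 4688, "user": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\wsmprovhost.exe"},
    {"host": "ws-114", "id": 4624, "LogonType": 10, "user": "jdoe"},
    {"host": "ws-114", "id": 4624, "LogonType": 2, "user": "jdoe"},
    {"host": "fs-02", "id": 7045, "ServiceName": "Spooler", "user": "SYSTEM"},
]

def classify(ev):
    """Map one event to the remote-access channel it indicates, or None."""
    # 4624 with LogonType 10 is a RemoteInteractive (RDP) logon.
    if ev["id"] == 4624 and ev.get("LogonType") == 10:
        return "rdp"
    # 7045 is a service install; PSEXESVC is PsExec's default service name
    # (it can be renamed, so this catches only the default).
    if ev["id"] == 7045 and ev.get("ServiceName", "").upper() == "PSEXESVC":
        return "psexec"
    # wsmprovhost.exe hosts inbound PowerShell remoting (WinRM) sessions.
    if ev["id"] == 4688 and ev.get("NewProcessName", "").lower().endswith("\\wsmprovhost.exe"):
        return "ps-remoting"
    return None

def fan_out(events, min_hosts=3):
    """Return accounts seen on at least min_hosts hosts via remote channels."""
    seen = defaultdict(lambda: {"hosts": set(), "channels": set()})
    for ev in events:
        channel = classify(ev)
        if channel:
            seen[ev["user"]]["hosts"].add(ev["host"])
            seen[ev["user"]]["channels"].add(channel)
    return {user: {"hosts": sorted(v["hosts"]), "channels": sorted(v["channels"])}
            for user, v in seen.items() if len(v["hosts"]) >= min_hosts}

if __name__ == "__main__":
    for user, hit in fan_out(EVENTS).items():
        print(user, hit)
```

A single account appearing on multiple hosts through more than one of these channels in a short window is the pattern worth alerting on; the threshold should be tuned against normal administrator activity.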

The expansion of the Rhysida operation into the healthcare sector underscores the value that threat actors see in targeting this industry. Healthcare organizations possess vast amounts of personal identity and health information, which can be monetized in various ways. Additionally, these entities are often more inclined to negotiate, including by paying a ransom, to avoid disruptions that may hinder their ability to deliver patient care.

The attack on Singing River Health System forced the organization to take all its internal systems offline and rely on emergency contingency plans to continue providing patient care. Essential services like electronic medical records platforms and access to lab results were temporarily unavailable during the recovery process. If the organization refuses to pay the ransom, the stolen data could be sold to the highest bidder, further increasing the potential harm caused by the attack.

Unfortunately, the attack on Singing River is just one of many ransomware incidents that have targeted healthcare organizations this year. In the first six months of 2023 alone, these attacks exposed over 41 million records. The US Department of Health and Human Services Office for Civil Rights is currently investigating more than 440 incidents reported by healthcare organizations in the first eight months of this year.

A global healthcare cybersecurity study conducted by Claroty earlier this year revealed that healthcare technology leaders consider ransomware one of their top three cyber threats. The study showed that 61% of respondents noted a substantial or moderate impact on the quality of care due to ransomware attacks, with another 15% acknowledging severe impacts on patient safety.

Ransomware attacks on health systems can have wide-ranging effects, not only on the targeted organization but also on neighboring hospitals within a community. These attacks can strain resources and impact the delivery of time-sensitive care, potentially causing disruptions that extend beyond a single institution.

In some cases, ransomware can be an existential threat to smaller healthcare entities. St. Margaret’s Health of Illinois, for example, recently announced its permanent closure due, at least in part, to a crippling ransomware attack in 2021.

As the threat landscape continues to evolve, healthcare organizations must remain vigilant and prioritize cybersecurity measures to protect both patient data and the continuity of care. Collaborative efforts between government agencies, cybersecurity vendors, and healthcare entities can help identify and mitigate potential threats, ensuring the stability and security of the healthcare sector.
