Rhysida Group Announces PAMI Cyber Attack, Imposes 6 Day Deadline

The Rhysida ransomware group has targeted one of the largest public health insurance agencies for the elderly in Latin America, the National Institute of Social Services for Retirees and Pensioners (PAMI). The group announced the cyber attack on its dark web portal and set a deadline of six days. Screenshots of the attack were tweeted by the threat intelligence platform Falcon Feeds.

The targeted website was inaccessible at the time of writing, indicating the success of the attack. The ransomware group demanded 25 BTC in exchange for the stolen data from the PAMI data breach. Samples of the exfiltrated data, including identity cards with people’s photos, were posted as proof of the breach.

In a message on their dark web portal, the Rhysida group threatened to leak the stolen data and called for buyers on the dark web to purchase it. The group urged potential buyers to “seize the opportunity to bid on exclusive, unique, and impressive data.”

PAMI is a public health insurance agency in Argentina, catering to senior citizens and veterans of the Falklands War. It operates under the Ministry of Health and provides free medicines to 650,000 pensioners and retirees. With over 4 million enrollees, PAMI serves a significant portion of the elderly population in Latin America.

The Rhysida ransomware group, discovered in May 2023, is known for using ChaCha20 encryption in its payload. The group primarily reaches its victims through phishing emails and deploys its payload using tools such as Cobalt Strike. Its ransom notes are typically written as PDF documents and saved in the affected folders of the targeted system.

This attack on PAMI is not the first instance of the Rhysida ransomware group targeting the healthcare sector. They have previously carried out cyber attacks on organizations like Ejercito de Chile and Prospect Medical Holdings. In both cases, they leaked data from the breaches on their dark web portal. The cyber attack on Prospect Medical Holdings resulted in a system outage that impacted all of its facilities and clinics across the U.S.

The motivations behind the Rhysida ransomware group’s targeting of healthcare organizations are unclear. However, the healthcare sector is often a lucrative target for cyber criminals due to the sensitive nature of the data it holds. These attacks highlight the importance of robust cybersecurity measures in the healthcare industry to protect patient data and prevent disruptions to critical healthcare services.

The Ministry of Health of Argentina, the parent agency of PAMI, has been contacted for comments on the hacker claims. This report will be updated based on their response.

It is important to note that the information provided in this report is based on internal and external research obtained through various means. The accuracy and consequences of using this information are the responsibility of the users, and The Cyber Express assumes no liability for any inaccuracies or consequences resulting from its use.

Related:
– The cyber attack on Ejercito de Chile by the Rhysida ransomware group
– Prospect Medical Holdings cyber attack suspected to be by Rhysida
