The threat group behind the fast-growing Rhysida ransomware-as-a-service operation has claimed credit for an Aug. 19 attack that crippled systems at Singing River Health System, one of Mississippi’s largest healthcare entities.
The attack follows one against California’s Prospect Medical Holdings in August that affected 16 hospitals and more than 160 clinics around the country. The wide scope of that incident prompted an alert from the Health Sector Cybersecurity Coordination Center to other organizations in the industry.
Crippling Attack
The attack on Singing River impacted three hospitals and some 10 clinics belonging to the system and is likely to reinforce Rhysida’s credentials as a growing threat to healthcare organizations in the US. It’s also a reminder of the surging interest in the sector from ransomware actors who, early in the COVID-19 pandemic, had piously vowed to stay away from attacking hospitals and other healthcare entities.
Sergey Shykevich, threat intelligence group manager at Check Point Software, which is tracking the Rhysida operation, says he can confirm the Rhysida group recently posted a small sample of data apparently belonging to Singing River on its leak disclosure site. The group has said it is willing to sell all the data it has from the healthcare system for 30 Bitcoin — or roughly $780,000 at today’s rates. “We sell only to one hand, no reselling you will be the only owner,” the group’s post noted.
Rhysida — named after a genus of centipede — surfaced in May and has quickly established itself as a potent threat in the ransomware space. The group initially targeted organizations in the education, manufacturing, technology, managed service provider, and government sectors. Its attack on Prospect signaled the threat group’s expansion into the healthcare sector.
Check Point first encountered Rhysida when investigating a ransomware attack on an educational institution earlier this year. The security vendor’s investigation into the threat actor’s tactics, techniques, and procedures revealed an overlap with the TTPs of Vice Society, another particularly prolific threat actor that has been targeting the education and health sectors since at least 2021.
The malware itself is a 64-bit Portable Executable Windows encryption app that, according to the Health Sector’s Cybersecurity Coordination Center, still appears to be in the early stages of development. Threat actors are distributing the malware via phishing emails and by using Cobalt Strike and other post-exploit attack tools to drop it on previously compromised systems.
Check Point says its researchers have observed Rhysida actors use a variety of tactics for lateral movement on compromised networks, including via Remote Desktop Protocol, Remote PowerShell sessions, and the PSExec remote admin tool. Like almost every other major ransomware group, Rhysida actors steal data from their victim before encrypting it. They have then used the threat of data exposure as additional leverage to try to extract money from their victims.
A Target-Rich Sector
The Rhysida operation’s expansion into the healthcare space is a reflection of how valuable the sector is for threat actors. For those with criminal intent, healthcare organizations present a veritable treasure trove of personal identity and health information that they can monetize in myriad ways. Threat actors also know that health entities are likely more inclined to negotiate their way out of an attack — by paying a ransom, for instance — to avoid disruptions that can impede their ability to deliver patient care.
“Attacks on healthcare providers have two main significant implications,” Shykevich says. “The hospital’s ability to provide basic services to its patients and [on] the patients’ sensitive data. Following such cyberattacks, the data quickly makes its way to Dark Web markets and forums.”
The attack on Singer Health, for instance, forced the healthcare entity to take all of its internal systems offline and to resort to emergency contingency plans to continue delivering patient care. Critical services like its electronic medical records platforms and access to lab results were temporarily unavailable as the healthcare system fought to recover its systems. If the organization refuses to pay a ransom, its data could end up being sold to the highest bidder.
The attack is one of hundreds of ransomware and other types of incidents on healthcare organizations this year. In the first six months of 2023 alone, the attacks exposed more than 41 million records cumulatively. Data maintained by the US Department of Health and Human Services Office for Civil Rights shows the agency is currently investigating more than 440 incidents that healthcare organizations reported in the first eight months of this year.
A global healthcare cybersecurity study that Claroty conducted earlier this year showed that healthcare technology leaders currently rank ransomware as one of their top three cyberthreats.
“Within Claroty’s Global Healthcare Security Study 2023, 61% of our 1,110 respondents noted a substantial or moderate impact to the quality of care, with another 15% acknowledging severe impacts to patient safety,” says Ty Greenhalgh, healthcare industry principal at Claroty.
Some 43% of ransomware incidents in Claroty’s healthcare cybersecurity study involved ransoms of between $100,000 and $1 million, Greenhalgh says, noting that ransomware attacks on health systems have a ripple effect.
“Hospitals adjacent to healthcare delivery organizations affected by ransomware attacks may see increases in patient census and may experience resource constraints affecting time-sensitive care for conditions such as acute stroke,” he says. “They may also cause disruptions of healthcare delivery at adjacent hospitals within a community and could be considered a regional disaster.”
For some smaller healthcare entities, ransomware can be an existential threat. Earlier this year, St. Margaret’s Health of Illinois announced its decision to cease operations permanently, at least partly because of a crippling 2021 ransomware attack.