Rhysida is known for phishing attacks and abusing legitimate cybersecurity tools. The group said the attack targeted Bayhealth Medical Center, which serves central and southern Delaware.
WHY IT IS IMPORTANT
By showing screenshots of stolen passports and ID cards as evidence, the Rhysida ransomware group gave the nonprofit Bayhealth Hospital a week to pay the ransom and prevent the breach, according to a report Thursday in Security Affairs.
“With only 7 days left on the clock, grab your chance to bid on exclusive, unique and impressive data,” Rhysida announced on its Tor leak site on Wednesday.
“Open your wallet and be ready to buy exclusive data. We only sell to one person, no resale, you are the only owner!”
We have reached out to Bayhealth and will update the story if a statement is issued.
THE BIGGER TREND
While the group has no overt ties to other ransomware groups, it does not target former Soviet republics or bloc countries or the Commonwealth of Independent States in Central Asia, according to an August 2023 alert from the Health Sector Cybersecurity Coordination Center.
HC3 said in the alert that in addition to social engineering attacks, the group is also exploiting known software vulnerabilities on compromised systems after initial deployment of Cobalt Strike or other frameworks similar to Black Basta. The PDF notes left by the group are written as if they are trying to provide a customer service experience.
Rhysida also claimed responsibility for the ransomware attack on Los Angeles-based Prospect Medical Holdings that disrupted care at hospitals and medical centers in Connecticut and several other states that month.
In November, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency issued a joint cybersecurity advisory indicating that the group leases tools through a profit-sharing model.
ON THE RECORD
“Rhysida actors are believed to have engaged in ‘double extortion’ (T1657) – demanding ransom payments to decrypt their victims’ data and threatening to publish the sensitive exfiltrated data unless the ransom is paid,” the FBI and CISA said in their advisory.
Andrea Fox is Editor-in-Chief of Healthcare IT News.
Email address: afox@himss.org
Healthcare IT News is a publication of HIMSS Media.