Health IT, Health Tech

HHS Warns Providers About a New Cybercriminal Gang Attacking the Healthcare Sector

HHS issued an alert warning providers about Rhysida, a ransomware gang that recently begun launching attacks on healthcare organizations. The group deploys its ransomware primarily through phishing attacks or the exploitation of legitimate cybersecurity tools.

The Health Sector Cybersecurity Coordination Center (HC3), which was created by the Department of Health and Human Services, recently warned healthcare providers about a cybercriminal gang called Rhysida.

The group emerged in May — since then, its attacks have mainly been in the education, government, manufacturing, technology and managed service provider sectors. However, the gang has recently begun to launch cyberattacks targeting healthcare organizations, according to HC3’s alert. 

Even though Rhysida is “still in early stages of development,” it has already unleashed ransomware attacks across Western Europe, North and South America, and Australia, the alert said. The group deploys its ransomware primarily through phishing attacks — or the exploitation of Cobalt Strike or similar command-and-control frameworks.

Cobalt Strike is a legitimate cybersecurity product that organizations use for penetration testing. Other cybercriminal gangs, such as Russian groups Black Basta and FIN7, have abused Cobalt Strike in the past to gain network access, HC3 said.

Once Rhysida deploys its malicious software across its victim’s network, the group threatens to publicly distribute the exfiltrated data unless a ransom is paid. The gang also leaves PDF notes on the affected folders, with instructions on how to contact the group via its portal and pay the ransom in Bitcoin.

The group’s logo suggests that its name is a reference to the Rhysida genus of centipede, but little is known about the group’s origins or national affiliation, according to the alert. However, Rhysida has loosely aligned itself with other ransomware groups by avoiding targeting former Soviet Republic or bloc countries and Central Asia’s Commonwealth of Independent States, HC3 said.

Some security researchers also believe there could be a relationship between Rhysida and a cybercriminal gang called Vice Society. This is because both groups mainly target the education sector — with 38% of Vice Society’s attacks and 30% of Rhysida’s attacks victimizing this field.

“Of note, Vice Society mainly targets both educational and healthcare institutions, preferring to attack small-to-medium organizations. If there is indeed a linkage between both groups, then it is only a matter of time before Rhysida could begin to look at the healthcare sector as a viable target,” HC3’s alert warned.

To protect against a potential Rhysida ransomware attack, HC3 advised healthcare organizations to conduct phishing awareness training, segment their networks and use intrusion detection systems. The alert also recommended that healthcare entities virtually patch any software vulnerabilities that hackers have been known to exploit.

“Rhysida exploits known vulnerabilities in software to gain access to systems. Virtual patching can help by providing an immediate layer of protection against known vulnerabilities that the ransomware might exploit. This is especially important when a vendor-supplied patch is not immediately available or cannot be applied right away due to testing requirements,” HC3 said.

Ransomware can have devastating effects on hospitals, as evidenced by last week’s attack on Prospect Medical Holdings. Hackers launched the cyberattack last Thursday, but Prospect-owned hospitals across multiple states are still working to get their systems back online as of Tuesday afternoon.

Photo: Traitov, Getty Images

Shares1
Shares1