
Rhysida Claims Attack on Bayhealth Hospital



Known for spear phishing attacks and exploiting legitimate cybersecurity tools, Rhysida claims to have attacked Bayhealth Medical Center, which serves central and southern Delaware.

WHY IT MATTERS

According to a report Thursday in the journal Security Affairs, the Rhysida ransomware group gave the nonprofit Bayhealth Hospital one week to pay the ransom and avoid a data breach, providing screenshots of stolen passports and ID cards as evidence.

“With only 7 days left, grab your chance to bid on exclusive, unique and impressive data,” Rhysida announced on its Tor leak site on Wednesday.

“Open your wallet and get ready to buy exclusive data. We only sell to one person, no resale, you will be the sole owner!”

We have reached out to Bayhealth and will update the story if new information becomes available.

THE BIGGER TREND

According to an August 2023 alert from the Healthcare Cybersecurity Coordination Center, while the group has no clear connection to other ransomware groups, it has avoided targeting former Soviet republics or bloc countries and the Commonwealth of Independent States in Central Asia.

In addition to social engineering attacks, the group also exploits known vulnerabilities in software on compromised systems after deploying Cobalt Strike or other frameworks, similar to Black Basta, HC3 said in its alert. The PDF notes that the group left behind were written as if to provide a customer service experience.

Rhysida also claimed a ransomware attack on Prospect Medical Holdings in Los Angeles that disrupted care at hospitals and medical centers in Connecticut and several other states that month.

Then in November, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency issued a joint cybersecurity advisory saying the group rents out tools through a revenue-sharing model.

ON THE RECORD

“Rhysida actors are allegedly involved in ‘double blackmail’ [T1657] – demanding payment of a ransom to decrypt the victim’s data and threatening to release the stolen sensitive data unless the ransom is paid,” the FBI and CISA said in their announcement.

Andrea Fox is senior editor of Healthcare IT News.

Healthcare IT News is a publication of HIMSS Media.
