In the wake of a series of healthcare sector breaches, the Rhysida ransomware operation has risen to prominence, prompting government agencies and cybersecurity entities to closely monitor its activities.
Following a security advisory by the U.S. Department of Health and Human Services (HHS), multiple security companies have issued comprehensive reports on Rhysida, each delving into distinct facets of the threat group's operations.
Rhysida initially garnered attention in June for leaking pilfered data from the Chilean Army (Ejército de Chile) on its data leak platform.
An early analysis by SentinelOne revealed that the Rhysida encryptor was in its fledgling stages, lacking conventional features like persistence mechanisms, Volume Shadow Copy wiping, and process termination.
The ransom note employed by Rhysida reads, "This is an automated alert from cybersecurity team Rhysida," revealing that the victim's digital ecosystem has been compromised, leading to the theft of confidential data.
In contrast to certain ransomware operations that disclaim targeting healthcare organizations, Rhysida takes a divergent approach. The ransom note lists an Australian healthcare institution, granting them a week to remit the ransom before exposing the stolen data.
The U.S. HHS bulletin warned that despite Rhysida's use of basic tactics, the scale of its operations has grown alarmingly, with a heightened focus on healthcare and the public sector.
Trend Micro's report spotlights Rhysida's prevalent attack chain, emphasizing the utilization of phishing emails for initial access, followed by Cobalt Strike and PowerShell scripts, culminating in the deployment of the locker.
Interestingly, Rhysida's operators deploy external scripts to achieve tasks typically handled by ransomware encryptors, showcasing active development. Cisco Talos confirms that Rhysida's most recent locker iteration deploys a 4096-bit RSA key and the ChaCha20 algorithm for encryption, excluding specific directories and filetypes.
Check Point's report establishes a connection between Rhysida and the defunct Vice Society ransomware operation, based on victim publishing timelines and targeting patterns. Jess Parnell, VP of Security Operations at Centripetal, weighed in on the threat of Rhysida and what healthcare organizations can do to protect themselves:
"It’s not surprising that Rhysida is targeting the healthcare sector, which holds valuable patient data and faces pressure to pay and restore lifesaving services quickly. In order to protect against ransomware attacks, healthcare operators should implement the basics of good cyber defense - adopt least privileged access to sensitive information, train employees to identify phishing and other social engineering attacks, and keep all software patches up to date.
In addition, healthcare organizations should implement a level of proactive cyber intelligence that shields against the tactics and techniques of Rhysida and other known threats. This makes existing network inspection solutions 100x more efficient while also helping overcome the ongoing cybersecurity skills gap."