HC3 Sounds Alarm About Rhysida Ransomware Group
The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a security alert about a new ransomware group – Rhysida – which is conducting high-impact attacks across multiple industry sectors. Attacks have been conducted in North and South America, Western Europe, and Australia, with the United States, Italy, Spain, and the United Kingdom having suffered the most attacks. The primary targets appear to be in the education, government, manufacturing, and technology sectors, although the group has conducted some attacks on the healthcare and public health (HPH) sector.
Rhysida is a ransomware-as-a-service operation that recruits affiliates to conduct attacks using its ransomware variant in exchange for a percentage of any ransom payments they generate. The group was first identified in May 2023, and its ransomware variant appears to still be in the early stages of development as it lacks the advanced features seen in the ransomware variants used by more established threat groups.
Rhysida ransomware is deployed after initial access to victims’ networks has been established through phishing attacks and the exploitation of vulnerabilities in software. The Cobalt Strike attack framework is deployed on compromised systems and used to deliver the ransomware payload. The ransomware uses a 4096-bit RSA key with the ChaCha20 algorithm to encrypt files and a PDF ransom note is dropped on the encrypted drives, which demands payment in Bitcoin for the keys to decrypt data and prevent the publication of stolen data. The ransom amount is not stated in the notes. Victims are required to make contact with the threat group via TOR to negotiate payment. Rhysida was behind a recent attack on the Chilean Army and has listed 8 attacks on its data leak site to date, and published stolen data from five of those attacks.
Security researchers have yet to confirm a connection between the Rhysida ransomware-as-a-service operation and other ransomware or cybercriminal groups, although some researchers believe there may be a link with the Vice Society group, which also primarily targets the education sector. HC3 has shared Indicators of Compromise (IoCs) in the alert to help network defenders detect attacks, along with several proactive steps that healthcare organizations can take to harden their defenses and prevent attacks.
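Alerts like this one usually publish IoCs in defanged form (hxxp://, [.]), so the first practical step for a defender is to refang and classify them before searching logs. The script below is an added example, not code from HC3 or HIPAA Journal: the indicator values and log lines are constructed placeholders (the real IoCs are in the HC3 alert and must be substituted in), and the "refang, classify, match" logic is a generic approach rather than anything the alert prescribes.

```python
import re
from ipaddress import ip_address

# Constructed placeholder indicators written in the defanged style alerts commonly use.
# These are NOT the IoCs from the HC3 alert; paste the alert's real values here instead.
ALERT_IOCS = """
hxxp://example-c2[.]invalid/payload
203[.]0[.]113[.]45
md5: d41d8cd98f00b204e9800998ecf8427e
sha256: 0000000000000000000000000000000000000000000000000000000000000000
"""

# Constructed sample log lines (proxy and EDR style) for demonstration only.
LOG_LINES = [
    '2023-08-10T12:01:33Z proxy src=10.0.0.8 dst=203.0.113.45 '
    'url="http://example-c2.invalid/payload" action=allow',
    '2023-08-10T12:02:10Z edr host=ws-17 file=C:\\Users\\a\\update.exe '
    'sha256=0000000000000000000000000000000000000000000000000000000000000000',
    '2023-08-10T12:03:00Z proxy src=10.0.0.9 dst=198.51.100.7 url="https://example.com/" action=allow',
]


def refang(value: str) -> str:
    """Reverse common defanging ([.], (.), hxxp) so an indicator can be compared with raw log text."""
    v = value.strip()
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", v)
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v


def classify(ioc: str) -> tuple[str, str]:
    """Return (kind, normalized value) where kind is url, ip, hash or domain."""
    low = ioc.lower()
    if low.startswith(("http://", "https://")):
        return "url", low
    try:
        ip_address(ioc)
        return "ip", ioc
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", low):  # md5 / sha1 / sha256
        return "hash", low
    return "domain", low


def parse_iocs(text: str) -> list[tuple[str, str]]:
    """Parse one indicator per line, dropping 'md5:'-style labels and blank lines."""
    out = []
    for line in text.splitlines():
        line = re.sub(r"^(md5|sha1|sha256)\s*:\s*", "", line.strip(), flags=re.IGNORECASE)
        if line:
            out.append(classify(refang(line)))
    return out


def scan_logs(iocs: list[tuple[str, str]], lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (line index, kind, indicator) for every indicator found in a log line.

    IP addresses are matched as whole tokens so 203.0.113.4 does not fire on 203.0.113.45.
    """
    hits = []
    for idx, line in enumerate(lines):
        low = line.lower()
        for kind, value in iocs:
            if kind == "ip":
                if re.search(r"(?<![\d.])" + re.escape(value) + r"(?![\d.])", line):
                    hits.append((idx, kind, value))
            elif value in low:
                hits.append((idx, kind, value))
    return hits


if __name__ == "__main__":
    for idx, kind, value in scan_logs(parse_iocs(ALERT_IOCS), LOG_LINES):
        print(f"line {idx}: {kind} indicator {value}")
```

In practice the IoC text would be read from the alert and the log lines streamed from a SIEM export; the matching rules stay the same, and the IP token check is the part most often missing from quick grep-based sweeps.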
Update: A free decryptor has been developed that could help victims of Rhysida ransomware attacks recover their files without paying a ransom.