The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HC3 Sounds Alarm About Rhysida Ransomware Group

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a security alert about a new ransomware group – Rhysida – which is conducting high-impact attacks across multiple industry sectors. Attacks have been conducted in North and South America, Western Europe, and Australia, with the United States, Italy, Spain, and the United Kingdom having suffered the most attacks. The primary targets appear to be in the education, government, manufacturing, and technology sectors, although the group has conducted some attacks on the healthcare and public health (HPH) sector.

Rhysida is a ransomware-as-a-service operation that recruits affiliates to conduct attacks using its ransomware variant in exchange for a percentage of any ransom payments they generate. The group was first identified in May 2023, and its ransomware variant appears to still be in the early stages of development as it lacks the advanced features seen in the ransomware variants used by more established threat groups.

Rhysida ransomware is deployed after initial access to victims’ networks has been established through phishing attacks and the exploitation of vulnerabilities in software. The Cobalt Strike attack framework is deployed on compromised systems and used to deliver the ransomware payload. The ransomware uses a 4096-bit RSA key with the ChaCha20 algorithm to encrypt files. A PDF ransom note is dropped on the encrypted drives, demanding payment in Bitcoin for the keys to decrypt data and to prevent the publication of stolen data. The ransom amount is not stated in the notes. Victims are required to make contact with the threat group via Tor to negotiate payment. Rhysida was behind a recent attack on the Chilean Army and has listed 8 attacks on its data leak site to date, publishing stolen data from five of those attacks.

Security researchers have yet to confirm a connection between the Rhysida ransomware-as-a-service operation and other ransomware or cybercriminal groups, although some security researchers believe there may be a link with the Vice Society group, which also primarily targets the education sector. HC3 has shared Indicators of Compromise (IoCs) in the alert to help network defenders detect attacks, along with several proactive steps that healthcare organizations can take to harden their defenses and prevent attacks.


Update: A free decryptor has been developed that could help victims of Rhysida ransomware attacks recover their files.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
