Heimdal
article featured image

Contents:

The ransomware operation known as Rhysida has rapidly gained notoriety, especially following a series of attacks on healthcare organizations. This surge has led to heightened vigilance from government agencies and cybersecurity firms, prompting them to closely monitor Rhysida’s activities.

Growing Influence

The spotlight on Rhysida intensified after the U.S. Department of Health and Human Services (HHS) issued a security bulletin alerting the public to the threat.

The ransomware-as-a-service (RaaS) group that has emerged in May 2023, has first grabbed attention in a month later, when it leaked sensitive documents pilfered from the Chilean Army. Initial analysis by SentinelOne suggested that Rhysida’s ransomware was in early stages of development, lacking standard features seen in most strains, such as persistence mechanisms and Volume Shadow Copy wiping.

Global Reach

While its primary targets included education, government, manufacturing, technology, and managed service provider sectors, recent attacks have expanded to the Healthcare and Public Health (HPH) sector. Notably, Rhysida was responsible for a recent cyberattack on Prospect Medical Holdings, which experienced a system-wide outage affecting 17 hospitals and 166 clinics across the United States.

However, the scale of Rhysida’s activities has reached perilous levels, with victims scattered across Western Europe, North and South America, and Australia. For example, a healthcare institution in Australia found itself listed on Rhysida’s dark web data leak site, given a week to pay the ransom before data leakage.

How Rhysida Operates

According to various reports, the threat group typically initiates attacks through phishing emails, employing Cobalt Strike and PowerShell scripts for lateral movement before deploying the ransomware payload. Notably, Rhysida’s PowerShell scripts actively terminate antivirus processes, delete shadow copies, and modify RDP configurations, suggesting ongoing development and evolution of the ransomware’s functionalities.

According to HHS`s security bulletin, the group employs a ransom note threatening public data distribution, aligning with double-extortion practices. These ransom notes, written as PDFs, are deposited in affected folders on targeted drives, with the document content embedded in the binary in plain text.

 Rhysida ransom note, CriticalBreachDetected.pdf

Source

Victims are directed to contact the attackers via a TOR-based portal, using their unique identifier from the ransom note. Rhysida exclusively accepts Bitcoin, offering guidance on its acquisition and use on the victim portal. Once a unique ID is submitted, victims can provide further details like authentication and contact information via an additional form.

The Heimdal® Take

The emergence of Rhysida as a potent ransomware threat, with a particular focus on healthcare and public health sectors, raises significant concerns.

Heightened awareness, robust defenses, and proactive measures are crucial to countering the escalating threat posed by Rhysida and other such threats, as well as their potential implications for various industries.

Heimdal is equipping its clients with an exceptional integrated cybersecurity suite, featuring the Ransomware Encryption Protection module. This module operates entirely without relying on signatures and boasts seamless compatibility with all antivirus solutions, guaranteeing exceptional detection and resolution capabilities for all forms of ransomware, regardless of whether they are fileless or file based.

Heimdal Official Logo
Neutralize ransomware before it can hit.

Heimdal™ Ransomware Encryption Protection

Specifically engineered to counter the number one security risk to any business – ransomware.
  • Blocks any unauthorized encryption attempts;
  • Detects ransomware regardless of signature;
  • Universal compatibility with any cybersecurity solution;
  • Full audit trail with stunning graphics;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Do you work for an NHS Trust? Heimdal is giving you free ransomware licenses to combat growing cyberattacks.

Get your free ransomware protection here.

If you liked this article, follow us on LinkedInTwitterFacebook, and YouTube for more cybersecurity news and topics.

Author Profile

Mihaela Popa

COMMUNICATIONS & PR OFFICER

Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE