The 16 hospitals struck down by ransomware last week are still dealing with the fallout from the attack. The healthcare facilities located in Connecticut, Pennsylvania, Rhode island, and California had the ransomware attack confirmed by the FBI. Issues started to emerge last Thursday with patients diverted to other locations and some operations put on hold.
The AP reported that staff were forced to resort to pen and paper and manually running records to different departments. When dealing with potentially critical health issues, every second counts, and this is especially the case where so much critical healthcare equipment is reliant on networks and interconnected digital systems.
A recent Facebook update from Waterbury Hospital, CT reads as follows:
Our computer systems continue to be down throughout the network. We are following downtime procedures including the use of paper records. The outage has affected some of our outpatient services, mostly diagnostic imaging and blood draw and some patient appointments. We have contacted and will continue to contact any affected patients.
The post also states that a diagnostic radiology department is affected.
At the time of the attack, no ransomware group had claimed responsibility for the network breach. Now, according to The Record, several sources told Recorded Future News that the ransomware group behind this widespread attack is Rhysida. It’s standard practice that law enforcement will not comment on a ransomware group directly while an investigation is taking place.
What’s interesting given the alleged claims from sources is that the US Department of Health and Human Services recently published a warning to hospitals last week about this specific group. The document said about Rhysida:
Rhysida is a new ransomware-as-a-service (RaaS) group that has emerged since May 2023. The group drops an eponymous ransomware via phishing attacks and Cobalt Strike to breach targets’ networks and deploy their payloads. The group threatens to publicly distribute the exfiltrated data if the ransom is not paid. Rhysida is still in early stages of development, as indicated by the lack of advanced features and the program name Rhysida-0.1.
The ransomware also leaves PDF notes on the affected folders, instructing the victims to contact the group via their portal and pay in Bitcoin. Its victims are distributed throughout several countries across Western Europe, North and South America, and Australia. They primarily attack education, government, manufacturing, and technology and managed service provider sectors; however, there has been recent attacks against the Healthcare and Public Health (HPH) sector.
The HHS notes that the ransomware is relatively new. When it first made an appearance on our Ransomware Review in July of this year, we said the following:
Rhysida, a new ransomware gang claiming to be a "cybersecurity team," has been in operation since May 17, 2023, making headlines for their high-profile attack against the Chilean Army.
The gang published a whopping eighteen victims on their leak site in June, making it one of the most prolific newcomers in our month reviews to-date.
In terms of how Rhysia spreads, the primary methods of infection include phishing attacks, and dropping payloads across compromised systems once Cobalt Strike or other command and control frameworks are in place. Once the ransomware has taken hold, the group uses tried and tested double threat extortion tactics. A ransom note threatens to distribute stolen data publicly unless the ransom is paid.
The threat isn’t “just” locked computers, or patients unable to be assisted. There’s the very real possibility of said patients having their medical or other personal data thrown online for all to see.
Some ransomware groups won’t touch medical attacks for fear of reprisals. On many occasions where a medical facility or healthcare provider has been attacked, those responsible will apologise and provide free decryption tools. Others will do much the same thing alongside blaming rogue affiliates.
Certain attacks simply draw too much heat and generate waves of negative publicity for the culprits. If your entire gimmick is that you can (just about) be trusted to unlock PCs and return data if you receive a ransom, taking down hospitals will not encourage others to trust you.
All this leads to in the long term is a probable drop in ill-gotten gains, and you can bet the ransomware authors would prefer that to not be the case.
Hopefully, all of the impacted healthcare operations will be back up and running soon. We'd suggest anyone potentially affected keep in touch with their local hospital and pay attention to the updates page for more information.
How to avoid ransomware
- Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
- Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
- Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
- Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
- Don’t get attacked twice. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.