Ransomware Actors’ Recent Rhysida Attacks Highlight a Rising Threat on HealthCare Institutions


The threat organisation behind for the rapidly expanding Rhysida ransomware-as-a-service operation has claimed responsibility for an Aug. 19 attack that disrupted systems at Singing River Health System, one of Mississippi’s leading healthcare facilities. 

The attack comes on the heels of one in August against California’s Prospect Medical Holdings, which affected 16 hospitals and more than 160 clinics across the country. The extensive nature of the incident caused the Health Sector Cybersecurity Coordination Centre to issue a notice to other organisations in the industry. 

Fatal attack

The attack on Singing River impacted three hospitals and ten clinics in the system, and it is expected to solidify Rhysida’s reputation as a growing threat to healthcare organisations in the United States. It’s also a reminder of the growing interest in the sector from ransomware perpetrators, who pledged early in the COVID-19 outbreak not to target hospitals or other healthcare facilities. 

Check Point Software’s threat intelligence group manager, Sergey Shykevich, who is tracking the Rhysida operation, says he can confirm the Rhysida group has disclosed only a small portion of data allegedly belonging to Singing River on its leak disclosure site. 

The gang has stated that it is willing to sell all of the data it has acquired from the healthcare system for 30 Bitcoin, which is approximately $780,000 at today’s pricing. “We sell only to one hand, no reselling, you will be the sole owner,” the group stated in a Facebook post. 

After debuting in May and quickly establishing itself as a serious threat in the ransomware world, Rhysida—named after a kind of centipede—has gained widespread attention. The group first targeted organisations in the government, managed service provider, education, manufacturing, and technology sectors. The threat group entered the healthcare industry with its attack on Prospect. 

Earlier this year, when looking into a ransomware attack on a university, Check Point first came across Rhysida. The threat actor’s tactics, techniques, and procedures were examined by the security vendor, who found similarities between them and the TTPs of Vice Society, another extremely active threat actor that has been focusing on the health and education sectors since at least 2021. 

Lucrative target

The expansion of the Rhysida operation into the field of healthcare shows how significant the sector is to threat actors. Healthcare organisations offer a real gold mine of personal identity and health information that can be profited from in a variety of ways for individuals with illicit motives. 

Threat actors are also aware that health organisations are more willing to pay a ransom to bargain their way out of an attack and prevent disruptions that could impair their ability to deliver patient care.

“Attacks on healthcare providers have two main significant implications,” Shykevich explained. “The hospital’s ability to provide basic services to its patients and [on] the patients’ sensitive data. Following such cyberattacks, the data quickly makes its way to Dark Web markets and forums.” 

This attack is simply one of many ransomware and other types of incidents that have targeted healthcare organisations this year. The attacks uncovered a total of more than 41 million records in the first half of 2023 alone. According to data maintained by the Office for Civil Rights of the US Department of Health and Human Services, the organisation is now looking into more than 440 incidents that healthcare organisations reported during the first eight months of this year.

%d bloggers like this: