
Rhysida Ransomware Hits Seattle Port in August Attack



As part of its investigation, the Port of Seattle, which also operates Seattle-Tacoma International Airport (SEA), has determined that the Rhysida ransomware gang is responsible for the cyberattack that reached its systems last month and caused delays for travellers. The Port confirmed in a statement released on Friday that the incident was a ransomware attack.

On August 24, the day of the attack, the Port announced that "certain system outages have indicated a possibility of a cyberattack." SEA Airport and its associated facilities remained open after the attack, but passenger displays, Wi-Fi, check-in kiosks, ticketing, baggage handling, and reserved parking were impacted, as were the flySEA application and the Port website.

According to a press release issued on September 13, most of the affected systems were restored within a week of the attack. The Port of Seattle has not yet relaunched its external website or the internal portals that were taken offline while it secured the impacted systems; it reports finding no signs of additional malicious activity.

The Port characterised the incident as a ransomware attack by Rhysida, a criminal group specialising in cybercrime, and said that no new unauthorised activity has been observed on its systems since the day of the attack. In its press release, the Port stressed that it is safe to fly through Seattle-Tacoma International Airport and to use the Port's maritime facilities.

The outages had two causes: the Port's own decision to take systems offline to contain the intrusion, and the gang's encryption of the systems that were not isolated in time. Together these disrupted baggage handling, check-in kiosks, ticketing, wireless Internet, passenger display boards, the Port of Seattle website, the flySEA app, and reservations.

The attack, attributed to the Rhysida group, encrypted some of the data on the Port's computer systems. That encryption, combined with the Port's decision to isolate the impacted systems as quickly as possible, is what caused the delays at Sea-Tac Airport, with baggage services, check-in kiosks, ticketing, Wi-Fi, displays, the Port's website and the flySEA app all affected.

The majority of these issues have since been resolved; however, the airport's website and internal portals remain down as of this writing, according to an update posted by the Port of Seattle. The Port is still not certain how much data, or what kind, was taken by the attackers, and it has said it will not pay the ransom demand. No details have been released about what data was compromised, but given the sector in which the agency operates, the data is likely to be of considerable value.

The Port of Seattle also runs a large amount of automated, data-driven infrastructure, which makes its data valuable to attackers. Among ransomware operations, Rhysida is one of the better-known gangs, particularly for the way it targets organisations that run critical systems for which downtime is not an option.

The group has in the past targeted healthcare organisations such as Lurie Children's Hospital and Prospect Medical Holdings. In the case of Singing River Health System, attacked in August 2023, the number of patients confirmed to be affected by the breach had grown by May 2024 from a few hundred to nearly a million.

The HHS Health Sector Cybersecurity Coordination Center (HC3) has reported that, in addition to educational institutions and the manufacturing industry, the group has targeted the Chilean army as well as universities and hospitals. The US Department of Health and Human Services (HHS) has also implicated Rhysida in attacks against healthcare organisations in the country.

CISA and the FBI issued a joint advisory warning that the gang was carrying out opportunistic attacks across a range of industries and sectors. In November 2023, Rhysida ransomware operators breached Insomniac Games, a subsidiary of Sony, and subsequently leaked 1.67 TB of confidential documents on the dark web after the game development studio declined to meet the group's demand for a $2 million ransom.

Rhysida's affiliates have also been involved in attacks on several other high-profile organizations. The City of Columbus, Ohio, MarineMax (the world's largest retailer of recreational boats and yachts), and the Singing River Health System have all fallen victim to this ransomware group. In particular, Singing River Health System reported that almost 900,000 individuals were notified of a data breach resulting from an August 2023 ransomware attack, in which sensitive personal information was compromised.

UnitedHealth Allegedly Paid $22M Ransom

Change Healthcare breach

There is evidence that the ransomware group behind the Change Healthcare breach, which has caused chaos for hospitals and pharmacies attempting to handle prescriptions, may have received $22 million from UnitedHealth Group.

Security researchers discovered a post on a Russian-language cybercrime forum by an affiliate claiming to work with the ALPHV/BlackCat ransomware group. According to the affiliate, Optum, a subsidiary of UnitedHealth Group, paid $22 million to obtain a decryption key and "prevent data leakage," in order to end the continuing disruption at Change Healthcare, another UnitedHealth subsidiary.

The forum post links to a Bitcoin wallet that appears to have received 350 bitcoins. The security companies Recorded Future and TRM Labs have also linked that same wallet to ALPHV.

$22 Million ransom?

Ironically, the affiliate claims to have been cheated out of that $22 million by the administrators of ALPHV, warning, "Be careful everyone, and stop dealing with ALPHV." The affiliate also claims to still hold 4 TB of data stolen from Change Healthcare.

A representative for UnitedHealth Group stated, "All I can share is that we remain focused on the investigation and recovery of our operations," in response to the alleged Bitcoin payment.

If accurate, $22 million would rank among the largest known ransomware payments, and it comes with no assurance that any of the stolen data will be erased. The current record is a $40 million payment made in 2021 by the insurance giant CNA.

A payment of this size may also embolden ransomware groups to target the US health industry. Two weeks after the ransomware outbreak began, Change Healthcare still reports "connectivity issues" on its platform, and the disruption has prompted members of Congress to request federal funding to cover the interim cost of prescriptions.

Why it is important

The latest provider group to call for action in response to the disruption brought on by the cyberattack is the American Medical Association.

The American Medical Association has requested that the Biden administration provide emergency funding to doctors impacted by the outage.

The AMA wrote to Health and Human Services Secretary Xavier Becerra that physician practices have been forced to go without revenue for the twelfth day due to the cyber-takedown of Change Healthcare. 

The American Medical Association is pleading with Becerra to use all the powers at his disposal to guarantee the survival of medical practices and the provision of necessary treatment to patients.

The bigger picture

In speaking out about the interruptions to payments and operations caused by the compromise at Change, the AMA joins the AHA and MGMA.

UnitedHealth Group's offer of a Temporary Funding Assistance Program to resume hospital payment operations "is not even a band-aid on the payment problems," the American Hospital Association stated in a letter dated March 4 to Dirk McMahon, president and chief operating officer of UnitedHealth Group.

In a letter to the Department of Health and Human Services, MGMA requested enforcement discretion, financial resources, and direction to prevent what it described as a worsening of the negative effects on medical groups.