It has been claimed that Rhysida, an ever-evolving ransomware group, is responsible for the recent cyberattack on Prospect Medical Holdings during which hospitals and medical facilities in four states have been attacked. As a result, Prospect Medical Holdings was forced to take its systems down earlier this month.
The Prospect Health Group operates 16 hospitals in California, Connecticut, Pennsylvania, and Rhode Island, as well as more than 165 clinics and outpatient facilities throughout these states. According to Callow, many US healthcare systems have been affected by ransomware this year, infecting at least 53 hospitals under their control, and at least 20 of these organizations have had their data stolen as a result of the attack.
The Department of Health and Human Services issued an alert earlier this month to warn people about Rhysida, a ransomware-as-a-service group that first arose in mid-May. The group is currently in its infancy and does not have some advanced features such as plaintext strings that reveal registry modification commands as well as some advanced features such as plaintext strings that display registry management commands.
There have been major attacks on organizations in several sectors including education, government, manufacturing, technology, and managed service providers by Rhysida. As part of its ongoing data leak investigation, the Federal Bureau of Investigation has revealed that most of the data stolen from eleven victims have been uploaded to the threat actor's data leak site between June and the beginning of August.
As a result of a cyberattack launched by the Rhysida ransomware group on Prospect Medical Holdings, the group claims to have gained access to 500,000 social security numbers, confidential corporate records, and patient records from the company.
A ransom note was reportedly displayed on employee screens the day after the attack, warning that their network had been compromised and their devices had been encrypted as a result of the attack, which was believed to have occurred on August 3rd.
There is a claim that Rhysida has more than one terabyte of stolen data on her hands, along with an SQL database containing more than 1.3 terabytes of data. In the listing on the dark web, the group offered to sell the data for 50 bitcoin, which would equate to roughly $1.3 million, based on the listing that was made available.
BleepingComputer later found out that the Rhysida ransomware gang was behind the attack even though PMH did not respond to questions about the security incident. According to current reports, PMH hospital networks, including CharterCare, have been able to successfully restore the functionality of the hospital networks' systems. However, efforts remain ongoing to make sure that patient records are reinstated as soon as possible.
Earlier this month, the Department of Health and Human Services (HHS) warned that the hacker group Rhysida seemed to be responsible for recent attacks against healthcare organizations, with a claim of responsibility for the attack on Prospect Medical.
Described by the Department of Health and Human Services (HHS) as a new ransomware-as-a-service (RaaS) group, Rhysida has emerged since May 2023.
An HHS official said the group encrypts a target's networks through Cobalt Strike and phishing attacks to breach their targets' networks and plant their malicious payloads on those networks.
Once the victim has not paid the ransom, the group threatens the victim by releasing all of the data that has been exfiltrated.
HHS has indicated that Rhysida is still in its infancy and there are limited advanced features that it has developed, as evidenced by its name Rhysida-0.1, and the lack of advanced features.
According to the report, the ransomware also leaves PDF notes in the affected folders instructing victims to contact the group through their portal and pay in Bitcoin.
There are numerous countries across Western Europe, North and South America, as well as Australia that have been affected by Rhysida and its victims.
It is primarily focused on the education, government, manufacturing technology, and managed services industries that are attacked by these cyber criminals.
As exemplified by the attack on PMH, they have recently attacked the healthcare and public health sectors, and this has had a significant impact on the healthcare industry. There have been several ransomware gangs who have claimed credit for attacks in the past, including Rhysida, said Emily Phelps, director at Cyware.