Rhysida Ransomware On the Rise & Sets Its Sights on Healthcare Industry
Category: Ransomware News | Industries: Education, Financial, Government, Healthcare, Insurance, Manufacturing, Technology | Source: Trend Micro
The Rhysida ransomware gang has gained significant attention due to its alleged involvement in disrupting Prospect Medical hospitals on August 3rd, 2023. This incident resulted in outages that impacted 16 hospitals across four states. In a report released by Trend Micro, researchers summarize known activity attributed to Rhysida ransomware observed between May and August 2023. Notably, the group's victim profile favors healthcare organizations, although it does appear to cast a wide net, also targeting education, financial services, government, insurance, manufacturing, and technology. Geographically, the country most impacted by Rhysida has been Indonesia, followed by Germany, the United States, and Israel.
Rhysida infection chains have used phishing emails for initial access, Cobalt Strike for lateral movement, PsExec, and PowerShell scripts that inhibit system monitoring and recovery, followed by the group's ransomware encryptor. "The PowerShell script (g.ps1), detected as Trojan.PS1.SILENTKILL.A, is used by the threat actors to terminate antivirus-related processes and services, delete shadow copies, modify remote desktop protocol (RDP) configurations, and change the active directory (AD) password," as explained in Trend Micro's report. Another notable characteristic of Rhysida is its ransom notes: the actors pose as a "cybersecurity team," issuing warnings to the targeted organization about the compromise of its systems.
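The four behaviours attributed to the pre-encryption script (security tool termination, shadow copy deletion, RDP configuration changes, and domain account password changes), plus PsExec use, are each noisy on their own but form a distinctive cluster when one account performs several of them in a short window. The detection sketch below is an added example written for this page, not code from Trend Micro or from the report. The process-creation events are constructed for the example, the command lines are generic instances of each behaviour (Trend Micro's report does not reproduce the contents of g.ps1, and nothing here claims to), and the MITRE ATT&CK technique IDs and the two-behaviour escalation threshold are the editor's own choices.

```python
import re
from collections import defaultdict

# Constructed, simplified process-creation events carrying the fields a Sysmon
# Event ID 1 or Windows 4688 record would provide. These are invented for the
# example, not telemetry from any incident. The command lines are generic
# examples of each behaviour, not the actual contents of Rhysida's g.ps1.
SAMPLE_EVENTS = [
    {"host": "srv-file01", "user": "CORP\\svc_backup",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv-file01", "user": "CORP\\svc_backup",
     "cmdline": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "srv-file01", "user": "CORP\\svc_backup",
     "cmdline": "reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" "
                "/v fDenyTSConnections /t REG_DWORD /d 0 /f"},
    {"host": "dc01", "user": "CORP\\svc_backup",
     "cmdline": "net.exe user Administrator Hunter2! /domain"},
    {"host": "srv-file01", "user": "CORP\\svc_backup",
     "cmdline": "C:\\Tools\\PsExec.exe -accepteula \\\\ws-042 -s cmd.exe /c whoami"},
    # Benign activity from an unrelated user; must not be flagged.
    {"host": "ws-017", "user": "CORP\\jdoe",
     "cmdline": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE /n report.docx"},
    {"host": "ws-017", "user": "CORP\\jdoe",
     "cmdline": "vssadmin.exe list shadows"},
]

# (rule name, ATT&CK technique, command-line pattern). The technique mapping is
# the editor's assumption, chosen to match the behaviours the report describes.
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|Win32_ShadowCopy", re.I)),
    ("security_tool_tampering", "T1562.001",
     re.compile(r"Set-MpPreference\s+-Disable|\b(sc|net)(\.exe)?\s+stop\s+(WinDefend|Sense|MBAMService)"
                r"|taskkill(\.exe)?\s+.*\b(MsMpEng|MsSense)\b", re.I)),
    ("rdp_config_modification", "T1112",
     re.compile(r"Terminal Server.*fDenyTSConnections|fDenyTSConnections.*Terminal Server", re.I)),
    ("domain_account_password_change", "T1531",
     re.compile(r"\bnet(\.exe)?\s+user\s+\S+\s+\S+\s+/domain|Set-ADAccountPassword", re.I)),
    ("psexec_remote_execution", "T1569.002",
     re.compile(r"\bpsexec(64)?(\.exe)?\b|PSEXESVC", re.I)),
]


def scan(events):
    """Match every event against every rule; return one hit per (event, rule) pair."""
    hits = []
    for ev in events:
        for name, attack_id, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append({"host": ev["host"], "user": ev["user"], "rule": name,
                             "attack": attack_id, "cmdline": ev["cmdline"]})
    return hits


def behaviours_by_user(hits):
    """Collapse hits to the set of distinct behaviours each account exhibited.

    Grouping is by user rather than host because the actor moves laterally: the
    password change lands on the domain controller while the rest hits a file server.
    """
    seen = defaultdict(set)
    for h in hits:
        seen[h["user"]].add(h["rule"])
    return dict(seen)


def escalate(hits, min_behaviours=2):
    """Return accounts showing at least `min_behaviours` distinct pre-encryption behaviours.

    A single shadow-copy deletion may be a backup product; several of these
    behaviours from one account is the staging pattern worth paging on.
    """
    return sorted(user for user, rules in behaviours_by_user(hits).items()
                  if len(rules) >= min_behaviours)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['user']:<18} {h['host']:<10} {h['attack']:<9} {h['rule']}")
    print("escalate:", escalate(found))
```

Run as a script it prints each matched event with its technique and then the accounts that cross the threshold; on the constructed events only the service account is escalated, and the `vssadmin list shadows` and Word launches from the other user produce no hits. In production the same logic would be fed from the SIEM with a time window added to `behaviours_by_user`, since the value of the rule lies in the combination of behaviours, not in any single command.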