Client Alert – Ransomware Targeting Healthcare Providers and Other Companies

Over the weekend, a national healthcare chain was struck by a ransomware attack, causing widespread network outages and forcing some patients to be diverted to other hospitals, according to news reports.

Ransomware is a form of malware designed to encrypt files, rendering them and any dependent systems unusable. Malicious actors often demand ransom payments in exchange for the decryption keys.

According to the US Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HC3), the strain of malware used in the attack is known as “Rhysida Ransomware.” Rhysida is a ransomware-as-a-service (RaaS) group that drops ransomware via phishing attacks and a malicious implant on a compromised system that calls back to the attacker and checks for additional commands to execute on the compromised system to breach targets’ networks and deploy their malware. The group threatens to publicly distribute the exfiltrated data if the ransom is not paid. The ransomware also leaves PDF notes on the affected folders, instructing the victims to contact the group via their portal and pay in Bitcoin. Rhysida describes itself as a “cybersecurity team” that aims to help victims highlight potential security issues and secure their networks.

Clients should assess the HC3 Sector Alert, which provides more background on Rhysida, including current indicators of compromise (IOCs) and security recommendations to defend against the Rhysida malware.

Companies, including in the healthcare space, should consider proactive, basic cyber-hygiene as a means of reducing the risk of compromise by ransomware and other malware attacks. Measures include conducting regular vulnerability scanning; maintaining offline, encrypted backups of data; regularly patching and updating software, including operating systems; having a well-exercised incident response plan; and conducting ongoing employee awareness on the consequences of phishing and other forms of social engineering that trick employees to download malware.

For more information on protecting your organization from cyber threats, contact the BRG Cybersecurity and Investigations practice.