
The ransomware attack that began August 3rd, in which several US hospitals were forced to stay offline for weeks, has been claimed by the Rhysida ransom group.

The ransomware gang not only posted PMH (Prospect Medical Holdings) as a victim on its dark leak site but also set up a live auction to sell more than two terabytes of data allegedly stolen in the attack.

According to Cybernews, the group claims to have “kindly been provided” the sensitive data of over half a million PMH patients and employees, including social security numbers, passports, driver’s licenses, patient medical files, as well as legal and financial documents.

Rhysida posted that the files will be available for purchase, claiming they had “Total 1TB unique files, as well as 1.3TB SQL database.” The group has set a countdown clock to expire on September 1st, nine days from Thursday’s auction post.

Who is Rhysida?

A warning bulletin released by the US Department of Health and Human Services on August 4th states that Rhysida is named after a large species of toxic centipede originating from Africa. It is thought to have ties to the Vice Society ransom gang, which is notorious for its attacks on the education sector, primarily in the US, Canada, and the UK.

According to Cybernews, Rhysida operates as a ransomware-as-a-service (RaaS) group and was first seen in May of this year. There are currently 40 victims listed on Rhysida’s dark leak site.

The gang typically uses phishing attacks and Cobalt Strike to breach a victim’s network and deploy its payloads. It is known for targeting the healthcare industry, although it has also hit the education, government, manufacturing, and technology sectors. It seems that Rhysida primarily focuses on targets in Western Europe, North and South America, and Australia.