The PolySwarm Blog

Recent Ransomware Attacks on the Healthcare Vertical

Aug 19, 2024 12:54:46 PM / by The Hivemind

Recent Ransomware
Related Families: Rhysida, INC
Verticals Targeted: Healthcare

Executive Summary

Since late July, at least two ransomware groups have allegedly targeted healthcare vertical entities. The attacks were attributed to INC and Rhysida ransomware groups.

Key Takeaways

  • Since late July, at least two ransomware groups have allegedly targeted healthcare vertical entities.
  • A recent attack on McLaren Health Care in Michigan was attributed to INC ransomware. 
  • In a separate incident occurring in late July, Rhysida ransomware group claimed responsibility for an attack on Bayhealth Hospital in Delaware.
  • Potential implications of ransomware attacks on healthcare entities include threats to patient safety and privacy, data theft, financial loss, and operational disruption.

Background

Since late July, at least two ransomware groups have allegedly targeted healthcare vertical entities. A recent attack on McLaren Health Care in Michigan was attributed to INC ransomware. McLaren Health Care reported it was experiencing a disruption to its information technology systems. While McLaren did not confirm it had been the victim of a ransomware attack, Bleeping Computer reportedly found an INC ransomware ransom note that a McLaren Health Care employee had shared online.

In a separate incident occurring in late July, Rhysida ransomware group claimed responsibility for an attack on Bayhealth Hospital in Delaware. Rhysida reportedly stole data and demanded a ransom of 25 Bitcoin in exchange for not leaking it. The August 14th deadline for the ransom payment is fast approaching.

What is INC?

INC ransomware has been active since summer 2023. While INC is a relatively new ransomware group, it is quickly gaining notoriety due to its sophisticated TTPs, elusive nature, and high-profile targets. INC appears to choose its targets carefully rather than opportunistically. INC’s targets have included entities in the US, UK, and Australia. Targeted verticals include government, healthcare, professional services, manufacturing, construction, and others.

Earlier this year, INC claimed responsibility for targeting numerous healthcare vertical entities, including NHS Dumfries and Galloway, West Idaho Orthopedics, Norman Urology Associates, Sisu Healthcare, and Otolaryngology Associates.

What is Rhysida?

Rhysida ransomware has been active since at least May 2023 and operates as ransomware-as-a-service (RaaS). For initial access and persistence, the Rhysida threat actors leverage external-facing remote services, such as VPNs. They appear to obtain access using compromised but valid credentials, taking advantage of connections that do not require multi-factor authentication (MFA) for login. Rhysida threat actors have been observed leveraging Zerologon (CVE-2020-1472), a vulnerability in Microsoft’s Netlogon Remote Protocol that results in a critical elevation of privileges.

Rhysida threat actors use living-off-the-land techniques such as RDP for lateral movement, allowing them to establish VPN access and utilize PowerShell while evading detection. Rhysida threat actors have been observed using ipconfig, whoami, nltest, and net commands to gather domain information and enumerate victim environments. They use a combination of both legitimate and malicious tools, including cmd.exe, PowerShell.exe, PsExec.exe, mstsc.exe, PuTTY.exe, PortStarter, secretsdump, ntdsutil.exe, AnyDesk, wevtutil.exe, and PowerView. They are also known to engage in phishing.

After obtaining access to the victim network, Rhysida uses Cobalt Strike for lateral movement. The threat actors reportedly use PsExec to deploy PowerShell scripts and the Rhysida payload. To evade detection, Rhysida uses a PowerShell script known as SILENTKILL to terminate antivirus, delete shadow copies, modify RDP configurations, and change the Active Directory password. Rhysida uses a 4096-bit RSA key and ChaCha20 for file encryption and appends the .rhysida extension to encrypted files.
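As an added defender's example (not code from PolySwarm or from the bulletin's sources), the following Python flags two of the behaviours just described, a burst of the listed discovery commands on one host and PowerShell launched by PsExec, over constructed process-creation records; the record field names and the script name deploy.ps1 are assumptions.

```python
"""Added example, not PolySwarm code: flag the Rhysida-style enumeration burst and
PsExec-spawned PowerShell described above in Sysmon/4688-style process records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery binaries the bulletin lists for enumerating victim environments.
DISCOVERY = {"ipconfig.exe", "whoami.exe", "nltest.exe", "net.exe", "net1.exe"}
# PsExec components the bulletin ties to PowerShell and payload deployment.
PSEXEC = {"psexec.exe", "psexesvc.exe"}

SAMPLE_EVENTS = [  # constructed records; field names are assumed, not a real schema
    {"host": "ws01", "ts": "2024-08-01T02:10:00", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"host": "ws01", "ts": "2024-08-01T02:10:20", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"host": "ws01", "ts": "2024-08-01T02:11:05", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /dclist:"},
    {"host": "ws01", "ts": "2024-08-01T02:11:40", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net group /domain"},
    {"host": "srv02", "ts": "2024-08-01T02:30:00", "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\System32\powershell.exe", "cmdline": "powershell -File deploy.ps1"},
    {"host": "admin01", "ts": "2024-08-01T09:00:00", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig"},  # benign one-off
]

def image_name(path):
    """Normalise a full image path to its lower-cased file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events, window=timedelta(minutes=5), min_distinct=3):
    """Return (host, rule, detail) alerts; one discovery command is routine admin work, a burst is min_distinct different tools on one host within window."""
    alerts, by_host = [], defaultdict(list)
    for e in events:
        img, parent = image_name(e["image"]), image_name(e["parent"])
        if img in DISCOVERY:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), img))
        if img == "powershell.exe" and parent in PSEXEC:
            alerts.append((e["host"], "psexec_powershell", e["cmdline"]))
    for host, runs in sorted(by_host.items()):
        runs.sort()
        for i, (start, _) in enumerate(runs):  # slide the window over each start time
            seen = {img for ts, img in runs[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                alerts.append((host, "discovery_burst", ",".join(sorted(seen))))
                break
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
```

Tune `window` and `min_distinct` to the environment; the single ipconfig on admin01 is deliberately not flagged, which is the false-positive case a threshold on distinct tools is meant to avoid.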

Rhysida has previously targeted entities in the education, government, manufacturing, and technology verticals and was first observed targeting the healthcare vertical in August 2023. This activity resulted in an HHS Health Sector Cybersecurity Coordination Center security alert being issued at the time.  

Implications of Ransomware Attacks on Healthcare Entities

Potential harm to patients as a result of ransomware attacks is of greatest concern. These attacks can disrupt healthcare operations, leading to death or injury due to delayed treatments, ambulances being diverted to other facilities, and equipment failure. An often-cited case of ransomware endangering a life is a 2019 incident in which a newborn baby died from fatal brain damage after a ransomware attack caused heart rate monitors to fail.

Data theft and data leaks are potential concurrent threats often related to ransomware attacks. Threat actors can potentially use stolen PII and healthcare data for extortion, social engineering, fraud, and identity theft. Sometimes data theft is used in conjunction with a ransomware attack for double or triple extortion, with the threat actors threatening to leak or sell stolen data if the ransom is not paid. Data leaks, even when unintentional, can lead to privacy violations and misuse of patient information. Unintentionally leaked data, in the wrong hands, can be used for the same malicious purposes as stolen data. 

Healthcare entities also suffer financially and operationally when they are the victims of a ransomware attack. According to a report from IBM, the average cost of a healthcare data breach was nearly $11 million USD in 2023. Although more likely to pay the demanded ransom, healthcare entities typically recover less stolen data than entities in other verticals. Healthcare entities also have a high cost of recovery from such attacks and take longer to recover from a ransomware attack than most verticals. 

IOCs

PolySwarm has multiple samples of these ransomware families.

INC

You can use the following CLI command to search for all INC samples in our portal:

$ polyswarm link list -f INC

 

Rhysida

You can use the following CLI command to search for all Rhysida samples in our portal:

$ polyswarm link list -f Rhysida

Topics: Threat Bulletin, Ransomware, Healthcare, Disbuk, Rhysida, INC