Verticals Targeted: Healthcare
Key Takeaways
Background
In a separate incident occurring in late July, Rhysida ransomware group claimed responsibility for an attack on Bayhealth Hospital in Delaware. Rhysida reportedly stole data and demanded a ransom of 25 Bitcoin to not leak the data. The August 14th deadline for the ransom payment is fast approaching.
What is INC?
INC ransomware has been active since summer 2023. While INC is a relatively new ransomware group, it is quickly gaining notoriety due to its sophisticated TTPs, elusive nature, and high-profile targets. INC appears to choose its targets carefully rather than opportunistically. INC’s targets have included entities in the US, UK, and Australia. Targeted verticals include government, healthcare, professional services, manufacturing, construction, and others.
Earlier this year, INC claimed responsibility for targeting numerous healthcare vertical entities, including NHS Dumfries and Galloway, West Idaho Orthopedics, Norman Urology Associates, Sisu Healthcare, and Otolaryngology Associates.
What is Rhysida?
Rhysida ransomware has been active since at least May 2023 and operates as ransomware as a service (RaaS). For initial access and persistence, the Rhysida threat actors leverage external-facing remote services, such as VPNs. They appear to obtain access using compromised but valid credentials, taking advantage of connections that do not require multi-factor authentication (MFA) for login. Rhysida threat actors have been observed leveraging Zerologon (CVE-2020-1472), a vulnerability in Microsoft’s Netlogon Remote Protocol that results in a critical elevation of privileges.
Rhysida threat actors use living-off-the-land techniques such as RDP for lateral movement, allowing them to establish VPN access and utilize PowerShell while evading detection. Rhysida threat actors have been observed using ipconfig, whoami, nltest, and net commands to gather domain information and enumerate victim environments. They use a combination of both legitimate and malicious tools, including cmd.exe, PowerShell.exe, PsExec.exe, mstsc.exe, PuTTY.exe, PortStarter, secretsdump, ntdsutil.exe, AnyDesk, wevtutil.exe, and PowerView. They are also known to engage in phishing.
After obtaining access to the victim network, Rhysida uses Cobalt Strike for lateral movement. The threat actors reportedly use PsExec to deploy PowerShell scripts and the Rhysida payload. To evade detection, Rhysida uses a PowerShell script known as SILENTKILL to terminate antivirus, delete shadow copies, modify RDP configurations, and change the Active Directory password. Rhysida uses a 4096-bit RSA key and ChaCha20 for file encryption and appends the .rhysida extension to encrypted files.
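Detection logic for the enumeration and pre-encryption behaviours described above, written as an added example for defenders (not PolySwarm's code and not derived from Rhysida samples). The process-creation records are constructed, and the vssadmin/wmic shadow-copy and wevtutil log-clearing command patterns are assumed indicators, since the report names the behaviours but not the exact command lines.

```python
import re
from collections import defaultdict

# Constructed Sysmon Event ID 1 (process create) records: (host, image path, command line).
# These are made-up sample lines, not telemetry from the incidents described above.
SAMPLE_EVENTS = [
    ("WS-RAD01", r"C:\Windows\System32\whoami.exe", "whoami /all"),
    ("WS-RAD01", r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp"),
    ("WS-RAD01", r"C:\Windows\System32\net.exe", 'net group "Domain Admins" /domain'),
    ("WS-RAD01", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ("WS-RAD01", r"C:\Tools\PsExec.exe", r"PsExec.exe \\FS01 -s powershell -ep bypass -f c:\temp\s.ps1"),
    ("FS01", r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("FS01", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security"),
    ("WS-HR02", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),  # single benign lookup
]

# Enumeration binaries named in the report; a burst of several on one host is suspicious.
DISCOVERY_IMAGES = {"ipconfig.exe", "whoami.exe", "nltest.exe", "net.exe", "net1.exe"}
# Remote-execution / remote-access / credential tooling named in the report.
LATERAL_TOOLS = {"psexec.exe", "mstsc.exe", "putty.exe", "anydesk.exe", "ntdsutil.exe"}
# Assumed command-line patterns for the SILENTKILL behaviours (shadow copy deletion, log clearing).
SHADOW_DELETE = re.compile(r"vssadmin\b.*\bdelete\s+shadows|wmic\b.*shadowcopy\b.*\bdelete", re.I)
LOG_CLEAR = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)


def triage(events, discovery_threshold=3):
    """Return {host: [alert, ...]} for hosts whose process activity matches the TTPs above."""
    per_host = defaultdict(lambda: {"discovery": set(), "tools": set(), "alerts": []})
    for host, image, cmdline in events:
        exe = image.rsplit("\\", 1)[-1].lower()  # basename of the image path
        h = per_host[host]
        if exe in DISCOVERY_IMAGES:
            h["discovery"].add(exe)
        if exe in LATERAL_TOOLS:
            h["tools"].add(exe)
        if SHADOW_DELETE.search(cmdline):
            h["alerts"].append("shadow copy deletion (ransomware precursor)")
        if LOG_CLEAR.search(cmdline):
            h["alerts"].append("event log cleared with wevtutil")
    for host, h in per_host.items():
        # Only a cluster of distinct enumeration commands is flagged; one ipconfig is normal.
        if len(h["discovery"]) >= discovery_threshold:
            h["alerts"].append(f"discovery burst: {sorted(h['discovery'])}")
        if h["tools"]:
            h["alerts"].append(f"lateral/remote tooling: {sorted(h['tools'])}")
    return {host: h["alerts"] for host, h in per_host.items() if h["alerts"]}


if __name__ == "__main__":
    for host, alerts in triage(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(alerts))
```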
Rhysida has previously targeted entities in the education, government, manufacturing, and technology verticals and was first observed targeting the healthcare vertical in August 2023. This activity resulted in an HHS Health Sector Cybersecurity Coordination Center security alert being issued at the time.
Implications of Ransomware Attacks on Healthcare Entities
Potential harm to patients as a result of ransomware attacks is of greatest concern. These attacks can disrupt healthcare operations, leading to death or injury due to delayed treatments, ambulances being diverted to other facilities, and equipment failure. An often-cited case of ransomware endangering a life is a 2019 incident in which a newborn baby died from fatal brain damage after a ransomware attack caused heart rate monitors to fail.
Data theft and data leaks are potential concurrent threats often related to ransomware attacks. Threat actors can potentially use stolen PII and healthcare data for extortion, social engineering, fraud, and identity theft. Sometimes data theft is used in conjunction with a ransomware attack for double or triple extortion, with the threat actors threatening to leak or sell stolen data if the ransom is not paid. Data leaks, even when unintentional, can lead to privacy violations and misuse of patient information. Unintentionally leaked data, in the wrong hands, can be used for the same malicious purposes as stolen data.
Healthcare entities also suffer financially and operationally when they are the victims of a ransomware attack. According to a report from IBM, the average cost of a healthcare data breach was nearly $11 million USD in 2023. Although more likely to pay the demanded ransom, healthcare entities typically recover less stolen data than entities in other verticals. Healthcare entities also have a high cost of recovery from such attacks and take longer to recover from a ransomware attack than most verticals.
IOCs
PolySwarm has multiple samples of these ransomware families.
INC
You can use the following CLI command to search for all INC samples in our portal:
$ polyswarm link list -f INC
Rhysida
You can use the following CLI command to search for all Rhysida samples in our portal:
$ polyswarm link list -f Rhysida