The PolySwarm Blog


Rhysida and LockBit Observed Targeting the Healthcare Vertical

Aug 14, 2023 2:34:16 PM / by The Hivemind

Related Families: Rhysida, SILENTKILL, LockBit
Verticals Targeted: Healthcare

Executive Summary

Rhysida and LockBit ransomware families were both recently observed targeting healthcare vertical entities.

Key Takeaways

  • Rhysida and LockBit were both recently observed targeting healthcare vertical entities.
  • Rhysida ransomware has expanded the scope of its targeting to include the healthcare vertical. 
  • LockBit claimed to have possession of cancer patient data and has threatened to leak the data. 

Rhysida Broadens Targeting to Include Healthcare

Rhysida ransomware, which has been active since at least May 2023, was recently observed broadening its targeting to include healthcare vertical entities. Trend Micro reported on this activity.

Rhysida is ransomware as a service (RaaS). It uses ChaCha20 for file encryption, with a 4096-bit RSA key protecting the symmetric keys, and appends the .rhysida extension to encrypted files. Rhysida has previously targeted entities in the education, government, manufacturing, and technology verticals, but it has recently begun targeting the healthcare vertical as well. Rhysida's activity prompted the HHS Health Sector Cybersecurity Coordination Center (HC3) to issue a security alert.

Rhysida uses phishing for initial access. The threat actors behind the malware pose as a “cybersecurity team” offering to find security flaws in the target’s networks. After obtaining access to the victim network, Rhysida uses Cobalt Strike for lateral movement. The threat actors reportedly used PsExec to deploy PowerShell scripts and the Rhysida payload. To evade detection and hinder recovery, Rhysida uses a PowerShell script known as SILENTKILL to terminate antivirus processes, delete shadow copies, modify RDP configuration, and change Active Directory passwords.
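The bulletin does not reproduce SILENTKILL's commands, so the following is an added example (not PolySwarm's or Trend Micro's code) showing how the behaviours described above can be correlated per host in process-creation telemetry: shadow copy deletion, RDP reconfiguration, antivirus termination, domain password changes, and the PsExec service that appears on a machine receiving a remotely deployed payload. The log lines are constructed, and the command patterns are assumptions about how those behaviours commonly surface (vssadmin/wmic for shadow copies, the fDenyTSConnections registry value for RDP, taskkill or net stop against Defender, net user /domain), not strings taken from the malware. A single host showing several of these behaviours in one batch is a much stronger signal than any one of them alone.

```python
"""Per-host correlation of SILENTKILL-style pre-encryption behaviours.

Added example for this bulletin (not PolySwarm or Trend Micro code).
The regexes are assumptions about how the behaviours described in the
text usually surface in process-creation telemetry, not strings lifted
from the SILENTKILL script, which the bulletin does not reproduce.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    host: str
    user: str
    parent: str    # parent process image
    cmdline: str   # full command line of the new process


# Behaviour name -> pattern searched in the lower-cased command line.
RULES: Dict[str, re.Pattern] = {
    # Shadow copy deletion (vssadmin / wmic / WMI class) removes local rollback.
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy"),
    # RDP reconfiguration: flipping fDenyTSConnections under Terminal Server.
    "rdp_reconfig": re.compile(
        r"terminal server.*fdenytsconnections|netsh.*remotedesktop.*enable"),
    # AV termination: killing or stopping Defender / EDR services.
    "av_termination": re.compile(
        r"(taskkill|stop-service|sc(\.exe)?\s+stop|net\s+stop).*(defender|msmpeng|windefend|sense)"),
    # Domain password change via net.exe or the AD PowerShell module.
    "password_change": re.compile(
        r"net(\.exe)?\s+user\s+\S+\s+\S+.*/domain|set-adaccountpassword"),
    # PsExec service binary on the receiving side of remote deployment.
    "psexec_remote_exec": re.compile(r"psexe(c|svc)(\.exe)?"),
}


def parse_line(line: str) -> ProcEvent:
    """Parse one line of the constructed format TS|HOST=..|USER=..|PARENT=..|CMD=.."""
    ts, host, user, parent, cmd = line.split("|", 4)

    def value(field: str) -> str:
        return field.split("=", 1)[1]

    return ProcEvent(ts, value(host), value(user), value(parent), value(cmd))


def match_rules(event: ProcEvent) -> Set[str]:
    """Return the names of every behaviour whose pattern fires on the command line."""
    cmd = event.cmdline.lower()
    return {name for name, rx in RULES.items() if rx.search(cmd)}


def behaviours_by_host(lines: List[str]) -> Dict[str, Set[str]]:
    """Union of matched behaviours per host; hosts with no hits map to an empty set."""
    seen: Dict[str, Set[str]] = {}
    for line in lines:
        ev = parse_line(line)
        seen.setdefault(ev.host, set()).update(match_rules(ev))
    return seen


def flag_hosts(lines: List[str], threshold: int = 3) -> List[str]:
    """Hosts showing at least `threshold` distinct behaviours in the batch."""
    return sorted(h for h, b in behaviours_by_host(lines).items() if len(b) >= threshold)


# Constructed sample telemetry (not real logs). ws07 shows the SILENTKILL
# pattern; dc01 only receives a PsExec service; ws12 is benign noise,
# including a `vssadmin list shadows` that must not fire the deletion rule.
SAMPLE_LOG = [
    r"2023-08-10T03:14:05Z|HOST=ws07|USER=CORP\svc_backup|PARENT=powershell.exe|CMD=vssadmin.exe delete shadows /all /quiet",
    r'2023-08-10T03:14:06Z|HOST=ws07|USER=CORP\svc_backup|PARENT=powershell.exe|CMD=reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r"2023-08-10T03:14:07Z|HOST=ws07|USER=CORP\svc_backup|PARENT=powershell.exe|CMD=taskkill /F /IM MsMpEng.exe",
    r"2023-08-10T03:14:09Z|HOST=ws07|USER=CORP\svc_backup|PARENT=powershell.exe|CMD=net user Administrator NewP@ss123! /domain",
    r"2023-08-10T03:12:40Z|HOST=dc01|USER=NT AUTHORITY\SYSTEM|PARENT=services.exe|CMD=C:\Windows\PSEXESVC.exe",
    r"2023-08-10T03:10:01Z|HOST=ws12|USER=CORP\jdoe|PARENT=explorer.exe|CMD=notepad.exe C:\Users\jdoe\report.txt",
    r"2023-08-10T03:11:30Z|HOST=ws12|USER=CORP\jdoe|PARENT=cmd.exe|CMD=vssadmin list shadows",
]


if __name__ == "__main__":
    for host, found in sorted(behaviours_by_host(SAMPLE_LOG).items()):
        print(f"{host}: {sorted(found) or 'no suspicious behaviour'}")
    print("flagged hosts:", flag_hosts(SAMPLE_LOG))
```

The threshold of three distinct behaviours is a tuning choice: backup software legitimately deletes shadow copies and administrators do change RDP settings, so a single hit is a lead, not an alert. Running this over real EDR or Sysmon Event ID 1 data means replacing parse_line with your own schema and, for PsExec, pairing the PSEXESVC hit with the source host's outbound SMB session.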

The Rhysida ransom note takes an unusual approach. Rather than directly demanding a ransom payment, the note is styled as an alert from the Rhysida “cybersecurity team” warning victims that their system has been compromised and their files encrypted. The “solution” offered is for the victim to pay for a “unique key” with which to decrypt the files.

LockBit Threatens to Leak Cancer Patient Data

Security Affairs reported that LockBit has threatened to leak cancer patient data. LockBit, one of the more infamous ransomware families, was first observed in the wild in 2019 and operates as RaaS. Variants of LockBit targeting both Windows and macOS are available. The threat actors behind LockBit typically use a double extortion model, threatening to leak stolen files if the ransom is not paid within the specified time.

Recently, LockBit was used to target Varian Medical Systems, a company that sells medical devices and software used for cancer treatment. LockBit claimed to possess all of the company's databases and patient data and threatened to leak the data if a ransom was not paid by an August 17 deadline.


PolySwarm has multiple samples of Rhysida.

You can use the following CLI command to search for all Rhysida samples in our portal:

$ polyswarm link list -f Rhysida


PolySwarm has multiple samples of LockBit and actively monitors this ransomware family on an ongoing basis. A selection of LockBit hashes is provided below.

You can use the following CLI command to search for all LockBit samples in our portal:

$ polyswarm link list -f Lockbit




Topics: Threat Bulletin, Ransomware, LockBit, Healthcare, SILENTKILL, Rhysida
