The PolySwarm Blog


Rhysida and LockBit Observed Targeting the Healthcare Vertical

Aug 14, 2023 2:34:16 PM / by The Hivemind

Related Families: Rhysida, SILENTKILL, LockBit
Verticals Targeted: Healthcare

Executive Summary

Rhysida and LockBit ransomware families were both recently observed targeting healthcare vertical entities.

Key Takeaways

  • Rhysida and LockBit were both recently observed targeting healthcare vertical entities.
  • Rhysida ransomware has expanded the scope of its targeting to include the healthcare vertical. 
  • LockBit claimed to have possession of cancer patient data and has threatened to leak the data. 

Rhysida Broadens Targeting to Include Healthcare

Rhysida ransomware, which has been active since at least May 2023, was recently observed broadening its targeting to include healthcare vertical entities. Trend Micro reported on this activity.

Rhysida is ransomware as a service (RaaS). It uses a 4096-bit RSA key and ChaCha20 for file encryption and appends the .rhysida extension to encrypted files. Rhysida has previously targeted entities in the education, government, manufacturing, and technology verticals. However, its operators have recently begun targeting the healthcare vertical. Rhysida's activity prompted the HHS Health Sector Cybersecurity Coordination Center to issue a security alert.

Rhysida uses phishing for initial access. The threat actors behind the malware pose as a “cybersecurity team” offering to find security flaws in the target’s networks. After obtaining access to the victim network, Rhysida uses Cobalt Strike for lateral movement. The threat actors reportedly used PsExec to deploy PowerShell scripts and the Rhysida payload. To evade detection, Rhysida uses a PowerShell script known as SILENTKILL to terminate antivirus, delete shadow copies, modify RDP configurations, and change the Active Directory password.
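The four SILENTKILL behaviours named above can be hunted for in process-creation telemetry. The following is an added Python example, not code from the bulletin or from PolySwarm; the command-line patterns it maps to each behaviour, the pipe-delimited log format, and the sample records are all assumptions constructed for illustration, since the bulletin does not state which commands the script runs.

```python
import re
from collections import defaultdict

# Behaviours the bulletin attributes to SILENTKILL, keyed to command-line
# patterns a defender commonly watches for. The patterns are this example's
# assumption; the bulletin does not say which commands the script executes.
BEHAVIOURS = {
    "av_termination": re.compile(
        r"\b(taskkill|stop-service|sc(\.exe)?\s+stop)\b.*"
        r"\b(msmpeng|windefend|defender)\b", re.I),
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|"
        r"wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy)\b", re.I),
    "rdp_config_change": re.compile(
        r"fdenytsconnections|terminal\s*server\\winstations", re.I),
    "ad_password_change": re.compile(
        r"set-adaccountpassword|\bnet(\.exe)?\s+user\s+\S+\s+\S+\s+/domain", re.I),
}

def parse_event(line):
    """Parse one constructed process-creation record: time|host|parent|cmdline."""
    ts, host, parent, cmdline = line.rstrip("\n").split("|", 3)
    return {"ts": ts, "host": host, "parent": parent.lower(), "cmdline": cmdline}

def classify(cmdline):
    """Return the SILENTKILL-style behaviours a single command line matches."""
    return sorted(name for name, rx in BEHAVIOURS.items() if rx.search(cmdline))

def scan(lines, min_behaviours=2):
    """Collect behaviours per host and flag hosts showing at least
    min_behaviours distinct ones; a lone vssadmin call is often admin noise."""
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        for behaviour in classify(ev["cmdline"]):
            per_host[ev["host"]].add(behaviour)
    return {h: sorted(b) for h, b in per_host.items() if len(b) >= min_behaviours}

# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    "2023-08-14T10:01:02|WS01|psexesvc.exe|powershell.exe -File C:\\Temp\\sk.ps1",
    "2023-08-14T10:01:03|WS01|powershell.exe|Stop-Service -Name WinDefend -Force",
    "2023-08-14T10:01:04|WS01|powershell.exe|vssadmin.exe delete shadows /all /quiet",
    "2023-08-14T10:01:05|WS01|powershell.exe|reg add \"HKLM\\SYSTEM\\CurrentControlSet"
    "\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f",
    "2023-08-14T10:01:06|DC01|powershell.exe|net user backupadm Secret123 /domain",
    "2023-08-14T11:30:00|SRV07|explorer.exe|vssadmin.exe delete shadows /for=D: /oldest",
]

if __name__ == "__main__":
    for host, behaviours in scan(SAMPLE_LOG).items():
        print(f"ALERT {host}: {', '.join(behaviours)}")
```

With the default threshold only WS01 is flagged; DC01 and SRV07 each show a single behaviour, so the threshold (or per-host grouping) is the knob to tune against your own admin baseline.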

The Rhysida ransom note uses a unique approach. Rather than directly demanding a ransom payment, the note appears to be an alert from the Rhysida “cybersecurity team” warning victims that their system has been compromised and their files are encrypted. As the offered solution, the victim must pay for a “unique key” to decrypt the files.

LockBit Threatens to Leak Cancer Patient Data

Security Affairs reported that LockBit has threatened to leak cancer patient data. LockBit, one of the more infamous ransomware families, was first observed in the wild in 2019. It operates as RaaS. Variants of LockBit targeting both Windows and macOS are available. The threat actors behind LockBit often use a double extortion model, threatening to leak stolen files if the ransom is not paid within the specified time.

Recently, LockBit was used to target Varian Medical Systems, a company that sells medical devices and software used for cancer treatment. LockBit claimed to have possession of all databases and patient data. They then threatened to leak the data if a ransom is not paid by the August 17th deadline.

IOCs

Rhysida

PolySwarm has multiple samples of Rhysida.

A864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6

6903b00a15eff9b494947896f222bd5b093a63aa1f340815823645fd57bd61de

3bc0340007f3a9831cb35766f2eb42de81d13aeb99b3a8c07dee0bb8b000cb96

You can use the following CLI command to search for all Rhysida samples in our portal:

$ polyswarm link list -f Rhysida

LockBit

PolySwarm has multiple samples of LockBit and actively monitors this ransomware family on an ongoing basis. A selection of LockBit hashes are provided below.


You can use the following CLI command to search for all LockBit samples in our portal:

$ polyswarm link list -f Lockbit
