While some ransomware operations claim not to target hospitals, one relatively new ransomware gang named Rhysida doesn’t seem to care.
Rhysida surfaced in May 2023 and quickly made a name for itself with indiscriminate attacks on hospitals, enterprises, and even government agencies.
The group first came to notoriety after attacking the Chilean Army (Ejército de Chile) and leaking stolen data.
Now the ransomware gang is making headlines for its targeting of healthcare, with the group believed to be behind the attack on Prospect Medical Holdings that impacted 17 hospitals and 166 clinics across the United States.
In other news, we continue to see the fallout from Clop’s MOVEit data-theft attacks, with Missouri’s Department of Social Services warning that data was stolen from IBM’s MOVEit server.
Finally, Europol and the U.S. Department of Justice announced the takedown of the LOLEKHosted bulletproof hosting provider, saying that one of the arrested admins facilitated Netwalker ransomware attacks by hosting storage servers for the gang.
Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @struppigel, @Ionut_Ilascu, @serghei, @LawrenceAbrams, @malwrhunterteam, @billtoulas, @demonslay335, @BleepinComputer, @HHSGov, @TrendMicro, @TalosSecurity, @_CPResearch_, @IRS_CI, and @pcrisk.
August 7th 2023
New threat actor targets Bulgaria, China, Vietnam and other countries with customized Yashma ransomware
Talos assesses with high confidence that this threat actor is targeting victims in English-speaking countries, Bulgaria, China and Vietnam, as the actor’s GitHub account, “nguyenvietphat,” has ransomware notes written in these countries’ languages. The presence of an English version could indicate the actor intends to target a wide range of geographic areas.
Ransomware gangs are consistently rebranding or merging with other groups, as highlighted in our 2022 Year in Review, or these actors work for multiple ransomware-as-a-service (RaaS) outfits at a time, and new groups are always emerging.
We found active campaign deployments combining the remote access trojan (RAT) Remcos and the TargetCompany ransomware earlier this year. We compared these deployments with previous samples and found that these deployments apply fully undetectable (FUD) packers to their binaries. By combining telemetry data and external threat hunting sources, we were able to gather early samples of these in development. Recently, we found a victim against which this technique was specifically deployed.
PCrisk found new STOP ransomware variants that append the .yyza and .yytw extensions.
PCrisk found a new Dharma variant that appends the .GPT extension.
August 8th 2023
The Rhysida ransomware group was first revealed in May this year, and since then has been linked to several impactful intrusions, including an attack on the Chilean Army. Recently the group was also tied to an attack against Prospect Medical Holdings, affecting 17 hospitals and 166 clinics across the United States. After this attack, the US Department of Health and Human Services defined Rhysida as a significant threat to the healthcare sector.
Cisco Talos is aware of the recent advisory published by the U.S. Department of Health and Human Services (HHS) warning the healthcare industry about Rhysida ransomware activity.
PCrisk found a new Xorist ransomware variant that appends the .PrOToN extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
August 9th 2023
Missouri’s Department of Social Services warns that protected Medicaid healthcare information was exposed in a data breach after IBM suffered a MOVEit data theft attack.
The Rhysida ransomware operation is making a name for itself after a wave of attacks on healthcare organizations forced government agencies and cybersecurity companies to pay closer attention to it.
On August 4, 2023, the HHS’ Health Sector Cybersecurity Coordination Center (HC3) released a security alert about a relatively new ransomware called Rhysida (detected as Ransom.PS1.RHYSIDA.SM), which has been active since May 2023. In this blog entry, we will provide details on Rhysida, including its targets and what we know about its infection chain.
August 10th 2023
PCrisk found a new ransomware variant that appends the .harward extension.
August 11th 2023
Police have taken down the Lolek bulletproof hosting provider, arresting five individuals and seizing servers for allegedly facilitating Netwalker ransomware attacks and other malicious activities.
PCrisk found a new ransomware variant that appends the .alock extension.
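The extensions and ransom-note name reported this week (.yyza and .yytw for STOP, .GPT for Dharma, .PrOToN plus HOW TO DECRYPT FILES.txt for Xorist, and the unattributed .harward and .alock) are the kind of indicators an incident responder feeds into a quick file-listing triage. The script below is an added example, not code from the original roundup or from PCrisk: it maps each indicator to its family, counts hits per directory, and flags directories that look mass-encrypted or contain a ransom note. The sample listing, the 50% threshold and the family label for the unattributed extensions are constructed assumptions.

```python
"""Triage a file listing for the ransomware indicators reported in this roundup.
Added example for this article; not the article's or PCrisk's own code."""
from collections import Counter
from pathlib import PurePosixPath

# Appended extension -> family, as reported this week. Matching is exact-case
# because that is how the extensions were reported (.GPT is not .gpt).
KNOWN_EXTENSIONS = {
    ".yyza": "STOP/Djvu",
    ".yytw": "STOP/Djvu",
    ".GPT": "Dharma",
    ".PrOToN": "Xorist",
    ".harward": "unattributed (PCrisk, Aug 10)",   # family not named in roundup
    ".alock": "unattributed (PCrisk, Aug 11)",     # family not named in roundup
}

# Ransom-note filenames reported this week.
RANSOM_NOTES = {"HOW TO DECRYPT FILES.txt"}

# Fraction of files in a directory carrying a known extension before the
# directory is flagged as mass-encrypted. The 0.5 value is an assumption.
MASS_RENAME_THRESHOLD = 0.5

# Constructed sample listing (not real victim data). Dharma appends
# .id-<id>.[email].<ext>, so the final suffix is still what we key on.
SAMPLE_LISTING = [
    "/srv/share/finance/q2_report.xlsx.yyza",
    "/srv/share/finance/budget.docx.yyza",
    "/srv/share/finance/notes.txt",
    "/srv/share/legal/contract.pdf.id-1A2B3C4D.[contact@example.com].GPT",
    "/srv/share/hr/payroll.csv.PrOToN",
    "/srv/share/hr/HOW TO DECRYPT FILES.txt",
    "/srv/share/hr/handbook.pdf",
    "/home/alice/photo.jpg",
    "/home/alice/model.gpt",   # lowercase: legitimate file, must not match
]


def classify(path):
    """Return (family_or_None, is_ransom_note) for a single path."""
    p = PurePosixPath(path)
    return KNOWN_EXTENSIONS.get(p.suffix), p.name in RANSOM_NOTES


def triage(paths, threshold=MASS_RENAME_THRESHOLD):
    """Aggregate indicator hits over a listing.

    Returns a dict with the matched paths, ransom notes, per-family counts and
    the sorted list of directories that either exceed the mass-rename
    threshold or contain a ransom note.
    """
    hits, notes = [], []
    per_dir_total, per_dir_hits = Counter(), Counter()
    dirs_with_notes = set()
    for path in paths:
        family, is_note = classify(path)
        parent = str(PurePosixPath(path).parent)
        per_dir_total[parent] += 1
        if family:
            hits.append((path, family))
            per_dir_hits[parent] += 1
        if is_note:
            notes.append(path)
            dirs_with_notes.add(parent)
    suspect_dirs = sorted(
        d for d, total in per_dir_total.items()
        if per_dir_hits[d] / total >= threshold or d in dirs_with_notes
    )
    return {
        "hits": hits,
        "notes": notes,
        "families": Counter(f for _, f in hits),
        "suspect_dirs": suspect_dirs,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    for family, n in result["families"].most_common():
        print(f"{family}: {n} file(s)")
    print("ransom notes:", result["notes"])
    print("suspect directories:", result["suspect_dirs"])
```

In a real engagement the listing would come from `find` output or an EDR file inventory rather than the inline sample, and the note-name match should stay exact: a note in a directory with few renamed files (the hr share above) is still a stronger signal than the rename ratio alone.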