Rhysida claims Bayhealth Hospital breach

Known for phishing attacks and the exploitation of legitimate cybersecurity tools, Rhysida claimed to have hit Bayhealth Medical Center, which serves central and southern Delaware.

WHY IT MATTERS

Showcasing screenshots of stolen passports and ID cards as proof, the Rhysida ransomware group gave nonprofit Bayhealth Hospital one week to pay the ransom and avoid the leak, according to a report Thursday in Security Affairs.

“With just 7 days on the clock, seize the opportunity to bid on exclusive, unique and impressive data,” Rhysida announced on its Tor leak site Wednesday.

“Open your wallets and be ready to buy exclusive data. We sell only to one hand, no reselling, you will be the only owner!”

We have contacted Bayhealth and will update the story if a statement is provided.

THE LARGER TREND

While the group lacks overt affiliations with other ransomware groups, it avoids targeting former Soviet Republic or bloc countries and Central Asia’s Commonwealth of Independent States, according to an August 2023 warning from the Health Sector Cybersecurity Coordination Center.

HC3 said in the alert that, in addition to social engineering attacks, the group exploits known vulnerabilities in software across compromised systems after first deploying Cobalt Strike or other frameworks, similar to Black Basta. The PDF notes that the group leaves behind are written as if to provide a customer service experience.

Rhysida also claimed the ransomware attack on Prospect Medical Holdings of Los Angeles, disrupting care at hospitals and medical centers in Connecticut and in several other states that month.

Then in November, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency issued a joint cybersecurity advisory indicating the group leases tools through a profit-sharing model.

ON THE RECORD

“Rhysida actors reportedly engage in ‘double extortion’ [T1657] – demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid,” the FBI and CISA said in their advisory.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

The HIMSS Healthcare Cybersecurity Forum is scheduled to take place October 31-November 1 in Washington, D.C.