Fraud Management & Cybercrime , Healthcare , Industry Specific
Rhysida Leaks Nursing Home Data, Demands $1.5M From Axis
Ransomware Gang Could Have Axis Health's Mental Health, Drug Abuse RecordsRansomware gang Rhysida is threatening to dump data on the darkweb that belongs to a Colorado provider of mental health, substance abuse and other healthcare services unless it pays nearly $1.5 million. The group is leaking records stolen in an alleged attack on a Mississippi nursing home.
See Also: How Overreliance on EDR is Failing Healthcare Providers
Axis Health System, a nonprofit healthcare organization that provides services ranging from primary care to psychiatric assessments, mental health crisis management and drug addiction treatment - and Golden Age Nursing Home, which offers short- and long-term nursing and rehabilitative services - are among Rhysida's growing list of alleged healthcare sector victims.
As of Friday, Rhysida listed Axis Health on its dark web site, threatening to publish the medical care provider's data within six days, unless 25 bitcoins - or about $1.48 million - is paid.
Posted on Axis Health website is a notice stating the entity suffered a recent cyber incident. Axis Health "quickly followed its incident response protocol and took steps to stop the activity and investigate the nature and scope of the incident. If it is determined that patient data was impacted, affected individuals will be notified directly by mail," the notice said.
Axis Health also said its primary care patient portal "is currently offline."
Axis Health did not immediately respond to Information Security Media Group's request for comment.
Rhysida on its dark web site also claims a recent data heist from Golden Age Nursing Home in Mississippi. The gang said it has begun publishing 102 Gbytes and 35,310 files, including medical records and discharge reports - allegedly belonging to Golden Age.
Golden Age did not immediately respond to ISMG's request for comment and as of Friday, did not yet have a notice on its website about any alleged security incidents.
So far this year, Rhysida has claimed numerous other attacks on healthcare entities, including Ann & Robert H. Lurie Children's Hospital of Chicago, Bayhealth in Delaware, and Community Care Alliance in Rhode Island (see: Rhysida Claims Major Data Thefts From 2 More Health Systems).
Rhysida also took credit for an attack last year on California hospital chain Prospect Medical (see: Prospect Medical Facing More Legal Fallout From 2023 Hack).
As of Friday, the gang listed nearly 105 organizations on its dark web site dating back to about June 2023.
Rhysida, which first surfaced around May 2023, has been the subject of two advisories from the U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center - one in August 2023 and another in January. Security researchers believe the group is located in Russia or in the neighboring Commonwealth of Independent States (see: Authorities Warn Health Sector of Attacks by Rhysida Group).
Considerable Threat
The group has also gotten attention from other federal agencies, including the FBI and CISA, which also issued a joint alert about Rhysida last November.
Rhysida is a 64-bit portable executable Windows cryptographic ransomware application compiled using MINGW/GCC, said HHS HC3.
The double extortion gang deploys its malware in multiple ways, HHS HC3 said. That includes breaching targets’ networks via phishing attacks, "and by dropping payloads across compromised systems after first deploying Cobalt Strike or similar command-and-control frameworks."
Other experts agree that Rhysida poses a considerable threat to the healthcare sector.
While Rhysida is not the most “prolific” ransomware groups on the scene, the gang has operated continuously since May 2023, and is now considered an established ransomware-as-a-service group, said Jason Baker, principal security consultant at GuidePoint Security.
"Rhysida comes to the front not because they are the worst offenders by volume when impacting healthcare entities," he said.
"Rhysida is actually a distant seventh, accounting for 4.4% of observed healthcare attacks, far behind LockBit at 14.8%, RansomHub at 10% and BianLian at 9.1%.
Because of the sensitivity of the victims they hit, "which has time and again shown to include nonprofits, charities and sensitive healthcare organizations that provide life-or-death care," the group is considered among the most concerning threats actors, he said.
"The healthcare sector - which is highly regulated and contains sensitive patient records and vulnerable lifesaving systems - will continue to be under attack by bad actors such as Rhysida for years to come," said Scott Weinberg, CEO of security firm Neovera.
"Healthcare providers must ensure they are up to date with the latest threats and have a continuous cyberthreat management and response program in place, spearheaded by an experienced CISO to manage their cyber team."
In the meantime, Rhysida continues to be on the watch lists of government authorities, including the FBI and CISA, said Sean Deuby, principal technologist at security firm Semperis.
"Disruptions to their operations would be welcomed by both agencies," he said. "No attack is acceptable, but the January ransomware attack on Lurie Children’s Hospital is disgusting, as that world renowned care center is treating our most vulnerable young people with cancer," he said.
"Make no mistake that when ransomware gangs attack hospitals, it isn’t by chance. It is calculated because they expect a hospital to be more likely to pay a ransom if systems go down and patient lives are at risk."