Week in Ransomware – August 11, 2023 – Targeting Healthcare

While some ransomware operations claim not to target hospitals, one relatively new ransomware gang called Rhysida doesn’t seem to care.

Rhysida was launched in May 2023, when it quickly rose to prominence for carrying out indiscriminate attacks on hospitals, corporations and even government agencies.

The group first rose to prominence after attacking the Chilean Army (Ejército de Chile) and leaking stolen data.

Now the ransomware gang is making headlines for targeting healthcare, with the group believed to be behind the attack on Prospect Medical Group, impacting 17 hospitals and 166 clinics across the United States.

This led to a slew of reports issued by the US Department of Health and Human Services, Trend Micro, Cisco Talos, and Check Point Research.

We’re also seeing additional ransomware reports about TargetCompany, code leaks impacting the RaaS ecosystem, and new threat actors using customized versions of the Yashma ransomware.

In other news, we continue to see the fallout from the MOVEit Clop data theft attack, with the Missouri Department of Social Services warning that data has been stolen from IBM’s MOVEit servers.

Finally, Europol and the US Department of Justice announced the takedown of bulletproof hosting provider LOLEKHosted, saying that one of the admins arrested facilitated the Netwalker ransomware attack by hosting storage servers for the gang.

Contributors and those who provided this week’s new ransomware stories and information include: @Seifreed, @shaggygel, @Ionut_Ilascu, @sergei, @LawrenceAbrams, @malwrhunterteam, @billtoulas, @demonlay335, @BleepinComputer, @HHSGov, @TrendMicro, @TalosSecurity, @_CPResearch_, @IRS_CIAnd @pcrisk.

August 7, 2023

New threat actors target Bulgaria, China, Vietnam and other countries with customized Yashma ransomware

Talos assesses with high confidence that this threat actor is targeting victims in English-speaking countries, Bulgaria, China, and Vietnam, because the perpetrator’s GitHub account, “nguyenvietphat,” has ransomware records written in the languages of these countries. The presence of an English version may indicate that the actor intends to target different geographic areas.

Code leaks lead to an influx of new ransomware actors

Ransomware gangs are consistently rebranding or joining other groups, as highlighted in our 2022 Review, or these actors work for multiple ransomware-as-a-service (RaaS) outfits at once, and new groups are always popping up.

TargetCompany Ransomware Abuses FUD Obfuscator Packers

We discovered the implementation of an active campaign combining the Remcos remote access trojan (RAT) and the TargetCompany ransomware earlier this year. We compared this implementation to a previous sample and found that it applies a completely undetectable packer (FUD) to its binaries. By combining telemetry data and external threat hunting sources, we were able to collect an early sample of these in development. Recently, we found victims where this technique was used and specifically targeted.

New STOP ransomware variant

PC risk found a new STOP ransomware variant that added .yyza And yyt extension.

New Dharma ransomware variant

PCrisk discovered a new Dharma variant that adds .GPT extension.

August 8, 2023

Ransomware RHYSIDA: ANALYSIS OF ACTIVITIES AND RELATIONSHIPS WITH COMMUNITY REPRESENTATIVES

The Rhysida ransomware group was first exposed in May this year, and since then has been linked to several impactful intrusions, including an attack on the Chilean Army. More recently the group was also linked to the attack on Prospect Medical Holdings, which affected 17 hospitals and 166 clinics across the United States. Following this attack, the US Department of Health and Human Services defined Rhysida as a significant threat to the health sector.

What Cisco Talos knows about the Rhysida ransomware

Cisco Talos is aware of a recent advisory issued by the US Department of Health and Human Services (HHS) warning the healthcare industry about Rhysida ransomware activity.

New Xorist variant

PCrisk discovered a new variant of the Xorist ransomware adding .Proton extension and dropping the named ransom note HOW TO DECRYPTION FILE.txt.

August 9, 2023

Missouri warns that health info was stolen in the IBM MOVEit data breach

The Missouri Department of Social Services warns that protected Medicaid healthcare information was exposed in a data breach after IBM suffered a MOVEit data theft attack.

The Rhysida ransomware behind the recent attacks on healthcare

The Rhysida ransomware operation rose to prominence after a wave of attacks on healthcare organizations forced government agencies and cybersecurity firms to pay more attention to its operations.

Overview of the New Rhysida Ransomware Targeting the Healthcare Sector

On August 4, 2023, the HHS Health Sector Cyber Security Coordination Center (HC3) released a security alert about a relatively new ransomware named Rhysida (detected as Ransom.PS1.RHYSIDA.SM), which has been active since May 2023. In this blog entry, we will provide details about Rhysida, including its targets and what we know about its chain of infection.

August 10, 2023

New Harward Ransomware

PCrisk found a new ransomware variant added .harvard extension.

August 11, 2023

LOLEKHosted admin arrested for helping Netwalker ransomware gang

Police have brought down bulletproof hosting provider Lolek, arrested five people and seized servers for allegedly facilitating the Netwalker ransomware attack and other malicious activity.