The Week in Ransomware - August 11th 2023 - Targeting Healthcare
While some ransomware operations claim not to target hospitals, one relatively new ransomware gang named Rhysida doesn't seem to care.
Rhysida launched in May 2023, when it quickly started to make a name for itself as it made indiscriminate attacks on hospitals, the enterprise, and even government agencies.
The group first came to notoriety after attacking the Chilean Army (Ejército de Chile) and leaking stolen data.
Now the ransomware gang is making the headlines due to its targeting of healthcare, with the group believed to be behind the attacks on Prospect Medical Group, impacting 17 hospitals and 166 clinics across the United States.
This led to a flurry of reports released by the U.S. Department of Health and Human Services, Trend Micro, Cisco Talos, and Check Point Research.
We also saw additional reports on ransomware about TargetCompany, code leaks impacting the RaaS ecosystem, and a new threat actor using a customized version of Yashma ransomware.
In other news, we continue to see the fallout from Clop's MOVEit data-theft attacks, with Missouri's Department of Social Services warning that data was stolen from IBM's MOVEit server.
Finally, Europol and the U.S. Department of Justice announced the takedown of the LOLEKHosted bulletproof hosting provider, saying that one of the arrested admins facilitated Netwalker ransomware attacks by hosting storage servers for the gang.
Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @struppigel, @Ionut_Ilascu, @serghei, @LawrenceAbrams, @malwrhunterteam, @billtoulas, @demonslay335, @BleepinComputer, @HHSGov, @TrendMicro, @TalosSecurity, @_CPResearch_, @IRS_CI, and @pcrisk.
August 7th 2023
New threat actor targets Bulgaria, China, Vietnam and other countries with customized Yashma ransomware
Talos assesses with high confidence that this threat actor is targeting victims in English-speaking countries, Bulgaria, China and Vietnam, as the actor’s GitHub account, “nguyenvietphat,” has ransomware notes written in these countries’ languages. The presence of an English version could indicate the actor intends to target a wide range of geographic areas.
Code leaks are causing an influx of new ransomware actors
Ransomware gangs are consistently rebranding or merging with other groups, as highlighted in our 2022 Year in Review, or these actors work for multiple ransomware-as-a-service (RaaS) outfits at a time, and new groups are always emerging.
TargetCompany Ransomware Abuses FUD Obfuscator Packers
We found active campaign deployments combining remote access trojan (RAT) Remcos and the TargetCompany ransomware earlier this year. We compared these deployments with previous samples and found that these deployments are implementing fully undetectable (FUD) packers to their binaries. By combining telemetry data and external threat hunting sources, we were able to gather early samples of these in development. Recently, we found a victim on which this technique was deployed and targeted specifically at.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .yyza and .yytw extensions.
New Dharma ransomware variant
PCrisk found a new Dharma variant that appends the .GPT extension.
August 8th 2023
THE RHYSIDA RANSOMWARE: ACTIVITY ANALYSIS AND TIES TO VICE SOCIETY
The Rhysida ransomware group was first revealed in May this year, and since then has been linked to several impactful intrusions, including an attack on the Chilean Army. Recently the group was also tied to an attack against Prospect Medical Holdings, affecting 17 hospitals and 166 clinics across the United States. After this attack, the US Department of Health and Human Services defined Rhysida as a significant threat to the healthcare sector.
What Cisco Talos knows about the Rhysida ransomware
Cisco Talos is aware of the recent advisory published by the U.S. Department of Health and Human Services (HHS) warning the healthcare industry about Rhysida ransomware activity.
New Xorist variant
PCrisk found a new Xorist ransomware variant that appends the .PrOToN extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
August 9th 2023
Missouri warns that health info was stolen in IBM MOVEit data breach
Missouri's Department of Social Services warns that protected Medicaid healthcare information was exposed in a data breach after IBM suffered a MOVEit data theft attack.
Rhysida ransomware behind recent attacks on healthcare
The Rhysida ransomware operation is making a name for itself after a wave of attacks on healthcare organizations has forced government agencies and cybersecurity companies to pay closer attention to its operations.
An Overview of the New Rhysida Ransomware Targeting the Healthcare Sector
On August 4, 2023, the HHS’ Health Sector Cybersecurity Coordination Center (HC3) released a security alert about a relatively new ransomware called Rhysida (detected as Ransom.PS1.RHYSIDA.SM), which has been active since May 2023. In this blog entry, we will provide details on Rhysida, including its targets and what we know about its infection chain.
August 10th 2023
New Harward ransomware
PCrisk found a new ransomware variant that appends the .harward extension.
August 11th 2023
LOLEKHosted admin arrested for aiding Netwalker ransomware gang
Police have taken down the Lolek bulletproof hosting provider, arresting five individuals and seizing servers for allegedly facilitating Netwalker ransomware attacks and other malicious activities.
New MedusaLocker variant
PCrisk found a new ransomware variant that appends the .alock extension.