HC3 Gives Warning About the Rhysida Ransomware Group and the Increasing Data Breaches for M&As

The HHS Health Sector Cybersecurity Coordination Center (HC3) has released a security advisory regarding a new ransomware group called Rhysida, which is carrying out high-impact attacks across several industries. Attacks have been carried out in Australia, Western Europe, and North and South America, with Italy, the United States, the United Kingdom, and Spain suffering the most ransomware attacks. The main targets appear to be in the government, education, technology, and manufacturing industries; however, the group has also carried out a number of ransomware attacks on the healthcare and public health (HPH) sector.

Rhysida is a ransomware-as-a-service group that recruits affiliates to perform attacks using its ransomware variant, with the affiliate receiving a percentage of the ransom payments generated. The group was first discovered in May 2023. Its ransomware variant appears to be in the early stages of development, as it lacks the sophisticated capabilities seen in the ransomware variants used by more established threat groups.

Rhysida ransomware is deployed after initial access to victims’ systems has been obtained through phishing attacks and the exploitation of software vulnerabilities. The Cobalt Strike attack framework is used on breached systems to deliver the ransomware payload. The ransomware uses a 4096-bit RSA key together with the ChaCha20 algorithm for file encryption. A PDF ransom note is dropped onto the encrypted drives demanding payment in Bitcoin in exchange for the decryption keys and for not exposing the stolen information. The notes do not state a ransom amount; victims must contact the ransomware group via TOR to negotiate payment. Rhysida was responsible for the attack on the Chilean Army and, at this point, has 8 attacks posted on its data leak website, with stolen information from five of those attacks already published.

Security researchers have not confirmed whether there is a link between the Rhysida ransomware-as-a-service operation and other ransomware or cybercriminal groups, but several believe there could be a connection with the Vice Society group, which likewise mainly attacks the education sector. HC3’s advisory includes Indicators of Compromise (IoCs) to help network defenders identify attacks, along with several proactive measures healthcare providers can take to strengthen their security and prevent attacks.

Healthcare Data Breach Risk Increases Two-fold in 2-Year Window Around M&As

According to new research by Ph.D. candidate Nan Clement of the University of Texas at Dallas, the risk of a data breach at hospitals doubles in the year before and the year after mergers and acquisitions (M&As).

Clement reviewed data breach information from the HHS’ Office for Civil Rights (OCR) for the years 2010 to 2022, compared the documented breaches with M&A information covering roughly the same period, and determined that the likelihood of a data breach was 3% for hospitals that merged during the assessed period. However, the risk doubled to 6% for merger targets, sellers, and buyers during the two-year window spanning the year before and the year after the merger. Clement also found that hacking incidents and insider breaches increased after a hospital merger or acquisition was announced. Google Trends data likewise showed a rise in searches for the name of the target hospital immediately after the announcement, and this was linked to the hacking activity.

Ransomware attacks and hacking were found to occur more often throughout the two-year M&A window. During this sensitive period, cybercriminals may sense a higher likelihood that ransom demands will be paid, and the number of exploitable weaknesses may rise as a result of incompatibilities between the two hospitals’ data systems; vulnerabilities and errors by staff can quickly be exploited by cybercriminals. The FBI previously alerted organizations that hackers, and ransomware groups in particular, often time their attacks around significant financial events such as M&As, since these give them more leverage. Clement additionally found a rise in insider misconduct during the two-year period around M&As.

According to the newly released IBM Security report, “Cost of a Data Breach Study,” healthcare data breaches currently cost roughly $11 million per breach, higher than data breaches in any other industry, and the HHS’ Office for Civil Rights breach portal data show a large increase in hacking incidents over the last couple of years. Given the substantial cost of data breaches, it is important for hospital administrators, cybersecurity specialists, and health, security, and finance experts to work together to improve cybersecurity measures in hospitals, Clement advises in the paper. Clement found that mergers involving publicly traded hospitals often see a reduction in data breaches during the merger. “Hospital managers ought to think about taking on the risk management processes generally used by professional investors and openly traded private hospitals. This integration of risk management practices can result in better overall organizational capital for safeguarding the hospitals.”

The findings of the peer-reviewed paper, M&A Effect on Data Breaches in Hospitals: 2010-2022, were presented at the 22nd Workshop on the Economics of Information Security in Geneva last month.