Rewterz Threat Update – London’s Premier Hospital in Crisis: The Rhysida Ransomware Breach

Severity

High

Analysis Summary

King Edward VII’s Hospital, a prestigious private healthcare institution in London, has fallen victim to the Rhysida ransomware group, marking another high-profile cyberattack in the healthcare sector. The group claims to have successfully hacked the hospital, providing evidence on its Tor leak site by publishing images of stolen documents, including medical reports, x-rays, registration forms, and more.

Notably, the Rhysida ransomware operators assert that they have accessed data from a substantial number of patients and employees, including information related to the Royal Family. The group is offering this trove of sensitive data for auction, seeking 10 BTC for the entire dataset. Following their usual modus operandi, the ransomware group plans to sell the stolen data to a single buyer and will publicly release the information over a seven-day period if not sold.

The Rhysida ransomware gang has been active since May 2023, targeting at least 62 companies across various sectors, including education, healthcare, manufacturing, information technology, and government. The group’s attacks are categorized as “targets of opportunity.”

Recently, the British Library and China Energy Engineering Corporation were added to the list of Rhysida ransomware victims. In response to the escalating threat, the FBI and CISA issued a joint Cybersecurity Advisory as part of the ongoing effort. The advisory warns organizations about Rhysida ransomware attacks and provides details on tactics, techniques, and procedures (TTPs) along with indicators of compromise (IOCs) associated with the group. The report, covering investigations as recent as September 2023, highlights the actors’ focus on targets of opportunity and their utilization of ransomware-as-a-service (RaaS) models.

Rhysida actors employ external-facing remote services such as VPNs and RDPs for initial network access, maintaining persistence through compromised credentials. The group has exploited vulnerabilities like Zerologon (CVE-2020-1472) in Microsoft’s Netlogon Remote Protocol during phishing attempts. Living off-the-land techniques, and utilizing built-in network administration tools, contribute to the malicious operations of the Rhysida ransomware group. This incident underscores the critical need for enhanced cybersecurity measures, especially in the healthcare sector, to safeguard patient data and sensitive information from ransomware threats.

Impact

• Unauthorized Access
• Data Loss
• Financial Loss

Remediation

• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• It is important for organizations to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.