On August 4th, 2023, the parent company of Eastern Connecticut Health Network and Waterbury Health, Prospect Medical Holdings (PMH), announced that all of its facilities were facing IT complications. Prospect Medical Holdings is the parent company of over 16 hospitals and 165 outpatient clinics in over 4 states (California, Connecticut, Pennsylvania, Rhode Island). It was later speculated, by a trusted H-ISAC internal source, that the ransomware group responsible was Rhysida. HHS/HC3 has also published a Sector Alert on the ransomware group which includes Indicators of Compromise (IOCs). The group had previously focused on targeting the education, government, manufacturing, technology, and managed services sectors, but Rhysida now appears to be shifting its targeting to better facilitate its double-extortion attacks. With the healthcare sector growing as a popular target among ransomware groups due to its perceived vulnerability to compromise and extortion, it is understandable that the group has begun to focus on healthcare.
Check Point researchers recently examined a Rhysida ransomware incident against an educational institution and discovered a set of unique tactics, techniques, and procedures (TTPs) that were similar to those of Vice Society. This revealed a technical similarity between the two groups. According to Check Point researchers, the Vice Society ransomware group was observed to slow in activity while the Rhysida ransomware group increased its activity, all the while having a similar and overlapping victimology. Some researchers hold that Rhysida is a rebranding of Vice Society ransomware. However, it is not the first time newly created ransomware groups have leveraged preexisting architecture and toolsets from other ransomware groups. Trend Micro researchers have also published a report breaking down the Rhysida ransomware group's activities.
While many threat intelligence researchers have broken down the group's TTPs, it should be stated that the majority of ransomware groups have still been found to rely heavily on phishing campaigns for initial access. However, in a report published by Akamai researchers, the security firm noted an increase in the exploitation of 0-day and 1-day vulnerabilities. This can be seen in the most recent Clop ransomware activity, and while most enterprise corporations have a robust vulnerability management patching schedule, exploitation of 0-day and 1-day vulnerabilities is very difficult to mitigate against.
RSM Defense Analyst Notes: The RSM Defense Intelligence analyst recommends security awareness training for employees to mitigate potential phishing campaigns, enabling multifactor authentication, following least-privilege access best practices for employees and contractor personnel, removing dormant accounts from networks, 24×7 network activity monitoring, and installation of security tools that can alert on and detect potentially malicious activity within networked environments. It is also recommended that organizations leverage alerting and detection security toolsets that are able to ingest the indicators of compromise (IOCs) provided by HC3; however, a more flexible solution such as machine learning and artificial intelligence tooling may need to be explored for a more robust network security defense. It should be stated that, as some ransomware groups transition into 0-day and 1-day vulnerability exploitation, additional Cyber Threat Intelligence and vulnerability risk management solutions are recommended, in addition to a 24×7 Security Operations Center monitoring network activity, in order to react to the ever-changing cyber threat landscape.
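The recommendation above to ingest a published IOC list (such as the HC3 Sector Alert) into detection tooling is straightforward to demonstrate. The following is an added example written for this page, not code from RSM Defense, HC3 or any vendor: it parses a small indicator feed in an assumed "type,value,note" CSV layout, extracts IP addresses, hostnames and SHA-256 hashes from constructed proxy and EDR log lines, and emits an alert for every match. Every indicator value and log line here is a constructed placeholder (RFC 5737 test addresses, a `.example` domain, an all-zero hash); none are real Rhysida IOCs, which must be taken from the HC3 alert itself.

```python
"""
Added example (not from the original advisory): a minimal IOC-ingestion and
log-matching routine of the kind a SOC might use to turn a published
indicator list into alerts. All indicator values and log lines are
constructed placeholders, not real Rhysida indicators.
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass

# Constructed IOC feed in an assumed "type,value,note" CSV layout.
IOC_FEED = """type,value,note
ipv4,192.0.2.45,placeholder C2 address (RFC 5737 test range)
domain,staging.bad-domain.example,placeholder distribution domain
sha256,0000000000000000000000000000000000000000000000000000000000000001,placeholder payload hash
"""

# Constructed log lines: two proxy events and one EDR file-create event.
SAMPLE_LOGS = [
    "2023-08-04T10:12:01Z proxy src=10.1.4.22 dst=192.0.2.45 host=staging.bad-domain.example action=ALLOW",
    "2023-08-04T10:13:44Z proxy src=10.1.4.23 dst=198.51.100.7 host=update.microsoft.com action=ALLOW",
    "2023-08-04T10:15:09Z edr host=WS-0042 file=C:\\Users\\Public\\ps.exe "
    "sha256=0000000000000000000000000000000000000000000000000000000000000001 action=CREATE",
]


@dataclass(frozen=True)
class Alert:
    ioc_type: str   # ipv4 | domain | sha256
    value: str      # the indicator that matched (normalized)
    note: str       # analyst note carried over from the feed
    log_line: str   # the raw event that triggered the alert


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.\-]+)")


def load_iocs(feed_text: str) -> dict[str, dict[str, str]]:
    """Parse the CSV feed into {ioc_type: {normalized_value: note}}."""
    table: dict[str, dict[str, str]] = {}
    for row in csv.DictReader(io.StringIO(feed_text)):
        ioc_type = row["type"].strip().lower()
        # Lower-case and strip a trailing dot so FQDN variants still match.
        value = row["value"].strip().lower().rstrip(".")
        table.setdefault(ioc_type, {})[value] = row.get("note", "")
    return table


def extract_observables(line: str) -> dict[str, set[str]]:
    """Pull candidate indicators out of one log line, keyed by IOC type.

    The host= field is read as a hostname; on an EDR line it may be a
    workstation name, which simply never matches a domain indicator.
    """
    hosts = {h.lower().rstrip(".") for h in HOST_RE.findall(line)}
    return {
        "ipv4": set(IPV4_RE.findall(line)),
        "domain": hosts,
        "sha256": {h.lower() for h in SHA256_RE.findall(line)},
    }


def match_logs(lines: list[str], iocs: dict[str, dict[str, str]]) -> list[Alert]:
    """Return one Alert per (indicator, log line) pair that matches."""
    alerts: list[Alert] = []
    for line in lines:
        observed = extract_observables(line)
        # IPs and hashes match exactly.
        for ioc_type in ("ipv4", "sha256"):
            for value in sorted(observed[ioc_type] & set(iocs.get(ioc_type, {}))):
                alerts.append(Alert(ioc_type, value, iocs[ioc_type][value], line))
        # A domain indicator matches the host itself or any subdomain of it.
        for host in sorted(observed["domain"]):
            for ioc, note in iocs.get("domain", {}).items():
                if host == ioc or host.endswith("." + ioc):
                    alerts.append(Alert("domain", ioc, note, line))
    return alerts


if __name__ == "__main__":
    for a in match_logs(SAMPLE_LOGS, load_iocs(IOC_FEED)):
        print(f"[{a.ioc_type}] {a.value} ({a.note}) <- {a.log_line}")
```

Run as a script, the example raises three alerts: the first proxy line hits both the IP and the domain indicator, the second line is clean, and the EDR line hits the hash. Matching subdomains against a domain indicator is a deliberate design choice; a real deployment would also want an allow-list for hashes of known-good binaries and would feed the alerts into the SOC's case management rather than printing them.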