If ever there was a summer in which ransomware played out like a pastiche of the Hollywood movie industry, 2023 is the unwelcome example.
This might sound flippant, but there are instructive parallels. As with movies, there are summer releases, and at least one or two big hits that everyone gets to hear about. The creativity involved in both industries can be impressive, and the box-office takings can sound unearthly to outsiders.
Moviegoers are not victims, of course, but ransomware groups are in a similarly competitive race to get their hands on people's cash.
Judging a ransomware “hit” isn’t easy given the lack of any central statistics, but a standout candidate for that award this summer might be a new ransomware actor dubbed Rhysida.
Having a Clear Focus
In the past it would take months for agencies and vendors to report on a new ransomware group in any detail. Rhysida's rise has been far more abrupt: within a few weeks it went from unknown to the latest public enemy, a status it had reached by August.
Named after the alarmingly large centipede that its encrypted file extension references, Rhysida appears to treat almost any sector as fair game, including education, government, manufacturing, technology, and even the Chilean Army.
However, where the group has come into clearest focus is in its attacks on healthcare, with the U.S. Health Sector Cybersecurity Coordination Center putting out a long and quite detailed warning about the group in early August.
As readers will probably be aware, ransomware attacks on healthcare providers have become an ingrained and serious problem across the world this year, with no end in sight. Attacks on the sector were common before, but the disruption they caused was usually contained. That is no longer true: healthcare now suffers measurable disruption in almost every public incident.
In that context, Rhysida was probably behind a highly disruptive attack on California-based Prospect Medical Holdings, which runs 17 hospitals and 166 medical centers. A hospital in Portugal, and possibly another in Australia, were soon added to that medical-themed victim list.
Undoubtedly, there will be other victims that aren’t yet known, but one thing is clear: Rhysida is on the warpath and in a hurry to make its name.
The origins of the group (most probably Russia) and its links to other groups in terms of tactics, techniques, and procedures (Check Point suggests the Vice Society ransomware group as a candidate) remain unconfirmed for now.
Keeping Ransomware Simple
But perhaps what is most notable about Rhysida is the simplicity of its tactics. Successful attacks are believed to start with a simple phishing lure, after which tools such as Cobalt Strike and PsExec are used for lateral movement and to deploy the ransomware payload. None of this is novel: the same commodity tooling turns up in most human-operated ransomware intrusions, which also means the same detections apply.
The only unusual touch is the ransom note, which is cheekily couched as an offer from the Rhysida "cybersecurity team" to help the victim recover their files, for a fee, of course.
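Because the article names PsExec rather than any Rhysida-specific indicator, the natural detection to check for is PsExec's own, well-documented footprint: a new-service event (System log Event ID 7045) for a service named PSEXESVC or a binary dropped straight into %SystemRoot% via the ADMIN$ share, and a Sysmon pipe-creation event (Event ID 17) for the PSEXESVC control pipe. The following is an added example written for this page, not code from the article or from any vendor; the event records are constructed, and the "binary directly under %SystemRoot%" rule is a heuristic that will need tuning against your own baseline.

```python
"""Flag PsExec-style remote service installs in Windows event records.

Added example, not part of the original article. Rules are generic PsExec
artifacts, not Rhysida-specific indicators:
  * Event ID 7045 (Service Control Manager, "service was installed") whose
    ServiceName is PSEXESVC, or whose ImagePath sits directly under
    %SystemRoot% (PsExec copies its binary to ADMIN$; the -r switch renames
    the service but does not change where the binary lands).
  * Sysmon Event ID 17 (Pipe Created) whose PipeName contains PSEXESVC.
Field names follow the Windows / Sysmon event schema; the records below
are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

SERVICE_INSTALLED = 7045      # System log: a service was installed
SYSMON_PIPE_CREATED = 17      # Sysmon: named pipe created

# PsExec's default service and pipe name (weak on its own: -r renames it).
PSEXEC_NAME = re.compile(r"psexesvc", re.IGNORECASE)
# Heuristic: an executable registered directly under %SystemRoot%, with no
# subdirectory. Legitimate services almost always live under System32.
SYSTEMROOT_EXE = re.compile(r"^%systemroot%\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    event_id: int
    reason: str


def check_event(ev: dict) -> Optional[Finding]:
    """Return a Finding for one event record, or None if it looks benign."""
    eid = ev.get("EventID")
    host = ev.get("Computer", "?")
    if eid == SERVICE_INSTALLED:
        name = ev.get("ServiceName", "")
        image = ev.get("ImagePath", "")
        if PSEXEC_NAME.search(name):
            return Finding(host, eid, f"service {name!r} installed (PsExec default name)")
        if SYSTEMROOT_EXE.match(image):
            return Finding(host, eid, f"service binary dropped in %SystemRoot%: {image!r} (PsExec -r pattern)")
    elif eid == SYSMON_PIPE_CREATED:
        pipe = ev.get("PipeName", "")
        if PSEXEC_NAME.search(pipe):
            return Finding(host, eid, f"named pipe {pipe!r} created (PsExec control pipe)")
    return None


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run check_event over a stream of records and keep the hits."""
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},                     # default PsExec
    {"EventID": 7045, "Computer": "WS02", "ServiceName": "WinUpd",
     "ImagePath": "%SystemRoot%\\WinUpd.exe"},                       # PsExec -r WinUpd
    {"EventID": 7045, "Computer": "WS03", "ServiceName": "Sense",
     "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\""},
    {"EventID": 17, "Computer": "WS01", "PipeName": "\\PSEXESVC-WS01-1234-stdin"},
    {"EventID": 17, "Computer": "WS03", "PipeName": "\\lsass"},
    {"EventID": 4624, "Computer": "WS02", "LogonType": 3},           # not in scope here
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: event {f.event_id}: {f.reason}")
```

Run stand-alone, this prints three findings (two service installs on WS01 and WS02, one pipe on WS01) and stays silent on the Defender service and the lsass pipe. In practice the 7045 rule should be joined with the preceding network logon (4624, logon type 3) and the ADMIN$ share access (5140) from the same source, since a service install that arrives over SMB from a workstation is the real signal, regardless of what the service is called.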
What is striking is how easy Rhysida's rise has been, and how readily it has found victims without having to work terribly hard. This is how new ransomware groups often achieve notoriety: the devil keeps taking the hindmost because there are so many stragglers to choose from.
That is where any parallel with the movie business ends. Making movies is hard work, and failure is more common than success. Not so in ransomware in 2023. This is an industry that keeps turning out blockbusters, and all of us end up paying for them in one way or another.