Rhysida leaks nursing home data and demands $1.5 million from Axis

Ransomware gang may have Axis Health’s mental health and substance abuse records

Marianne Kolbasuk McGee (HealthInfoSec) •
October 11, 2024

Axis Health System posted a notice on its website informing patients that it is investigating a recent cyber incident (Image: Axis Health)

The Rhysida ransomware gang is threatening to release data from a Colorado provider of mental health, substance abuse and other healthcare services on the dark web unless it pays nearly $1.5 million. The group is also leaking records it claims to have stolen in an attack on a nursing home in Mississippi.

Rhysida’s growing list of suspected healthcare victims includes Axis Health System, a nonprofit healthcare organization that provides services ranging from primary care to psychiatric evaluations, mental health crisis management and substance addiction treatment, and Golden Age Nursing Home, which provides short- and long-term nursing and rehabilitation services.

On Friday, Rhysida listed Axis Health on its dark website and threatened to release the medical provider’s data within six days unless 25 Bitcoins – or about $1.48 million – are paid.

A notice was posted on Axis Health’s website stating that the company recently suffered a cyber incident. Axis Health “quickly followed its incident response protocol and took action to stop the activity and investigate the nature and scope of the incident. If it is determined that patient data has been affected, affected individuals will be notified directly via email,” the notice said.

Axis Health also said its primary care patient portal is “currently offline.”

Axis Health did not immediately respond to Information Security Media Group’s request for comment.

Rhysida also claims on its dark website to have breached Golden Age Nursing Home in Mississippi. The gang said it has begun publishing 102 GB of data, 35,310 files in all, including medical records and discharge reports that it says belong to Golden Age.

Golden Age did not immediately respond to ISMG’s request for comment, and as of Friday its website carried no notice of any security incident.

So far this year, Rhysida has claimed numerous other attacks on healthcare facilities, including the Ann & Robert H. Lurie Children’s Hospital in Chicago, Bayhealth in Delaware and the Community Care Alliance in Rhode Island (see: Rhysida claims major data theft from two additional healthcare systems).

Rhysida also took credit for an attack on California hospital chain Prospect Medical last year (see: Prospect Medical faces further legal consequences as a result of the hack in 2023).

As of Friday, the gang listed nearly 105 organizations on its dark website, dating back to around June 2023.

Rhysida, which first emerged around May 2023, was the subject of two assessments from the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center – one in August 2023 and one in January. Security researchers believe the group is based in Russia or the neighboring Commonwealth of Independent States (see: Authorities warn health sector of attacks by Rhysida Group).

Significant threat

The group has also drawn attention from other federal agencies, including the FBI and CISA, which issued a joint advisory about Rhysida last November.

According to HHS HC3, Rhysida is a 64-bit portable executable (PE) Windows ransomware application that encrypts victims’ files and is compiled with MinGW/GCC.

The double-extortion gang deploys its malware in a variety of ways, HHS HC3 said. These include penetrating targets’ networks through phishing attacks, “and by dropping payloads on compromised systems after the initial deployment of Cobalt Strike or similar command-and-control frameworks.”

Other experts agree that Rhysida poses a significant threat to the healthcare sector.

Although Rhysida is not one of the most “prolific” ransomware groups on the scene, the gang has been active continuously since May 2023 and is now considered an established ransomware-as-a-service group, said Jason Baker, senior security consultant at GuidePoint Security.

“Rhysida doesn’t come to the fore because they are the worst offenders in terms of quantity when it comes to health facilities,” he said.

“Rhysida is actually only in seventh place with 4.4% of observed healthcare attacks, well behind LockBit at 14.8%, RansomHub at 10% and Bianlian at 9.1%.”

Because of the sensitivity of the victims they hit, “which consistently includes non-profit organizations, charities and sensitive health organizations that provide life-threatening care,” the group is considered one of the most concerning threat actors, he said.

“The healthcare sector – which is highly regulated and contains sensitive patient records and vulnerable life-saving systems – will continue to be targeted by malicious actors like Rhysida for years to come,” said Scott Weinberg, CEO of security firm Neovera.

“Healthcare providers need to ensure they are up to date on the latest threats and have an ongoing cyber threat management and response program led by an experienced CISO leading their cyber team.”

Meanwhile, Rhysida remains on the watch lists of government agencies including the FBI and CISA, said Sean Deuby, chief technologist at security firm Semperis.

“Disruptions to their operations would be welcomed by both authorities,” he said. “No attack is acceptable, but the ransomware attack on Lurie Children’s Hospital in January is abhorrent as this world-renowned care center treats our most vulnerable young people with cancer.”

“Make no mistake that ransomware gangs attacking hospitals is no coincidence. They are calculated because they assume that a hospital is more likely to pay a ransom when systems fail and patient lives are at risk.”