Image: Pixabay via Pexels

Prospect Medical hospitals still recovering from ransomware attack

The 16 hospitals run by Prospect Medical Holdings are still recovering from a ransomware attack announced last Thursday that caused severe outages at facilities in four states.

Several of the hospitals were forced to divert ambulances to other healthcare facilities, cancel appointments and close smaller clinics while the parent company dealt with the attack.

Waterbury Hospital in Connecticut wrote on Facebook Tuesday that its computer systems “continue to be down throughout the network due to a data security incident.” The hospital has been forced to use paper records while treating patients and has had to cancel outpatient services such as diagnostic imaging and blood draws.

On its website, Prospect Medical said all facilities continue to experience a systemwide outage.

A spokesperson for the hospital said the ransomware attack began on Thursday but did not know when it would be resolved.

“We are working to resolve the issue as soon as possible and regret any inconvenience,” they said. All of the hospitals controlled by Prospect Medical carry the same alert on their websites about the incident.

The incident has drawn national headlines due to how widespread it is, covering healthcare facilities in multiple states. The company has facilities in California, Rhode Island, Connecticut and Pennsylvania.

Mark Green (R-TN), the chairman of the House Committee on Homeland Security, told Recorded Future News in a statement that the attacks are “extremely concerning.”

“Attacks on our critical infrastructure, particularly our health infrastructure, are unacceptable,” he said. “We urge impacted entities to work closely with the FBI, CISA [Cybersecurity and Infrastructure Security Agency], and other appropriate Federal agencies to facilitate the incident response and bring these hospitals back online.”

Rhysida to blame

Several sources told Recorded Future News that the Rhysida ransomware group was behind the attack. While the FBI and the U.S. Department of Health and Human Services (HHS) declined to comment on the perpetrators, HHS published a warning to all hospitals on Friday about Rhysida, noting that it was a relatively new ransomware-as-a-service (RaaS) group that emerged in May.

The HHS report notes that Rhysida is “still in early stages of development, as indicated by the lack of advanced features and the program name Rhysida-0.1.”

“Its victims are distributed throughout several countries across Western Europe, North and South America, and Australia,” HHS explained. “They primarily attack education, government, manufacturing, and technology and managed service provider sectors; however, there has been recent attacks against the Healthcare and Public Health (HPH) sector.”

Little is known about the group and where the actors behind it are based. Their name is a reference to a kind of centipede. The group typically breaches victim networks through phishing attacks, with the ransom notes delivered as PDF documents threatening victims with the leak of stolen data if payment is not received.

HHS and several experts noted that the group’s attack on the Chilean government was devastating for the country and signaled that, like many other ransomware gangs, Rhysida appears not to target former Soviet republics or bloc countries in Eastern Europe and Central Asia’s Commonwealth of Independent States.

The group also previously launched a devastating attack on the island of Martinique, crippling the government there.

Rhysida has so far added eight victims to its dark web leak site and has published data stolen from five of them.

Cybersecurity experts and HHS added that there are clues indicating Rhysida may have ties to the Vice Society ransomware group. While some believe these are tenuous, HHS said the mutual targets signaled that there was a link.

“In terms of commonalities, both groups mainly target the education sector. 38.4% of Vice Society’s attacks targeted the education sector, compared to 30% of Rhysida’s. Of note, Vice Society mainly targets both educational and healthcare institutions, preferring to attack small-to-medium organizations,” HHS said.

“If there is indeed a linkage between both groups, then it is only a matter of time before Rhysida could begin to look at the healthcare sector as a viable target. In only a short time, Rhysida has proven itself to be a significant threat to organizations worldwide.”

HHS said some cybersecurity experts “advise that the healthcare industry acknowledge the ubiquitous threat of cyberwar against them” and recommend a range of measures that include multi-factor authentication, routine patching and staff education about phishing threats.

HHS also provides free vulnerability scanning to all hospitals if they need it.

In addition to the attack on Prospect Medical, the gang is accused of attacking a major hospital in Portugal this week as well.

Sergey Shykevich, threat intelligence group manager at Check Point Research, said in the past four weeks alone, on average one in 29 healthcare organizations in the U.S. have been impacted by ransomware.

“With its massive attack surface and trove of personal health data, the healthcare industry is a shiny and lucrative target for cyber criminals. We're all seeing the impacts as hospitals must shut down emergency rooms, re-route ambulances and resort to pen and paper for medical records,” he said.

“On the technical side, we see continuation of the trend when ransomware groups frequently rebrand and change the encryption payload they use. In this specific case, we see that most likely the notorious Vice Society group that targeted mostly Education and Healthcare, reappeared now as Rhysida – and targets the same sectors.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.