Rhysida Ransomware Targeted Royal Family’s Medical Records

Dec 14, 2023

Rhysida ransomware is a fast-growing cyber threat. First appearing in May 2023, it’s recently been involved in multiple high-profile cyberattacks. One of the latest was an attack on London’s King Edward VII Hospital, which stores medical records for the British Royal Family. While it’s still unknown which exact records have been impacted, the hacker claimed the Royal Family’s healthcare data was included. They’re ransoming the records for $380K USD in Bitcoin.

Cybersecurity experts don’t often recommend paying a ransom since there is no guarantee that the attacker will release the data when paid. However, due to the potential impact on the Royal Family and other patients, many expect them to pay it. Due to how cryptocurrency works, Bitcoin transactions are publicly viewable, but the identity behind them can be hard to uncover. That makes it a popular payment form for ransomware attacks.

How Rhysida Ransomware Attacks Work

Rhysida ransomware attacks begin when hackers access systems, often by exploiting weak spots in remote access services or tricking users with deceptive emails. Once inside, they use common system tools to spread the malware and avoid detection. The ransomware locks files with strong encryption, making them inaccessible, and renames them with a “.rhysida” extension.

Rhysida ransomware is effective because of how it stays under the radar. It uses a ‘living off the land’ approach, relying on common commands and software to carry out its activities. Since its actions are designed to appear like normal computer behavior, it’s harder for security systems to detect. It can also move across networks, meaning a mistake by one person is all it takes to spread it to everyone else on the network.
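A defender-side check for the “.rhysida” rename behavior described above, as an added example that is not part of the original article: it scans file-rename events for a burst of renames to that extension from a single host. The log line format, the threshold and the time window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (assumed format): ISO time|host|old path|new path
SAMPLE_EVENTS = """\
2023-12-01T09:00:01|ws-014|C:\\Share\\q3.xlsx|C:\\Share\\q3.xlsx.rhysida
2023-12-01T09:00:02|ws-014|C:\\Share\\notes.docx|C:\\Share\\notes.docx.RHYSIDA
2023-12-01T09:00:03|ws-014|C:\\Share\\scan.pdf|C:\\Share\\scan.pdf.rhysida
2023-12-01T09:00:04|ws-022|C:\\Tmp\\a.txt|C:\\Tmp\\b.txt
2023-12-01T09:30:00|ws-031|C:\\Lab\\sample.bin|C:\\Lab\\sample.bin.rhysida
malformed line without separators
"""

EXTENSION = ".rhysida"  # extension named in the article


def parse_event(line):
    """Return (time, host, new_path), or None for lines that do not parse."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return when, parts[1], parts[3]


def find_rename_bursts(log_text, threshold=3, window_seconds=60):
    """Map host -> time it first hit `threshold` matching renames in one window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # host -> timestamps of matching renames
    alerts = {}
    events = sorted(filter(None, map(parse_event, log_text.splitlines())),
                    key=lambda e: e[0])
    for when, host, new_path in events:
        if not new_path.lower().endswith(EXTENSION):  # case-insensitive match
            continue
        times = recent[host]
        times.append(when)
        while when - times[0] > window:
            times.popleft()  # drop renames that fell out of the window
        if len(times) >= threshold and host not in alerts:
            alerts[host] = when
    return alerts


if __name__ == "__main__":
    for host, when in find_rename_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: burst of {EXTENSION} renames at {when.isoformat()}")
```

A single file carrying the extension (ws-031 in the sample) stays below the threshold, which keeps an analyst's stored sample from raising the alert.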

Once infected with this ransomware, victims are pressured to pay a ransom to regain access to their files and to prevent their private information from being publicly shared. The attackers leave a digital note with instructions on paying the ransom using a secure internet connection.

Industries Targeted by Rhysida Ransomware

Nearly 73% of organizations have been affected by ransomware in some way, whether directly or indirectly. Ransomware has continued to grow over the past decade, a concerning trend as more people are impacted by it. As a relatively new ransomware, Rhysida hasn’t been involved in too many headline attacks, but it’s seen increased usage over the past few months. Between May and December 2023, only a handful of industries have been targeted so far.

Schools and Universities: These institutions are attacked for their trove of personal data and research information. Additionally, some educational institutions cut corners on funding cybersecurity, making them easier targets.

Production Facilities: Manufacturing companies are often targeted due to the critical nature of their operations. Disruptions caused by ransomware can lead to significant financial losses and operational chaos, increasing the likelihood of ransom payments.

Hospitals and Health Service Providers: The healthcare sector is particularly vulnerable due to the critical nature of its services. Disruption in healthcare services can have life-threatening consequences, making these institutions more likely to pay a ransom to restore their systems quickly.

Local and National Agencies: Government agencies are hit for the sensitive and confidential information they hold. A successful ransomware attack can provide financial gain for attackers, potentially disrupt public services, and extract sensitive state information.

IT and Tech Service Providers: These companies are high-value targets due to their access to a wide range of client networks and data. Compromising one of these providers can lead to a cascade of breaches across multiple companies.

The education and manufacturing sectors were the main two targets early on, but in recent months, that has expanded to include other areas. The effectiveness of Rhysida so far is likely what emboldened the hackers to start targeting healthcare providers.

Not Even the Royal Family Is Immune to Cyberattacks

The recent Rhysida ransomware attack that targeted the Royal Family’s medical records shows that even the most guarded family in Britain can be at risk. Since most healthcare data is stored digitally in some form, it can be difficult to protect it from every type of attack. One UK news outlet reported the Royal Family’s data was likely kept separate, though that hasn’t been confirmed or denied yet. The incident is under investigation by the National Cyber Security Centre (NCSC) and the local police.

Ways To Protect Yourself Against Rhysida Ransomware

The Rhysida ransomware represents a significant threat to security, requiring a proactive and layered approach. Below are key tactics recommended by the Health Sector Cybersecurity Coordination Center (HC3) to help prevent ransomware attacks like Rhysida:

Virtual Patching:

Rhysida targets known software vulnerabilities. Employing virtual patching is a swift response to shield systems against such vulnerabilities, particularly when conventional patches are unavailable or delayed due to testing protocols. This method acts as an immediate buffer, enhancing security in critical times.

Phishing Awareness:

With Rhysida often infiltrating systems via phishing, educating employees about these deceptive tactics is vital. Regular, interactive training sessions can significantly heighten staff vigilance, enabling them to identify and sidestep phishing traps adeptly.

Endpoint Security Solutions:

Endpoint security tools are crucial in preempting ransomware attacks. They monitor all network entry points, detecting and neutralizing malicious software. Additionally, these solutions offer functionalities to isolate or purge compromised data remotely, preventing the spread of ransomware.

Immutable Backup Systems:

Implementing immutable backups creates a fail-safe against ransomware attacks. Since they’re immune to alteration or deletion, they counter many ransomware threats. That being said, stolen data can still be sold or leaked elsewhere. These backups only guarantee the organization doesn’t lose access to the data.

Network Segmentation:

Dividing the network into isolated segments can significantly limit ransomware effectiveness. In the event of a breach in one segment, this prevents the spread to other parts of the network, safeguarding critical data and systems.

Advanced Firewalls and Threat Detection:

Integrating firewalls and threat detection systems adds a robust layer of defense. These technologies are adept at identifying and blocking anomalous activities, potentially thwarting attacks before they inflict substantial harm.

Incident Response Planning:

A well-structured incident response plan serves as a guideline for handling ransomware attacks swiftly and effectively. This plan minimizes operational disruptions and mitigates damage, ensuring a coordinated and efficient response to cyber threats.

Limit User Permissions to What They Need:

Limiting user and application access rights to the bare minimum is a simple yet effective tactic. This approach restricts ransomware’s ability to encrypt or spread across the network, acting as a barrier to unauthorized access and activities.

These strategies play a role in creating a flexible defense system against Rhysida ransomware, turning reactive measures into proactive shields. By integrating these tactics, organizations can stay one step ahead of such dangerous threats.

Future Trends in Ransomware: Learning from Rhysida

The recent attack on the Royal Family’s medical records by Rhysida ransomware marks another shift in cybercrime tactics. Not only are attackers encouraged to attack high-profile targets, but the ransomware itself is becoming increasingly difficult to detect as it works in the background. Ransomware damages are projected to reach 265 billion USD by 2031, an 814x increase from as recently as 2015.

As ransomware becomes more advanced, using technologies like artificial intelligence for tailored, stealthier attacks is also likely. This progression emphasizes the importance of proactive cybersecurity strategies, including regular updates and training. This Rhysida ransomware case serves as a crucial reminder that no matter the individual, family, or organization, anyone can be the target of a cyberattack.

The best defense against ransomware is proactive cybersecurity. If your business needs IT security help, reach out for a consultation via our contact form or call us at +1 (800) 297-8293.
