Bayhealth Hospital Hit by Rhysida Ransomware: Data Compromised

Incident Date:

August 7, 2024

Overview

Victim

Bayhealth Hospital

Attacker

Rhysida

Location

Dover, Delaware, USA

First Reported

August 7, 2024

Ransomware Attack on Bayhealth Hospital by Rhysida Group

Bayhealth Medical Center, the largest healthcare provider in central and southern Delaware, has been named as a victim of the Rhysida ransomware group. Bayhealth detected the intrusion on July 31, 2024; the stolen data reportedly includes Social Security Numbers and scanned passports, and the attackers are demanding 25 Bitcoin (approximately $1.4 million at the time) in exchange for not publishing it.

About Bayhealth Medical Center

Bayhealth Medical Center operates as the largest healthcare system in central and southern Delaware, employing nearly 4,000 individuals and over 450 physicians. The organization provides a comprehensive range of medical services across multiple facilities, including hospitals, outpatient centers, and urgent care locations. Bayhealth is recognized for its high standards in patient care, with numerous accolades such as Magnet Recognition for nursing excellence and the Gold Seal of Approval from The Joint Commission.

Attack Overview

The ransomware attack was identified when Bayhealth noticed unusual activity within its computer systems. Immediate actions were taken to contain the threat, including disconnecting from specific external systems and engaging a cybersecurity firm for investigation. Despite temporary disruptions, Bayhealth's Epic EHR system remained operational, and normal operations have since resumed. Rhysida has posted screenshots of stolen passports and ID cards on its Tor leak site, threatening to auction the data if the ransom is not paid by August 14, 2024.

About Rhysida Ransomware Group

Rhysida is a relatively new ransomware group, first observed in May 2023. It targets the healthcare, education and government sectors, among others, gaining access through phishing and exposed remote-access services and then relying on legitimate administration tools already present on the network rather than custom malware. Rhysida runs a double-extortion operation: data is exfiltrated before encryption and the group threatens to publish or auction it unless the ransom is paid. The encryptor uses the ChaCha20 stream cipher and drops its ransom note as a PDF named "CriticalBreachDetected.pdf", which makes that filename a simple, high-confidence indicator on affected hosts.

Penetration and Vulnerabilities

The initial access vector at Bayhealth has not been disclosed. Based on the group's known tradecraft, Rhysida most likely obtained valid credentials (for example through phishing) and used them to connect to the network over VPN; credential-only VPN access of this kind generally succeeds only where multi-factor authentication is missing or can be bypassed. Once inside, the group is known to map the network with Advanced IP Scanner and Advanced Port Scanner and to move laterally with Sysinternals PsExec. Both are legitimate tools, so detection depends on context: a PSEXESVC service being installed on a file server by an account that has never used it, or a scanner binary launched from a user's Downloads folder, should be treated as a lead. Bayhealth's heavy reliance on digital systems and the sensitivity of healthcare data make it, like most hospitals, an attractive ransomware target, which is why MFA on every remote-access path and alerting on these tools matter.
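The following is an added example, not code from this page or from the RRA site, showing how the indicators named above (a PSEXESVC service installation, execution of Advanced IP/Port Scanner or PsExec, and creation of a file called CriticalBreachDetected.pdf) can be triaged from exported Windows event records. The event records, host names, user names and the category labels are all constructed for the example; the field names assume a flattened JSON export of Security event 4688, System event 7045 and Sysmon event 11, which is an assumption and will differ between SIEMs.

```python
"""Triage exported Windows events for the Rhysida tradecraft described above.

Added example: sample events and field names are constructed, not real
Bayhealth telemetry. Category labels are hypothetical names chosen here.
"""
import re
from dataclasses import dataclass

# Recon / lateral-movement binaries the page names (Advanced IP/Port Scanner, PsExec).
TOOL_RE = re.compile(
    r"^(advanced[_ ]?(ip|port)[_ ]?scanner|psexec(64)?|psexesvc)\.exe$", re.IGNORECASE
)
# Rhysida's ransom note filename, compared case-insensitively.
NOTE_NAME = "criticalbreachdetected.pdf"

# Constructed sample export (assumed flattened JSON fields).
SAMPLE_EVENTS = [
    {"host": "ws-0412", "event_id": 4688, "user": "jdoe",
     "new_process": r"C:\Users\jdoe\Downloads\Advanced_IP_Scanner.exe"},
    {"host": "fs-01", "event_id": 7045, "user": r"CORP\svc_backup",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "fs-01", "event_id": 4688, "user": r"CORP\svc_backup",
     "new_process": r"C:\Windows\PSEXESVC.exe"},
    {"host": "fs-01", "event_id": 11, "user": r"CORP\svc_backup",
     "target_filename": r"\\fs-01\share\finance\CriticalBreachDetected.pdf"},
    {"host": "ws-0099", "event_id": 4688, "user": "nurse1",
     "new_process": r"C:\Program Files\Epic\Hyperspace.exe"},  # benign
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    category: str
    detail: str


def _basename(path: str) -> str:
    # Windows paths use backslashes; normalise so this works on any platform.
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def triage(events):
    """Return one Finding per event that matches a Rhysida indicator."""
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        host = ev.get("host", "?")
        user = ev.get("user", "?")
        if eid == 7045:  # System log: a new service was installed
            name = ev.get("service_name", "")
            image = _basename(ev.get("image_path", ""))
            if name.upper() == "PSEXESVC" or image.lower() == "psexesvc.exe":
                findings.append(Finding(host, user, "psexec_service_install",
                                        f"{name} -> {ev.get('image_path', '')}"))
        elif eid == 4688:  # Security log: process creation
            exe = _basename(ev.get("new_process", ""))
            if TOOL_RE.match(exe):
                findings.append(Finding(host, user, "recon_or_lateral_tool", exe))
        elif eid == 11:  # Sysmon: file created
            if _basename(ev.get("target_filename", "")).lower() == NOTE_NAME:
                findings.append(Finding(host, user, "rhysida_ransom_note",
                                        ev["target_filename"]))
    return findings


def hosts_with_chain(findings):
    """Hosts that show both a lateral-movement indicator and the ransom note.

    PsExec and network scanners are routinely used by administrators, so a
    single tool sighting is a lead, not an incident; the note on the same host
    is what turns it into a confirmed encryption event.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.category)
    lateral = {"psexec_service_install", "recon_or_lateral_tool"}
    return sorted(h for h, cats in by_host.items()
                  if cats & lateral and "rhysida_ransom_note" in cats)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host:8} {f.user:16} {f.category:24} {f.detail}")
    print("hosts with lateral movement + ransom note:", hosts_with_chain(SAMPLE_EVENTS and triage(SAMPLE_EVENTS)))
```

Two caveats a responder should keep in mind: PsExec's `-r` switch lets an operator rename the PSEXESVC service, so the service-name check above is a convenience and the image path and the remote-admin pattern (service install by an account that never does so) are the more durable signals; and because the ransom note is dropped after encryption has begun, the note match confirms impact rather than giving early warning, so the tool sightings are the ones worth paging on.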

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, the groups behind them and their victims. Given how lucrative the model has been for threat actors, ransomware has become the most widespread and the most financially and informationally damaging cyber threat facing businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.