Rhysida Ransomware Targets Abdali Hospital in Amman, Jordan

The Rhysida ransomware group has reportedly breached critical infrastructure once again, this time targeting Abdali Hospital in Amman, Jordan. The ransomware group claims to have stolen a substantial trove of ‘sensitive data’ and is auctioning it for 10 BTC. The group published images of stolen documents as proof of the compromise. Leaked images include ID cards, contracts, and more.

Abdali Hospital is a multi-specialty hospital located in the modern development of Al-Abdali, Amman, Jordan. Abdali Hospital provides care to patients in numerous specialties. Apart from its general surgery section, it has specialists in orthopedics and rheumatology, gynecology, urology and endocrinology, neurology, nephrology, pulmonology, internal medicine, oncology, infectious disease, and anesthesiology. The hospital also offers aesthetic specialties, including plastic surgery and dermatology. Finally, there is a women’s health center with a specialty in breast cancer.

Rhysida Ransomware Group Emergence

The Rhysida ransomware group emerged in May 2023 and introduced a victim support chat portal on the TOR network. They present themselves as a "cybersecurity team" and claim to be helping their victims by targeting their systems and exposing potential security issues. Rhysida deploys its ransomware through various methods, including Cobalt Strike or similar frameworks, as well as phishing campaigns.

Analysis of Rhysida ransomware samples suggests that the group is still in the early stages of development. The ransomware lacks certain standard features in contemporary ransomware, such as VSS removal. However, the group follows the practices of modern multi-extortion groups by threatening to distribute the stolen data publicly.

Attack Methodology and Victim Communication

Upon execution, Rhysida displays a cmd.exe window and scans all files on local drives. Victims are instructed to contact the attackers using the TOR-based portal and their unique identifier provided in the ransom notes. The group only accepts payment in Bitcoin (BTC) and provides victims with instructions on purchasing and using BTC through the victim portal. Victims are also given an additional form on the payment portal to provide authentication and contact details to the attackers.

The Rhysida ransom notes are written as PDF documents and placed in the affected folders on the targeted drives.