Rhysida attacks Prospect Medical Holdings

Incident Date:

September 3, 2023

World map



Rhysida attacks Prospect Medical Holdings


Prospect Medical Holdings




Los Angeles, USA

California, USA

First Reported

September 3, 2023

Rhysida Ransomware Gang Attacks Prospect Medical Holdings

The Rhysida ransomware gang has attacked Prospect Medical Holdings. Prospect Medical Holdings is a prominent healthcare management company based in the United States. This organization is dedicated to delivering a wide range of healthcare services to communities across several states, primarily with a focus on California. Their services encompass acute care, primary care, specialty care, and outpatient services. Rhysida posted Prospect Medical Holdings to its data leak site on September 3rd but provided no further details.

Rhysida's Operations and Tactics

Rhysida is a RaaS (Ransomware-as-a-Service) that was first observed on May 17, 2023. Rhysida has been observed deploying Cobalt Strike or similar command-and-control frameworks and abusing PSExec for lateral movement, dropping PowerShell scripts, and for payload delivery. They engage in data exfiltration for double extortion and maintain both a leaks site and a victim support portal on TOR. They are thought to be responsible for attacks against the Chilean military and more recently against Prospect Medical Holdings which impacted services at hundreds of clinics and hospitals across the US.

Rhysida has been steadily increasing their attack volume and continuing to expand the targeted industries, but volume is modest compared to leaders. Rhysida appears to be opportunistic attackers with a similar victimology as Vice Society.

Ransom Demands and Techniques

IT remains unclear how much Rhysida operators typically demand for a ransom payment at this time. Rhysida appears to have a fairly advanced RaaS offering, with capabilities that include advanced evasion techniques that can bypass antivirus protection, the wiping of Volume Shadow Copies (VSS) to prevent rollback of the encryption, and the ability to modify Remote Desktop Protocol (RDP) configuration. Rhysida employs 4096-bit RSA key and AES-CTR for file encryption.

Rhysida does not appear to be targeting Linux systems, maintaining a focus on Windows targets. TTPs are similar to those of Vice Society, which has been less active as Rhysida has emerged. Rhysida has been observed targeting the healthcare, education, government, manufacturing, and tech industries.

Rhysida's Justification

Rhysida operators purport to be a “cybersecurity team” conducting unauthorized “penetration testing” to ostensibly “help” victim organizations identify potential security issues and secure their networks. The subsequent ransom demand is viewed as “payment” for their services.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.