Department of Health & Human Services Issues Alert on Rhysida Ransomware


August 16, 2023


The U.S. Department of Health & Human Services issued an alert (PDF) on Rhysida ransomware operations that have been targeting the healthcare sector.

First observed on May 17, 2023, Rhysida operators purport to be a “cybersecurity team” conducting unauthorized “penetration testing” to ostensibly “help” victim organizations identify potential security issues and secure their networks. The subsequent ransom demand is viewed as “payment” for their services.

“Rhysida ransomware is deployed in multiple ways. Primary methods include breaching targets’ networks via phishing attacks, and by dropping payloads across compromised systems after first deploying Cobalt Strike or similar command-and-control frameworks,” the alert states.

“The probability of cyber threat actors targeting the healthcare industry remains high. Prioritizing security by maintaining awareness of the threat landscape, assessing their situation, and providing staff with tools and resources necessary to prevent a cyberattack remains the best way forward for healthcare organizations.”

Takeaway: The threat from ransomware is very real, and the fact that nation-state sponsored or directed operators are getting more active in conducting ransomware attacks on our critical infrastructure, especially healthcare, is more than concerning.

Last year CISA warned organizations to remain vigilant with respect to an increased risk from ransomware and destructive data attacks, and a joint alert was issued in early 2023 by CISA, the FBI, NSA, and HHS regarding an increase in ransomware attacks targeting healthcare providers.

Ransomware is a multi-billion-dollar industry that operates like a legitimate business, with a host of specialists, R&D departments, recruiters, help desks, HR departments and more.

We can expect to continue to see healthcare and other critical infrastructure providers be a favorite target, given that they typically have the fewest resources to dedicate to securing sensitive systems, and those systems have the widest impact when disrupted in an attack.

Ransomware operators are simply ruthless, and they know that the impact of an attack against healthcare organizations doesn’t just disrupt operations, it directly affects the lives of patients, which in turn puts tremendous pressure on the targeted provider to pay up for swift recovery.

A robust defense is key, but resilience is what will ensure critical operations stay up and running even in the event of a ransomware attack:

  • Endpoint Protection (EPP): Deploy an anti-ransomware solution alongside existing Endpoint Protection Platforms (EPP/EDR/XDR) to bridge the gaps in ransomware-specific coverage
  • Patch Management: Keep all software and operating systems up to date and patched
  • Data Backups: Ensure critical data is backed up offsite and protected from corruption in the case of a ransomware attack
  • Access Control: Implement network segmentation and policies of least privilege (Zero Trust)
  • Awareness: Implement an employee awareness program to educate against risky behaviors, phishing techniques, etc.
  • Resilience Testing: Regularly test solutions against simulated ransomware attacks to ensure effective detection, prevention, response, and full recovery of targeted systems
  • Procedure Testing: Plan and prepare for failure by running regular tabletop exercises and ensuring all stakeholders are ready and available to respond to an attack at all times

The detection/prevention side of the cyberattack equation is important, but organizations also have to prepare for failure by ensuring they can quickly and decisively respond to a successful ransomware attack so that any potential disruption to operations is kept to a minimum.

Halcyon is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware. Talk to a Halcyon expert today to find out more.