The healthcare sector is coming under increasingly severe pressure from cyber-attacks. On the heels of last week’s news that the infamous Lazarus Group is launching a new campaign targeting internet backbone infrastructure and healthcare facilities in the US and Europe comes news of a major attack by the Rhysida ransomware group on Los Angeles-based Prospect Medical Holdings.
Earlier this month, Prospect Medical Holdings was forced to take down its systems following major cyber-attacks at hospitals and other medical facilities across four states. Rhysida has now claimed responsibility for the theft of a 1.3 terabyte SQL database containing 500,000 Social Security numbers, corporate documents, and patient records, and is threatening to sell Prospect Medical’s allegedly stolen data for 50 Bitcoins (around $1.3 million) if Prospect Medical Holdings refuses to pay up.
The trillion-dollar US healthcare sector’s ever-expanding array of internet-connected medical devices, combined with its legacy IT systems, makes it an attractive target for hackers. But not all attackers represent an equally serious threat. Fast-growing ransomware newcomer Rhysida appears to be motivated solely by opportunistic financial gain. The Lazarus Group, on the other hand, has more sinister motives. Sponsored by the North Korean state, the group’s aim is twofold: profits from such gangs go to fund North Korea’s growing nuclear arsenal, while the threat actors simultaneously target crucial facilities in preparation for a potential future coordinated attack on US infrastructure.
The Lazarus group’s latest campaign was first identified by researchers at Cisco’s threat intelligence arm, Cisco Talos. On the day Cisco Talos’ analysis was published, the FBI also issued a warning to cryptocurrency firms regarding a sudden surge in blockchain activity linked to the theft of hundreds of millions in digital currency attributed to the Lazarus Group.
Rhysida’s claim of responsibility for the attack on Prospect Medical also follows a warning earlier in August by the Department of Health and Human Services (HHS) that Rhysida is behind many recent attacks on healthcare organizations. According to HHS, Rhysida is a new ransomware group that has been active since May 2023. HHS reports that Rhysida’s usual modus operandi is to deliver ransomware via phishing attacks in order to breach a target organization’s networks. The group then threatens to publicly expose the exfiltrated data if the victim refuses to pay Rhysida’s ransom demand.
According to cybersecurity firm Cloudflare’s 2023 Phishing Threats Report, published earlier this year, a growing number of phishing attacks now rely on impersonating someone else’s identity. Identity deception is the third-most prevalent email threat category: Cloudflare identified it in 14.2% of detections from May 2, 2022, to May 2, 2023, up from 10.3% the previous year, and reports that this type of attack frequently takes the form of brand impersonation and business email compromise (BEC).
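As an added illustration (not from the article or from Cloudflare’s report), the following Python screen shows what the identity deception described above looks like at the mail-header level and how a gateway might flag it: a display name that borrows a protected brand or executive name while the sender domain is not one that name legitimately uses, and a Reply-To that silently redirects replies to a different domain. The protected-name list and the sample messages are constructed for the example.

```python
"""Heuristic screen for identity-deception phishing: display-name spoofing,
brand impersonation and Reply-To mismatch. Added example for this article;
not Cloudflare's or any vendor's detection logic."""
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: names an attacker might borrow, mapped to the
# domains they legitimately send from. A real deployment loads this from config.
PROTECTED = {
    "example bank": {"examplebank.com"},   # hypothetical brand
    "jane doe": {"corp.example"},          # hypothetical CFO (classic BEC lure)
}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen(raw_message: str) -> list:
    """Return a list of findings for one RFC 5322 message (empty list = clean)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    findings = []
    # 1. Display name claims a protected identity but the domain does not match.
    for protected, allowed in PROTECTED.items():
        if protected in name.lower() and from_dom not in allowed:
            findings.append(f"display name '{name}' claims '{protected}' "
                            f"but sender domain is '{from_dom}'")
    # 2. Replies are steered to a domain other than the apparent sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        findings.append(f"Reply-To domain '{_domain(reply)}' differs from "
                        f"From domain '{from_dom}'")
    return findings


# Constructed sample messages (headers only matter for this screen).
SPOOFED_BEC = ('From: "Jane Doe" <jane.doe@mail-service.example>\n'
               'Reply-To: finance-desk@another.example\n'
               'Subject: Urgent wire transfer\n\nPlease process today.\n')
BRAND_SPOOF = ('From: Example Bank Security <alerts@examplebank-secure.example>\n'
               'Subject: Verify your account\n\nClick the link below.\n')
LEGITIMATE = ('From: "Jane Doe" <jane.doe@corp.example>\n'
              'Subject: Lunch\n\nSee you at noon.\n')

if __name__ == "__main__":
    for label, sample in [("BEC", SPOOFED_BEC), ("brand", BRAND_SPOOF), ("ok", LEGITIMATE)]:
        print(label, screen(sample))
```

The screen is deliberately narrow; in practice it sits alongside SPF/DKIM/DMARC results and lookalike-domain checks rather than replacing them.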
One explanation for the marked rise in attacks using identity and brand deception is cybercriminals’ increasing use of artificial intelligence platforms such as ChatGPT and its Dark-Web equivalent FraudGPT to craft well-written and plausible-sounding spoof emails. Previously, spoof emails were frequently easily identifiable by poor grammar and misspellings. The new AI platforms can not only write well-crafted personalized emails but also trawl social networks in order to draft an email with sufficient personal data to convince the recipient that it comes from a trusted supplier or colleague.