Bayhealth Hospital Hit by Rhysida Ransomware: Data Compromised
Ransomware Attack on Bayhealth Hospital by Rhysida Group
Bayhealth Medical Center, a prominent healthcare provider in Delaware, has fallen victim to a ransomware attack orchestrated by the Rhysida ransomware group. The attack, detected on July 31, 2024, has compromised sensitive data, including Social Security Numbers and passports, with the attackers demanding a ransom of 25 Bitcoin (approximately $1.4 million) to prevent data leakage.
About Bayhealth Medical Center
Bayhealth Medical Center operates as the largest healthcare system in central and southern Delaware, employing nearly 4,000 individuals and over 450 physicians. The organization provides a comprehensive range of medical services across multiple facilities, including hospitals, outpatient centers, and urgent care locations. Bayhealth is recognized for its high standards in patient care, with numerous accolades such as Magnet Recognition for nursing excellence and the Gold Seal of Approval from The Joint Commission.
Attack Overview
The ransomware attack was identified when Bayhealth noticed unusual activity within its computer systems. Immediate actions were taken to contain the threat, including disconnecting from specific external systems and engaging a cybersecurity firm for investigation. Despite temporary disruptions, Bayhealth's Epic EHR system remained operational, and normal operations have since resumed. Rhysida has posted screenshots of stolen passports and ID cards on its Tor leak site, threatening to auction the data if the ransom is not paid by August 14, 2024.
About Rhysida Ransomware Group
Rhysida is a relatively new ransomware group, first observed in May 2023. The group targets various sectors, including healthcare, education, and government, using sophisticated techniques such as phishing campaigns and exploiting cybersecurity tools. Rhysida employs a double extortion strategy, stealing data before encrypting it and threatening to publish the data unless a ransom is paid. The ransomware uses the ChaCha20 encryption algorithm and generates ransom notes as PDF documents named “CriticalBreachDetected.pdf”.
Penetration and Vulnerabilities
Rhysida likely gained initial access to Bayhealth's systems through phishing, then used the valid credentials it obtained to connect to the network over VPN. For lateral movement inside the network the group relies on legitimate tools such as Advanced IP/Port Scanner and Sysinternals PsExec. Bayhealth's heavy dependence on digital systems and the sensitive nature of healthcare data make it a prime target for ransomware, underscoring the need for vigilant cybersecurity measures.