Rhysida Ransomware Attack on Ann & Robert H Lurie Children's Hospital of Chicago

The Rhysida Ransomware group has attacked the Ann & Robert H Lurie Children's Hospital of Chicago. Despite the cyberattack, the hospital has remained operational, albeit with some disruptions to appointments and elective surgeries. The hospital’s MyChart electronic records system remains down, and manual processes have been implemented, leading to longer wait times for prescription requests. The ransomware group is attempting to extort the hospital for 60 bitcoins, equivalent to just over $3.4 million, in exchange for the stolen data.

Ann & Robert H Lurie Children's Hospital of Chicago was formerly known as Children's Memorial Hospital. It is now commonly known as Lurie Children's, is a nationally ranked pediatric acute care children's hospital located in Chicago, Illinois.

Rhysida's Emergence and Operations

Rhysida is a RaaS (Ransomware as a Service) that was first observed in May of 2023, and has become one of the more prevalent threats in the latter half of 2023. Rhysida engages in data exfiltration for double extortion and maintains both a leaks site and a victim support portal on TOR. They are thought to be responsible for attacks against the Chilean military and more recently against Prospect Medical Holdings which impacted services at hundreds of clinics and hospitals across the US.

In Q4-2023, the FBI and CISA released a joint advisory on Rhysida operations. Rhysida has been steadily increasing their attack volume and continuing to expand the targeted industries, but volume is modest compared to leaders. Rhysida deploys its ransomware through various methods, including Cobalt Strike or similar frameworks, as well as phishing campaigns.

Technical Analysis of Rhysida Ransomware

Analysis of Rhysida ransomware samples suggests that the group is still in the early stages of development. The ransomware lacks certain standard features in contemporary ransomware, such as VSS removal. However, the group follows the practices of modern multi-extortion groups by threatening to distribute the stolen data publicly.

Upon execution, Rhysida displays a cmd.exe window and scans all files on local drives. Victims are instructed to contact the attackers using the TOR-based portal and their unique identifier provided in the ransom notes. The group only accepts payment in Bitcoin (BTC) and provides victims with instructions on purchasing and using BTC through the victim portal. Victims are also given an additional form on the payment portal to provide authentication and contact details to the attackers.

The Rhysida ransom notes are written as PDF documents and placed in the affected folders on the targeted drives.