A criminal ransomware network connected to a cyber-attack inside numerous US hospitals has been taken down by the FBI, according to a US Department of Justice press release. The attack hit over 200,000 computers across the US and cost hundreds of millions of dollars in damage. The FBI called it a duck hunt taking down the hacking network called Qakbot. “Qackbot is one of the most successful persistent and notorious botnets in the globe,” said US Attorney Martin Estrada. “Stopping cybercrime is a matter of cybercrime is a matter of national security.”[1]
Unfortunately, the attacks continue in Connecticut. and several other US states. Prospect Medical Holdings is confirming new details about a massive data theft from three Connecticut hospitals and others around the country in a nearly month-old cyber-attack by a shadowy worldwide extortion group known as Rhysida.[2]
In a written statement, Prospect verified the attack has knocked computer systems offline and for the first time confirmed some information has been obtained by the hackers. The federal Department of Health and Human Services has verified the cyber attackers as Rhysida and warns that the group "has proven itself to be a significant threat to organizations worldwide. This is a serious risk for health care organizations due to the amount of patient data that is shared over the connected network daily,'' HHS said in an Aug. 16 memo.
Prospect Medical Holdings officials have not publicly confirmed the extortion threats by Rhysida in the wake of the cyber-attack that is disrupting Waterbury Hospital and the Eastern Connecticut Health Network, which operates Manchester and Rockville General Hospitals.[3]
The FBI and the CT State Department of Public Health are investigating the cyber-attack, in addition to the hospital chain's internal probe of the breach. The attack has disrupted or halted numerous hospital services as computer systems remain down.
Prospect said this week that "we have now become aware that Prospect Medical data was taken by unauthorized actors, the nature of which is being actively examined," company officials said in the statement. "If the investigation determines that any protected health or personal information is involved, we will provide the appropriate notifications in accordance with applicable laws. Because our investigation is ongoing, we do not have additional information to share at this time. We are taking all appropriate measures to address this incident. We activated our incident response protocols which included shutting down and securing our systems and commencing an investigation and analysis. A forensic investigation firm has been engaged to assist Prospect Medical in examining the incident. We also notified and are working with law enforcement authorities,'' Prospect officials said.
Figure 1. Rhysida extortion letter |
Prospect operates 16 hospitals in California, Connecticut, Pennsylvania, and Rhode Island, as well as 166 outpatient clinics and centers. The cyber-attack on all of the company's operations is believed to have started on 3 August. The company is based in California.
Federal investigators say that Rhysida, after first surfacing this past May, follows a clear path after breaching computer systems and obtaining confidential data through phishing attacks, threatening victims with ransom notes and demanding Bitcoin in payment. "It is crucial for organizations to take proactive measures to protect their systems and data,'' the federal Heath Sector Cybersecurity Coordination Center warned in a "sector alert" sent out across the country on Aug. 4, the day after the attack on Connecticut hospitals. "This group threatens to publicly distribute the exfiltrated data if the ransom is not paid," the federal agency said. "Its victims are distributed throughout several countries across Western Europe, North and South America, and Australia."
The attack comes as Yale New Haven Health is in the process of purchasing ECHN for $435 million. The deal would include Waterbury Hospital, Manchester Memorial and Rockville General Hospitals. “Due to the sensitivity of this incident and law enforcement involvement, we are unable to provide any additional information at this point," Prospect officials said.
HHS investigators said that Rhysida attacks education, government, manufacturing and technology companies, but that "there have been recent attacks against the health care and public health sector."
Cybersecurity experts have said that health care systems are a growing target because of the delicate nature of their work and the urgency of getting their computer systems fully operational in the event of a hack.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://www.wfsb.com/2023/08/30/group-behind-cyber-attacks-local-hospitals-taken-down-by-fbi/
[2] https://www.sentinelone.com/anthology/rhysida/
[3] https://www.stamfordadvocate.com/journalinquirer/article/connecticut-hospitals-cyber-attack-18334048.php
Comments