# Rhysida Ransomware Healthcare Targeting
Profile of Rhysida ransomware targeting healthcare, education, and government sectors.
PDM Domain(s): TID, VSD
---
Rhysida is a ransomware-as-a-service (RaaS) operation that emerged in May 2023 and has systematically targeted organizations where sensitive data volume is high and cybersecurity investment is chronically low. Healthcare institutions represent the most consequential category of Rhysida victims because successful attacks disrupt patient care, expose protected health information under HIPAA, and create life-safety consequences that pressure organizations to pay ransoms quickly.
Rhysida is a 64-bit Windows portable executable (PE) ransomware payload that encrypts victim files using a combination of 4096-bit RSA public key cryptography and the ChaCha20 symmetric stream cipher. It appends the .rhysida extension to encrypted files and drops a PDF ransom note titled CriticalBreachDetected.pdf. The group operates a Tor-based leak site and a victim negotiation portal, consistent with the double-extortion model in which data is exfiltrated before encryption and threatened for public release if ransom is not paid.
The group has probable ties to Vice Society, a threat actor known for targeting schools and hospitals between 2021 and 2023. Overlapping tactics, techniques, and procedures (TTPs) and targeting profiles suggest either shared membership, shared tooling, or that Vice Society rebranded as Rhysida. This connection matters because Vice Society's infrastructure, access broker relationships, and sector knowledge appear to have carried forward into Rhysida operations.
Rhysida fills a specific criminal niche: it combines technically mature encryption with deliberate sector selection, choosing hospitals, school districts, government agencies, and cultural institutions not by accident but because these organizations frequently lack the security maturity to detect or stop an intrusion before encryption occurs. Understanding Rhysida as a threat actor requires examining its technical construction, its operational playbook, and the structural vulnerabilities in healthcare and public-sector environments that make this class of attack persistently successful.
---
Rhysida intrusions follow a recognizable kill chain with distinct phases: initial access, persistence and lateral movement, reconnaissance and data staging, and final encryption deployment. The operational timeline from initial compromise to encryption typically spans two to six weeks, distinguishing it from opportunistic ransomware that encrypts immediately upon gaining access.
Rhysida affiliates gain entry through three primary vectors. The first is phishing campaigns that deliver Cobalt Strike beacon payloads. These emails are crafted to appear legitimate, often impersonating vendors, IT support, or regulatory bodies familiar to the target sector. Healthcare-focused campaigns have impersonated medical device vendors, EHR support teams, and regulatory compliance auditors. Once a user executes the payload, Cobalt Strike establishes a command-and-control (C2) channel that gives the attacker remote control of the endpoint.
The second vector is exploitation of internet-facing services. Rhysida has exploited VPN appliances and remote desktop protocol (RDP) endpoints exposed to the public internet, including systems vulnerable to known CVEs that have available patches. Common targets include outdated SonicWall VPN appliances, unpatched Microsoft Exchange servers, and RDP services with weak authentication policies.
The third vector is credential purchase from initial access brokers (IABs), dark web vendors who sell previously compromised credentials to organizations in targeted sectors. Healthcare organizations are frequently listed in IAB markets because their credential hygiene is often poor, with shared service accounts, default passwords on medical devices, and inadequate password policies.
Rhysida has also exploited CVE-2020-1472, known as Zerologon, a critical vulnerability in the Netlogon Remote Protocol that allows an unauthenticated attacker to compromise a domain controller by exploiting a cryptographic flaw. Despite being patched in August 2020, this vulnerability remains exploitable in healthcare environments where patching cycles are slow due to concerns about medical device compatibility and operational continuity.
Once inside the network, attackers establish persistence using scheduled tasks, service creation, or registry modifications. Cobalt Strike's post-exploitation modules handle much of this work automatically. Lateral movement typically occurs via PsExec, a legitimate Windows administration tool that allows remote command execution. Because PsExec is a signed Microsoft utility, it often bypasses application allowlisting controls that might block unauthorized executables.
Attackers also conduct Active Directory reconnaissance using tools such as BloodHound, AdFind, and custom PowerShell scripts to map trust relationships, identify high-value accounts, and locate domain controllers. In healthcare environments, this reconnaissance frequently reveals flat network architectures where clinical systems, administrative systems, and domain controllers share the same broadcast domain with minimal internal segmentation.
A common pattern in Rhysida intrusions is the compromise of service accounts with broad permissions across multiple systems. Healthcare IT environments often rely on service accounts for integration between EHR systems, medical devices, and administrative databases. These accounts frequently have elevated privileges and are configured with passwords that do not expire, making them attractive targets for attackers seeking persistent access.
A critical step is extraction of the NTDS.dit file, the Active Directory database stored on domain controllers. NTDS.dit contains password hashes for every domain account, allowing attackers to perform offline cracking or pass-the-hash attacks to impersonate privileged users, including domain administrators. This single step typically grants complete domain control.
Following credential harvesting, attackers exfiltrate sensitive data to attacker-controlled infrastructure before encryption. In healthcare attacks, this data includes electronic health records (EHR) exports, patient financial records, internal operational documents, employee personal information, and sometimes medical images. Exfiltration tools have included WinSCP, Rclone, and MEGAsync, often configured to use cloud storage services as intermediate staging areas.
The exfiltration phase provides the second lever of extortion: pay or the data becomes public. Rhysida's leak site has published patient records, internal communications, and financial documents from victims who declined to pay ransom demands. This creates both regulatory exposure under HIPAA and reputational damage that extends beyond the immediate operational impact of the encryption.
The Rhysida executable is typically deployed via PsExec or Group Policy Object (GPO) modification to push the payload to all domain-joined systems simultaneously. The timing of deployment is often strategic, occurring during nights, weekends, or holidays when IT staffing is reduced and response time is slower.
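The intrusion phases above (Zerologon exploitation, PsExec lateral movement, NTDS.dit extraction, exfiltration tooling) each leave telemetry a defender can alert on. The following is an added detection example, not CDA's code or any vendor's product: a small rule set run over constructed, normalized Windows events (Sysmon process-creation records and Security-log Netlogon events). The host names, the admin-host and domain-controller lists, the rule names and the sample events are all assumptions made for illustration; the Netlogon event IDs 5827, 5828 and 5829 are the ones logged by domain controllers patched for CVE-2020-1472.

```python
"""Added detection example (not CDA's code): rules for the Rhysida intrusion
phases, run over constructed, normalized Windows events. Host names, the
admin-host and DC lists and the rule names are assumptions for illustration."""
from collections import Counter
from dataclasses import dataclass

# Assumed inventory: PAWs from which PsExec use is expected, and the DCs.
ADMIN_HOSTS = {"PAW-01", "PAW-02"}
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
# Exfiltration tools the article attributes to Rhysida intrusions.
EXFIL_TOOLS = {"rclone.exe", "megasync.exe", "winscp.exe"}
# Netlogon event IDs logged by DCs patched for CVE-2020-1472: 5827/5828 a
# vulnerable secure-channel connection was denied; 5829 one was allowed
# because enforcement mode is not yet on (the DC is still exploitable).
ZEROLOGON_DENIED = {5827, 5828}
ZEROLOGON_ALLOWED = 5829


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for matching."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Evaluate one normalized event; return the findings it triggers ([] if clean)."""
    findings = []
    host = ev.get("host", "?")
    eid = ev.get("event_id")
    channel = ev.get("channel")
    if channel == "Security":
        if eid in ZEROLOGON_DENIED:
            findings.append(Finding("zerologon-attempt-denied", host, ev.get("account", "")))
        elif eid == ZEROLOGON_ALLOWED:
            findings.append(Finding("zerologon-enforcement-off", host, ev.get("account", "")))
        return findings
    if channel != "Sysmon" or eid != 1:  # Sysmon event 1 = process creation
        return findings
    image = _image_name(ev.get("image", ""))
    cmd = ev.get("cmdline", "").lower()
    # Lateral movement: psexec.exe is the client, PSEXESVC.exe the service it
    # installs on the target. The client is expected only from PAWs.
    if image == "psexec.exe" and host not in ADMIN_HOSTS:
        findings.append(Finding("psexec-from-non-admin-host", host, cmd))
    elif image == "psexesvc.exe":
        findings.append(Finding("psexec-service-landed", host, cmd))
    # Credential database theft: tooling that can produce a copy of NTDS.dit
    # running on a DC, or any command line naming the file on any host.
    if host in DOMAIN_CONTROLLERS and image in {"ntdsutil.exe", "vssadmin.exe"}:
        findings.append(Finding("ntds-extraction-tooling-on-dc", host, image))
    if "ntds.dit" in cmd:
        findings.append(Finding("ntds-dit-referenced", host, cmd))
    # Data staging / exfiltration tooling.
    if image in EXFIL_TOOLS:
        findings.append(Finding("exfil-tool-execution", host, image))
    return findings


def scan(events) -> list:
    """Run every rule over a sequence of events."""
    return [f for ev in events for f in check_event(ev)]


def summarize(findings) -> dict:
    """Findings per rule, e.g. for a dashboard or alert routing."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample telemetry (not real logs) touching each phase.
SAMPLE_EVENTS = [
    {"channel": "Sysmon", "event_id": 1, "host": "PAW-01",
     "image": r"C:\Tools\PsExec.exe", "cmdline": r"psexec.exe \\FILE01 cmd.exe"},
    {"channel": "Sysmon", "event_id": 1, "host": "WS-RAD-14",
     "image": r"C:\Users\Public\PsExec.exe", "cmdline": r"psexec.exe \\DC01 cmd.exe"},
    {"channel": "Sysmon", "event_id": 1, "host": "DC01",
     "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"channel": "Sysmon", "event_id": 1, "host": "DC01",
     "image": r"C:\Windows\System32\ntdsutil.exe", "cmdline": "ntdsutil.exe (arguments omitted)"},
    {"channel": "Sysmon", "event_id": 1, "host": "FILE01",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c copy (path omitted)\ntds.dit C:\Temp"},
    {"channel": "Sysmon", "event_id": 1, "host": "FILE01",
     "image": r"C:\Program Files\rclone\rclone.exe", "cmdline": "rclone.exe copy (arguments omitted)"},
    {"channel": "Security", "event_id": 5829, "host": "DC02", "account": "WS-RAD-14$"},
    {"channel": "Sysmon", "event_id": 1, "host": "WS-ACC-02",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:32} {f.host:10} {f.detail}")
    print(summarize(scan(SAMPLE_EVENTS)))
```

Running the block prints six findings from the eight sample events; the PsExec use from the PAW and the notepad launch are left alone. The 5829 finding is the one worth acting on before any attacker does: it means a domain controller is still accepting the vulnerable Netlogon connections that Zerologon abuses.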
Encryption uses ChaCha20 for file content (fast, low-overhead symmetric encryption); the ChaCha20 key is in turn encrypted with a 4096-bit RSA public key whose matching private key is held only by the attacker. Without that private key, decryption is computationally infeasible with current technology. The ransomware is designed to avoid encrypting certain system files necessary for Windows to boot, ensuring that victims can access the ransom note and maintain communication capabilities.
A 400-bed regional hospital network received a phishing email purporting to be from their EHR vendor regarding a critical security update. An IT administrator opened the attachment, executing a Cobalt Strike stager that established a C2 channel to attacker infrastructure. Over the following three weeks, attackers moved laterally through the network, extracted NTDS.dit from domain controllers, and exfiltrated 2.1 terabytes of patient data including EHR records, billing information, and internal communications.
On a Saturday morning at 3:00 AM, when staffing was minimal, attackers executed GPO modification to deploy the Rhysida payload across 600 domain-joined endpoints including clinical workstations, administrative systems, and network-attached storage devices. Clinical staff arriving for shift changes found workstations encrypted, EHR systems offline, and critical patient monitoring systems isolated but functional due to network segmentation implemented after a previous security assessment.
The hospital activated emergency protocols, diverted ambulances to neighboring facilities, reverted to paper records for patient care, and faced both a ransom demand of 75 Bitcoin (approximately $2.8 million at time of attack) and mandatory HIPAA breach notification requirements. Recovery required six weeks and cost approximately $12 million in incident response, system rebuilding, regulatory penalties, and lost revenue.
---
Ransomware attacks on healthcare facilities are not primarily financial crimes. They are events with direct patient safety consequences that extend beyond the targeted organization. Research published in JAMA Network Open has documented correlations between ransomware attacks on hospitals and increased patient mortality rates during attack periods, attributable to care delays, diverted emergency patients, and loss of access to medication records and clinical decision support systems.
When Rhysida or a comparable actor encrypts a hospital's systems, the harm cascades throughout the regional healthcare network. Emergency patients must be diverted to other facilities, potentially increasing transport times for critical cases. Scheduled surgeries are cancelled, creating backlogs that can take months to clear. Laboratory results are delayed as systems are rebuilt and data is restored from backups. The operational impact extends far beyond the immediate victim organization.
The British Library attack in late 2023 illustrates Rhysida's willingness to target institutions with significant cultural value and public trust. Rhysida exfiltrated approximately 600 gigabytes of data including employee personal information, internal documents, and research materials, publishing portions on their leak site when the library declined to pay ransom demands. The library required four months to restore services and faced sustained public scrutiny over its security posture and decision not to pay the ransom.
A common misconception about ransomware targeting healthcare is that attackers avoid hospitals due to ethical considerations or fear of law enforcement attention. Rhysida's operational history refutes this directly. The group has shown no restraint in targeting healthcare facilities, schools, or cultural institutions. In fact, the sector's documented willingness to pay ransoms quickly, driven by patient safety pressure and regulatory compliance requirements, makes hospitals among the most financially attractive targets in the ransomware ecosystem.
Healthcare organizations face a particular vulnerability that other sectors do not: the inability to sustain extended downtime without immediate life-safety consequences. A manufacturing company can halt production for weeks during incident response without directly endangering lives. A hospital cannot. This time pressure creates a negotiating disadvantage that attackers explicitly exploit through timing and target selection.
Another misconception is that organizations are attacked because of specific unique vulnerabilities only they possess. In reality, Rhysida affiliates conduct opportunistic scanning for common, well-documented vulnerabilities such as unpatched VPNs and exposed RDP endpoints, then select from a pool of accessible targets. Organizations that patch promptly and enforce multi-factor authentication remove themselves from that pool automatically. The gap between available patches and actual patching in healthcare—often six to twelve months for non-clinical systems and longer for systems adjacent to medical devices—is the primary structural factor enabling these attacks.
---
CDA approaches Rhysida and similar healthcare-targeting threat actors through the Planetary Defense Model (PDM), specifically the Threat Intelligence Domain (TID) and the Vulnerability and Security Domain (VSD). The operative methodology is Predictive Defense Intelligence (PDI): see the threat before it sees you.
In practice, PDI applied to Rhysida means that CDA-aligned organizations do not wait for an incident to discover that their Zerologon patching is incomplete, that NTDS.dit access is unmonitored, or that their VPN appliance is visible and unpatched in public scanning databases. PDI requires continuous external attack surface assessment, mapping what an attacker sees before an attacker maps it for the organization.
CDA's Threat-Oriented Protection (TOP) missions structure this work operationally. For Rhysida specifically, a TOP mission begins with TID collection: ingesting CISA and MS-ISAC advisories on Rhysida TTPs, subscribing to healthcare-sector threat intelligence through H-ISAC, and mapping known Rhysida indicators of compromise (IOCs) against the organization's detection stack. This produces a gap analysis: which of the attacker's known techniques are currently detectable in your environment, and which are invisible.
Where CDA differs from conventional security consulting is in its refusal to treat threat intelligence as a reporting artifact. Intelligence about Rhysida has specific operational implications: patch Zerologon immediately on all domain controllers, restrict NTDS.dit access using privileged access workstations (PAWs), monitor for PsExec execution from non-administrative systems, and enforce phishing-resistant MFA (FIDO2 or certificate-based) on all remote access paths. These are not recommendations to consider during the next planning cycle. They are controls to implement on a defined timeline with accountability metrics.
CDA also addresses the structural reality of under-resourced healthcare organizations directly. The Planetary Defense Model acknowledges that not all organizations have enterprise security operations centers or dedicated threat intelligence teams. TOP missions are scoped to organizational capacity, prioritizing the highest-impact controls first rather than demanding comprehensive security maturity before any protection exists. For a small critical access hospital, the first TOP mission against Rhysida focuses on three controls: patch the VPN, enable MFA on RDP, and configure alerting for NTDS.dit file access. These address the three most common Rhysida entry and escalation points. Complexity comes later. Protection starts immediately.
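The gap analysis and capacity-scoped prioritization described above can be made mechanical. The following is an added example, not CDA's or the Planetary Defense Model's own tooling: it lists the Rhysida techniques named in this article by kill-chain phase, maps candidate controls to the techniques they detect or block, reports which techniques are currently uncovered, and then picks controls under an effort budget using a greedy weighted set cover (earlier phases weigh more because stopping an intrusion early prevents every later phase). The technique and control names, the effort costs and the budget are assumptions made for illustration; gpo-change-alerting is an added control the article does not list.

```python
"""Added example (not CDA's or PDM's own tooling): Rhysida-focused gap analysis
and capacity-scoped control selection. Technique names, control names, effort
costs and the sample environments are constructed for illustration."""

# Rhysida techniques named in the article, keyed to kill-chain phase
# (1 = initial access, 2 = persistence/lateral movement, 3 = credential theft
# and exfiltration, 4 = encryption deployment).
TECHNIQUES = {
    "phishing-cobalt-strike": 1,
    "exposed-vpn-exploitation": 1,
    "exposed-rdp-weak-auth": 1,
    "purchased-credentials": 1,
    "zerologon-cve-2020-1472": 2,
    "psexec-lateral-movement": 2,
    "ad-recon-bloodhound-adfind": 2,
    "ntds-dit-extraction": 3,
    "cloud-exfil-rclone-megasync": 3,
    "gpo-mass-deployment": 4,
}
# Earlier phases weigh more: a control there also prevents every later phase.
PHASE_WEIGHT = {1: 4, 2: 3, 3: 2, 4: 1}

# Candidate controls: name -> (assumed effort cost, techniques it detects or
# blocks). gpo-change-alerting is an added control the article does not list.
CONTROLS = {
    "patch-vpn-appliance": (2, {"exposed-vpn-exploitation"}),
    "mfa-on-rdp": (2, {"exposed-rdp-weak-auth"}),
    "ntds-dit-access-alerting": (1, {"ntds-dit-extraction"}),
    "patch-zerologon-dcs": (2, {"zerologon-cve-2020-1472"}),
    "phishing-resistant-mfa-remote-access": (4, {"exposed-rdp-weak-auth", "purchased-credentials"}),
    "psexec-monitoring": (2, {"psexec-lateral-movement"}),
    "privileged-access-workstations": (5, {"ntds-dit-extraction", "psexec-lateral-movement",
                                           "ad-recon-bloodhound-adfind"}),
    "gpo-change-alerting": (1, {"gpo-mass-deployment"}),
}


def covered_by(controls):
    """Techniques addressed by a set of controls already in place."""
    covered = set()
    for c in controls:
        covered |= CONTROLS[c][1]
    return covered


def gap_analysis(existing_controls):
    """Techniques currently invisible or unmitigated, in kill-chain order."""
    covered = covered_by(existing_controls)
    return [t for t in TECHNIQUES if t not in covered]


def plan_mission(existing_controls, budget):
    """Greedy weighted set cover: repeatedly pick the control with the highest
    newly-covered weight per unit of effort that fits the remaining budget
    (ties: cheaper first, then name). Returns (chosen, still_uncovered)."""
    covered = covered_by(existing_controls)
    candidates = set(CONTROLS) - set(existing_controls)
    chosen, remaining = [], budget
    while True:
        best = None
        for name in sorted(candidates):
            cost, techs = CONTROLS[name]
            if cost > remaining:
                continue
            gain = sum(PHASE_WEIGHT[TECHNIQUES[t]] for t in techs if t not in covered)
            if gain == 0:
                continue
            key = (gain / cost, -cost)
            if best is None or key > best[0]:
                best = (key, name)
        if best is None:
            break
        name = best[1]
        chosen.append(name)
        remaining -= CONTROLS[name][0]
        covered |= CONTROLS[name][1]
        candidates.remove(name)
    return chosen, [t for t in TECHNIQUES if t not in covered]


if __name__ == "__main__":
    # Constructed scenario: a small critical access hospital with no controls
    # in place and capacity for about five effort units in its first mission.
    chosen, gaps = plan_mission([], budget=5)
    print("implement first:", chosen)
    print("still uncovered:", gaps)
```

With the assumed costs, the first mission for the no-controls hospital comes out as NTDS.dit alerting, MFA on RDP and the VPN patch, the same three controls the paragraph above names; everything still listed under "still uncovered" is the input to the next mission, which is how complexity is deferred without protection being deferred.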
---
Written by CDA Editorial