Rhysida Ransomware Group Targets King Edward VII’s Hospital in London

November 30, 2023

The Rhysida ransomware group has reportedly breached the security of King Edward VII’s Hospital, a prominent private healthcare provider in central London, and has stolen a significant amount of sensitive data. The hospital, recognized for its acute and specialist medical care, has been in operation since 1899 and has a notable history of serving the working class.

The ransomware group announced the attack on its Tor leak site, where it also posted images of the stolen documents as evidence of the breach. The stolen data includes medical reports, registration forms, x-ray images, prescriptions, and other sensitive patient and employee information. The group even claimed to have data related to the Royal Family.

The Rhysida ransomware group is attempting to sell the stolen data for 10 Bitcoin (BTC) to a single buyer. If the data is not purchased within seven days of the announcement, the group threatens to publicly release the information.

The ransomware group, which has been active since May 2023, has previously targeted the British Library and the China Energy Engineering Corporation. According to their Tor leak site, the group has victimized at least 62 companies across various sectors including education, healthcare, manufacturing, information technology, and government.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a joint cybersecurity advisory warning of Rhysida ransomware attacks. The advisory stated, “Threat actors leveraging Rhysida ransomware are known to impact 'targets of opportunity,' including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society (DEV-0832)[1] activity and the actors observed deploying Rhysida ransomware.”

The advisory also confirmed that Rhysida operates as a ransomware-as-a-service (RaaS) model, where ransomware tools and infrastructure are rented out and profits from any paid ransoms are shared between the group and its affiliates. The Rhysida group typically gains access to target networks through external-facing remote services like VPNs and RDPs, often using compromised credentials. The group has been known to exploit Zerologon (CVE-2020-1472) in Microsoft’s Netlogon Remote Protocol in their phishing attempts, and uses living off-the-land techniques to carry out their malicious operations.

Related News

• Rhysida Ransomware Group Claims Attack on China Energy Engineering Corporation
• FBI and CISA Issue Alert on Rhysida Ransomware Attacks
• Cuba Ransomware Group's Sophisticated Cyberattack Techniques Unveiled
• Cuba Ransomware Gang Exploits Veeam Vulnerability in Attacks on U.S. Critical Infrastructure
• New BlackCat Ransomware Variant Incorporates Advanced Impacket and RemCom Tools

Latest News

• BLUFFS Bluetooth Attacks Pose Major Threat: A Researcher's Study
• Unpatched Vulnerabilities Detected in Ray Open Source Framework for AI/ML
• Google Chrome Rolls Out Urgent Security Update to Address 6th Zero-Day Exploit in 2023
• Critical ownCloud Vulnerability Under Active Exploitation
• North Korean Hackers Innovate macOS Malware Tactics to Elude Detection