Rhysida Ransomware Group Targets King Edward VII’s Hospital in London

November 30, 2023

The Rhysida ransomware group has reportedly breached the security of King Edward VII’s Hospital, a prominent private healthcare provider in central London, and has stolen a significant amount of sensitive data. The hospital, recognized for its acute and specialist medical care, has been in operation since 1899 and has a notable history of serving the working class.

The ransomware group announced the attack on its Tor leak site, where it also posted images of the stolen documents as evidence of the breach. The stolen data includes medical reports, registration forms, x-ray images, prescriptions, and other sensitive patient and employee information. The group even claimed to have data related to the Royal Family.

The Rhysida ransomware group is attempting to sell the stolen data for 10 Bitcoin (BTC) to a single buyer. If the data is not purchased within seven days of the announcement, the group threatens to publicly release the information.

The ransomware group, which has been active since May 2023, has previously targeted the British Library and the China Energy Engineering Corporation. According to their Tor leak site, the group has victimized at least 62 companies across various sectors including education, healthcare, manufacturing, information technology, and government.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a joint cybersecurity advisory warning of Rhysida ransomware attacks. The advisory stated, “Threat actors leveraging Rhysida ransomware are known to impact 'targets of opportunity,' including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society (DEV-0832)[1] activity and the actors observed deploying Rhysida ransomware.”

The advisory also confirmed that Rhysida operates under a ransomware-as-a-service (RaaS) model, in which the ransomware tooling and infrastructure are rented out and profits from any paid ransoms are shared between the group and its affiliates. The Rhysida group typically gains initial access to target networks through external-facing remote services such as VPNs and RDP, often using compromised credentials. The group has been known to exploit Zerologon (CVE-2020-1472) in Microsoft’s Netlogon Remote Protocol in their phishing attempts, and uses living-off-the-land techniques to carry out their malicious operations.
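As an added illustration of the defender's side of the two access behaviours summarised above (this is example code written for this page, not code from the advisory, from CISA, or from any vendor), the following script triages a handful of constructed Windows Security-style event records. It flags RemoteInteractive (RDP, logon type 10) logons whose source address is outside an assumed corporate range, and flags a domain controller machine account being changed by ANONYMOUS LOGON, the commonly cited post-patch indicator of a Zerologon password reset. The field names, the internal address ranges, the domain controller account list, and all sample events are assumptions constructed for the example.

```python
"""Triage constructed Windows Security event records for the two initial-access
behaviours described above: remote logons over exposed services using valid
credentials, and a Zerologon-style reset of a domain controller's machine account.
Example code for this page; the field layout is an assumption loosely modelled
on Windows Security log fields, not a real collector's schema."""
import ipaddress
from dataclasses import dataclass

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 4624, "logon_type": 10, "user": "jsmith",
     "src_ip": "10.20.3.15", "host": "WS-101"},
    {"event_id": 4624, "logon_type": 10, "user": "svc_backup",
     "src_ip": "203.0.113.45", "host": "SRV-APP1"},
    {"event_id": 4624, "logon_type": 3, "user": "jsmith",
     "src_ip": "10.20.3.15", "host": "FS-01"},
    {"event_id": 4742, "user": "ANONYMOUS LOGON", "target": "DC01$",
     "host": "DC01", "src_ip": "10.20.9.77"},
    {"event_id": 4742, "user": "DC01$", "target": "DC01$",
     "host": "DC01", "src_ip": "10.20.9.10"},
]

# Assumptions for the example: the corporate address space and the set of
# domain controller machine accounts would normally come from the CMDB/AD.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DOMAIN_CONTROLLERS = {"DC01$"}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(events):
    """Return a Finding for every event matching one of the two rules."""
    findings = []
    for e in events:
        eid = e["event_id"]
        # 4624 with logon type 10 is a RemoteInteractive (RDP) logon. One that
        # does not originate inside the corporate ranges points at a directly
        # exposed remote service being used with valid credentials.
        if eid == 4624 and e.get("logon_type") == 10 and not is_internal(e["src_ip"]):
            findings.append(Finding("external_rdp_logon", e["host"],
                                    f"{e['user']} from {e['src_ip']}"))
        # 4742 is "a computer account was changed". A domain controller's own
        # machine account being changed by ANONYMOUS LOGON is the widely cited
        # indicator of a Zerologon (CVE-2020-1472) password reset.
        if (eid == 4742 and e.get("target") in DOMAIN_CONTROLLERS
                and e.get("user") == "ANONYMOUS LOGON"):
            findings.append(Finding("dc_account_reset_anonymous", e["host"],
                                    f"{e['target']} changed by {e['user']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the constructed events, the script reports one external RDP logon on SRV-APP1 and one anonymous change to DC01$; the legitimate internal RDP session, the network logon, and the DC's routine self-initiated password change are left alone.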
