Lurie Children's Hospital investigating claims "Rhysida" could be behind ransomware attack

Ransomware group Rhysida takes credit for Lurie Children's Hospital cyberattack

CHICAGO (CBS)-- A group using ransomware called "Rhysida" could be behind the cyberattack at Lurie Children's Hospital

Earlier this month, the hospital confirmed it experienced an attack from an outside threat, which led the hospital to take its phone, email, and other systems offline on Jan. 31 and caused disruptions to its regular operations since then.  

Lurie Children's Hospital released a statement confirming officials are aware of claims that "Rhysida" ransomware is behind the attack. Lurie added they continue to work with police and security experts and cannot share further details on the investigation.

But a post on the ransomware gang's "data leak" made the terms pretty clear.

The post advertises a price of 60 bitcoin - equivalent to about $3.4 million - in exchange for "exclusive, unique, and impressive" data from the hospital. It even gives an ominous time frame of "7 days to seize the clock."

"It's because they haven't been able to negotiate, or negotiations failed," said Jason Baker, a cyber threat intelligence expert with Guidepoint Security.

Baker said the message is either a sign that the group has not successfully contacted the hospital or that negotiations have not been fruitful.

"Rhysida publicly makes a big deal about trying to sell the data to whoever will take it first," Baker said.

As for that 60 bitcoin — or $3.4 million figure, Baker said that is really high in his experience, or as he put it, "aspirational." 

Baker said Rhysida is known for making that sale of data public — unlike other ransomware groups that do it secretly.

Lurie's network has been down since Jan. 31, causing significant disruptions to its regular operations.

What about that seven-day warning in the post?

"At the end of that, they will have either sold the data, or they'll post it publicly for download," Baker said.

An August bulletin published by the U.S. Department of Health and Human Services warned that Rhysida was becoming more active - and appeared to be focusing on the healthcare sector. 

As CBS 2 reported, there was speculation that the group LockBit could also be behind the attack and severe outage. The group's involvement has not been confirmed, but LockBit took credit for a similar outage at a hospital on the city's West Side.

LockBit has been linked to thousands of attacks since 2019.  

According to available data, 46 hospital systems were targeted by ransomware last year. But that number may be much higher – since there are no mandatory reporting requirements yet.

While the recent takedowns of groups like LockBit have at least temporarily disrupted some bad actors, Baker said he and other experts are anxiously waiting to see if it will be enough of a deterrent.

"I think it will deter the largest and most impactful groups from being as prolific as they may have been over the last year," Baker said. 

Rhysida ransomware is deployed in multiple ways, according to the bulletin. Primary methods include breaching targets' networks via phishing attacks. 

Read more

We and our partners use cookies to understand how you use our site, improve your experience and serve you personalized content and advertising. Read about how we use cookies in our cookie policy and how you can control them by clicking Manage Settings. By continuing to use this site, you accept these cookies.