Easterseals reports breach as Rhysida ransom gang demands $1.3M


The Rhysida cybercriminal outfit has proven once again it has no conscience – claiming an attack on Easterseals – an organization dedicated to helping the disabled – along with a $1,350,000 ransom tag.

Easterseals, a historic charitable healthcare organization providing community and family services for Americans living with disabilities nationwide, first reported the breach – which took place in April – with the Maine Attorney General’s office last week.

A copy of a letter sent to the AG was also posted with the filing, which revealed that as of October 14th, the records of 14,855 people were affected in the hack.


“On April 1, 2024, Easterseals experienced a network disruption that impacted the functionality and access of certain systems,” forcing the organization to disconnect all access to its network, it said.

Image: Easterseals breach notice filed with the Office of the Maine Attorney General.

Sensitive information stolen

A forensic investigation concluded on October 7th that certain files had been accessed, including files containing personally identifiable information (PII) such as:

  • Individuals’ full name and address
  • Driver’s license number
  • Social Security number
  • Passport information
  • Medical and health information

The Peoria, Illinois-based non-profit has been advocating for disabled Americans for more than 100 years to increase their quality of life, making Rhysida’s ransom demand that much more reprehensible.

Just last week, Easterseals had also put out an urgent call on social media for disaster relief help in the wake of Hurricanes Helene and Milton, on behalf of disabled persons with home damage and no access to clean water, food, and cleaning supplies.

Aditya Sood, Vice President of Security Engineering and AI Strategy at Aryaka, points out the significant threat Rhysida has become for critical sectors like healthcare, education, and government.

“The urgency of the situation cannot be overstated,” Sood said, adding that Easterseals has most likely suffered “severe consequences” due to the operational downtime caused by the attack.

Image: Easterseals entry on the Rhysida leak site.

“Given the threat of Rhysida, it is imperative for organizations to respond swiftly. Implementing network containment strategies such as segmentation, virtual local area network (VLAN) quarantining, zero-trust network access (ZTNA), and traffic filtering is crucial... restricting lateral movement across organization networks," Sood said.

Rhysida provides proof

The Russian-linked Rhysida gang posted the 20 Bitcoin ransom demand earlier this week, the equivalent of roughly $1,350,000 USD. As of Friday, Easterseals has four days left to pay the criminal cartel; otherwise, the sensitive files will be published or sold to other criminals.

Cybernews was able to view the samples provided by Rhysida and confirm copies of passports, driver’s licenses, tax forms, and signed employment agreements, among others. We have also reached out to Easterseals but have not heard back at the time of this report.

Image: Sample of stolen Easterseals documents posted on the Rhysida leak site.

“Rhysida employs well-established ransomware tactics such as the double extortion model, ransomware-as-a-service (RaaS), and encryption algorithms,” said Sood.

Sood explained that what sets Rhysida apart from other ransomware strains – citing other notorious Kremlin-linked ransomware groups such as REvil, DarkSide, Ryuk, and Maze – is the group’s “significant enhancement of the encryption process.”

“This allows them to exfiltrate large sets of stolen data without detection, making Rhysida highly invasive and remarkably effective in its operations,” Sood said.

Easterseals stated it has since implemented new and more robust security controls, including “industry-leading endpoint security software, cloud-based servers, and multi-factor authentication,” to help protect its systems from future attacks.


Besides mailing breach notifications to those affected on October 14th, the non-profit said it has further offered victims 12 months of free credit monitoring.

According to Easterseals, one in four Americans lives with some form of disability. The organization provides critical early childhood programs, autism services, medical rehabilitation, employment programs, veterans’ services, and more.

Rhysida favors 'targets of opportunity'

The Russian-affiliated Rhysida group has claimed more than 139 victims on its dark web leak site since its inception in May 2023.

The gang is known for going after “targets of opportunity” and has infiltrated various sectors including education, healthcare, manufacturing, and local governments, according to an updated US Defense Department profile on the gang from last November.

The group's namesake ransomware has been labeled as "unsophisticated." The gang typically gains a foothold through phishing or by exploiting exposed vulnerabilities, then relies on the commercial Cobalt Strike penetration-testing framework to move through victim networks once inside.

Most recently, Rhysida made headlines targeting (and taunting) the Seattle-Tacoma International Airport with a 100 BTC ransom demand after an attack that caused a weeks-long systemwide outage at the busy West Coast hub. The Sea-Tac breach even forced some major airlines, such as Delta, Singapore Airlines, and Alaska Airlines, to handwrite passenger boarding passes.

Over the summer, the gang went after the Washington Times newspaper, offering to auction off the news organization's stolen data for a mere 5 bitcoin.


In July, Rhysida successfully targeted the City of Columbus, Ohio, also triggering weeks-long outages of city services, the reconstruction of the city’s official website, and an investigation that is still ongoing.

Previous victims include the British Library, the UK’s national library and one of the world’s largest repositories of historical knowledge, as well as the Ann & Robert H. Lurie Children’s Hospital in Chicago and the Prospect Medical Group network of US hospitals and healthcare facilities.