The Rhysida cybercriminal outfit has proven once again it has no conscience – claiming an attack on Easterseals – an organization dedicated to helping the disabled – along with a $1,350,000 ransom tag.
Easterseals, a historic charitable healthcare organization providing community and family services for Americans living with disabilities nationwide, first reported the breach – which took place in April – with the Maine Attorney General’s office last week.
A copy of a letter sent to the AG was also posted with the filing, which revealed that as of October 14th, the records of 14,855 people were affected in the hack.
“On April 1, 2024, Easterseals experienced a network disruption that impacted the functionality and access of certain systems,” forcing the organization to disconnect all access to its network, it said.
Sensitive information stolen
A forensic investigation found that, on October 7th, certain files were accessed, including files containing personally identifiable information (PII) such as:
- Individuals’ full name and address
- Driver’s license
- Social security number
- Passport information
- Medical and health information
The Peoria, Illinois-based non-profit has been advocating for disabled Americans for more than 100 years to increase their quality of life, making Rhysida’s ransom demand that much more reprehensible.
Just last week, Easterseals had also put out an urgent call on social media for disaster relief help in the wake of Hurricanes Helene and Milton for disabled persons with home damage and no access to clean water, food, and cleaning supplies.
Aditya Sood, Vice President of Security Engineering and AI Strategy at Aryaka, points out the significant threat Rhysida has become for critical sectors like healthcare, education, and government.
“The urgency of the situation cannot be overstated,” Sood said, adding that Easterseals has most likely suffered “severe consequences” due to the operational downtime caused by the attack.
“Given the threat of Rhysida, it is imperative for organizations to respond swiftly. Implementing network containment strategies such as segmentation, virtual local area network (VLAN) quarantining, zero-trust network access (ZTNA), and traffic filtering is crucial... restricting lateral movement across organization networks," Sood said.
Rhysida provides proof
The Russian-linked Rhysida gang posted the 20 Bitcoin ransom demand earlier this week, which is the equivalent of roughly $1,350,000 USD. As of Friday, Easterseals has four days left to pay off the criminal cartel, otherwise the sensitive files will be published or sold off to other criminals.
Cybernews was able to view the samples provided by Rhysida and confirm copies of passports, driver’s licenses, tax forms, and signed employment agreements, among others. We have also reached out to Easterseals but have not heard back at the time of this report.
“Rhysida employs well-established ransomware tactics such as the double extortion mode, ransomware-as-a-service (RaaS), and encryption algorithms,” said Sood.
Sood explained that what sets Rhysida apart from other ransomware strains – citing other notorious Kremlin-linked ransomware groups such as REvil, DarkSide, Ryuk, Maze – is the group’s “significant enhancement of the encryption process.”
“This allows them to exfiltrate large sets of stolen data without detection, making Rhysida highly invasive and remarkably effective in its operations,” Sood said.
Easterseals stated it has since implemented “new and more robust security controls, including industry-leading endpoint security software, cloud-based servers, and multi-factor authentication,” to help protect its systems from future attacks.
Besides mailing breach notifications to those affected on October 14th, the non-profit said it has further offered victims 12 months of free credit monitoring.
According to Easterseals, one in four Americans suffers from some disability. The organization provides critical early childhood programs, autism services, medical rehabilitation, employment programs, veterans’ services, and more.
Rhysida favors 'targets of opportunity'
The Russian-affiliated Rhysida group has claimed more than 139 victims on its dark blog since its inception in May 2023.
The gang is known for going after “targets of opportunity” and has infiltrated various sectors including education, healthcare, manufacturing, and local governments, according to an updated US Defense Department profile on the gang from last November.
The group's namesake ransomware has been labeled as "unsophisticated," typically launching its attacks using phishing tactics or seeking vulnerabilities using Cobalt Strike pen-testing tools.
Most recently Rhysida made headlines targeting (and taunting) the Seattle-Tacoma International Airport with a 100 BTC ransom demand after an attack that caused a weeks-long systemwide outage at the busy West Coast hub. The Sea-Tac breach even forced some major airlines, like Delta, Singapore, and Alaska Airlines, to handwrite passenger boarding passes.
“We understand the impact this outage has had on travelers. We greatly appreciate your patience throughout the week and heading into the busy Labor Day weekend.”
Seattle-Tacoma Intl. Airport (@flySEA), August 28, 2024
Over the summer the gang went after the Washington Times newspaper, offering to auction off the news organization's stolen data for a mere 5 bitcoin.
In July, Rhysida successfully targeted the City of Columbus, Ohio, also triggering weeks-long outages of city services, the reconstruction of the city’s official website, and an investigation that is still ongoing.
Previous victims include the UK’s national library, the British Library, considered the world’s largest repository of historical knowledge, as well as the Anne & Robert H. Lurie Children’s Hospital in Chicago, and the Prospect Medical Group network of US hospitals and healthcare facilities.