Rhysida Ransomware Attack on Cookeville Regional Medical Center: Detection and Incident Response Playbook

Introduction

Cookeville Regional Medical Center (CRMC) in Tennessee has become the latest victim of a targeted ransomware attack by the Rhysida threat group. This incident is a textbook case of double extortion: the attackers successfully encrypted systems and stole approximately 500GB of sensitive data affecting 337,917 individuals. For defenders, this breach is a critical reminder that healthcare organizations remain prime targets for actors leveraging encryption and data theft to apply maximum pressure. The urgency to detect lateral movement and massive egress activity cannot be overstated.

Technical Analysis

Threat Actor and Methodology

Threat Actor: Rhysida (aka Rhysida Ransomware).
Attack Vector: While the specific initial access vector (e.g., phishing, VPN exploit) for CRMC was not disclosed, Rhysida is historically known for exploiting external-facing services and leveraging valid credentials purchased on the dark web.
Payload and Execution: Rhysida deploys a custom ransomware encryptor written in C++.
TTPs (Tactics, Techniques, and Procedures):
- Exfiltration: The group utilizes tools like Rclone and Mega.io to stage and exfiltrate large volumes of data (evidenced by the 500GB theft) before encryption begins.
- Defense Evasion: They frequently utilize PowerShell to execute living-off-the-land (LOLBins) commands to disable security tools and delete shadow copies using vssadmin or wbadmin to prevent recovery.
- Encryption: The malware targets critical file extensions and appends its own extension (often identified in previous campaigns as .rhysida).

Exploitation Status

Active exploitation of healthcare entities by Rhysida is confirmed in the wild. There is currently no specific CVE linked to the CRMC breach announcement, but the attack chain heavily relies on credential abuse and post-exploitation tooling rather than a specific zero-day vulnerability.

Detection & Response

The following detection mechanisms focus on the specific TTPs observed in Rhysida attacks: the use of Rclone for data theft and the deletion of Volume Shadow Copies to prevent recovery.

SIGMA Rules

YAML

---
title: Potential Rhysida Ransomware Exfiltration Tool - Rclone Execution
id: 9a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
status: experimental
description: Detects the execution of rclone.exe, a tool frequently used by Rhysida actors to exfiltrate large volumes of data to cloud storage.
references:
  - https://securityaffairs.com/190898/cyber-crime/cookeville-regional-medical-center-hospital-data-breach-impacts-337917-people.html
author: Security Arsenal
date: 2024/06/21
tags:
  - attack.exfiltration
  - attack.t1567.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\rclone.exe'
  condition: selection
falsepositives:
  - Legitimate administrative use of rclone for backup sync (rare in healthcare endpoints)
level: high
---
title: Volume Shadow Copy Deletion via Vssadmin
id: 1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
status: experimental
description: Detects attempts to delete Volume Shadow Copies using vssadmin, a common step in Rhysida ransomware playbook to prevent restoration.
references:
  - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2024/06/21
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains: 'delete shadows'
  condition: selection
falsepositives:
  - System administrator manually managing disk space (verify context)
level: critical
---
title: Suspicious PowerShell Encoded Command Pattern
id: 2b3c4d5e-6f7g-8h9i-0j1k-2l3m4n5o6p7q
status: experimental
description: Detects PowerShell execution with encoded commands, often used by Rhysida to obfuscate payload delivery.
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2024/06/21
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - '-Enc '
      - '-EncodedCommand '
  condition: selection
falsepositives:
  - Legitimate software installers or management scripts using encoded commands
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender

// Hunt for Rclone execution and massive egress patterns related to Rhysida
let ProcessEvents = DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "rclone.exe" 
   or (ProcessCommandLine contains "delete shadows" and FileName =~ "vssadmin.exe");
let NetworkEvents = DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (443, 80) 
   and InitiatingProcessFileName =~ "rclone.exe";
union ProcessEvents, NetworkEvents
| project Timestamp, DeviceName, ActionType, FileName, ProcessCommandLine, RemoteIP, RemoteURL, InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor

-- Hunt for Rhysida indicators: Rclone binaries and VSSAdmin usage
SELECT 
  Pid, 
  Name, 
  CommandLine, 
  Exe, 
  Username, 
  CreateTime
FROM pslist()
WHERE Name =~ 'rclone' 
   OR (Name =~ 'vssadmin.exe' AND CommandLine =~ 'delete shadows')

-- Check for file extensions associated with Rhysida encryption (if applicable)
-- Note: Rhysida often uses .rhysida extension, adjust if new variants emerge
SELECT FullPath, Mtime, Size, Mode
FROM glob(globs='/*\*.rhysida', root=('/') )
LIMIT 50

Remediation Script (PowerShell)

PowerShell

<#
.SYNOPSIS
    Incident Response Script for Rhysida Ransomware Containment
.DESCRIPTION
    Isolates the host, kills common Rhysida processes (rclone), and audits Shadow Copy status.
#>

Write-Host "[!] Starting Rhysida Containment Protocol..." -ForegroundColor Yellow

# 1. Kill known malicious processes used by Rhysida
$maliciousProcesses = @("rclone", "vssadmin")
foreach ($proc in $maliciousProcesses) {
    Get-Process -Name $proc -ErrorAction SilentlyContinue | Stop-Process -Force
    Write-Host "[-] Terminated process: $proc" -ForegroundColor Red
}

# 2. Disable Network Interfaces to prevent further exfiltration (Isolation)
# WARNING: Verify remote access requirements before running in production
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Disable-NetAdapter -Confirm:$false
Write-Host "[-] Network adapters disabled to contain exfiltration." -ForegroundColor Red

# 3. Check for Shadow Copy existence
$vssStatus = vssadmin list shadows
if ($vssStatus -like "*No shadow copies*") {
    Write-Host "[!] ALERT: No Shadow Copies found. Deletion likely successful." -BackgroundColor Red
} else {
    Write-Host "[+] Shadow Copies exist. Preserve disk state for forensics." -ForegroundColor Green
}

Write-Host "[!] Containment complete. initiate IR plan." -ForegroundColor Cyan

Remediation

Immediate Isolation: Disconnect impacted systems from the network immediately to halt ongoing encryption (500GB suggests a slow, methodical exfiltration process that may still be active on other nodes).
Credential Reset: Assume full compromise of Active Directory credentials. Reset all privileged account passwords and enforce MFA for all users, specifically targeting VPN and remote access portals.
Block Rclone: If not required for business operations, block the execution of rclone.exe via Application Whitelisting (AppLocker) or EDR policies.
Vendor Advisory & Patches: While no specific CVE was disclosed for this entry, audit external-facing VPNs (Fortinet, Cisco, Citrix) and RDP gateways for unpatched vulnerabilities, as Rhysida frequently exploits these.
Data Restoration: Restore encrypted data from offline backups. Do not pay the ransom, as decryption tools for Rhysida are not consistently reliable and payment funds further criminal activity.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub