HHS Warns Healthcare Industry of Pysa Ransomware Threats

Access Management, Business Continuity Management/Disaster Recovery, Critical Infrastructure Security

The alert comes as healthcare entities around the world continue to battle cyberattacks and the fallout

Marianne Kolbasuk McGee (HealthInfoSec)
January 10, 2022

U.S. government authorities are warning healthcare entities of growing threats involving the Pysa ransomware and the cybercriminal gang Mespinoza – also known as Gold Burlap and Cyborg Spider – which deploys the malware.


In an alert, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center, or HC3, warns that the cybercrime group Mespinoza has targeted many industries, including healthcare, since 2018, and continues to develop its capabilities and increase the frequency of its attacks.

“Pysa is used to target sectors such as education, utilities, transportation, construction, business services and, specifically, the healthcare and public health sector,” writes HC3.

“Although the Pysa variant has only been known since December 2019, it has quickly become one of the most prolific threats to healthcare,” says HC3.

“In 2020, it was one of the top ten ransomware variants used to target healthcare…beating many other well-known variants such as Clop, LockBit, Nemty, RagnarLocker, Avaddon, MountLocker, and SunCrypt.”

Aggressive group

HC3 notes that the CyberPeace Institute, an independent nongovernmental organization based in Geneva, Switzerland, has found Pysa to be one of the most aggressive ransomware groups targeting healthcare over the past two years.

“Furthermore, they noted that unlike some cybercrime groups that have made public promises to refrain from targeting healthcare during the pandemic or others that have simply made no statement, Pysa specifically threatened health care and then delivered on those promises,” says HC3.

Mespinoza operates a leak site called Pysa’s Partners, which it uses to leverage “name and shame” tactics to apply additional pressure to coerce victims into paying ransoms, HC3 says.

Additionally, unlike many other cybercrime groups in recent times, Mespinoza is not known to operate as a ransomware-as-a-service, HC3 states. The top five countries targeted by Pysa ransomware attackers are the United States, United Kingdom, Canada, Spain and Brazil.

“Mespinoza is likely a closed RaaS that targets indiscriminately,” says Brett Callow, threat analyst at security vendor Emsisoft.

“Some of the posts on their leak site are quite juvenile, possibly indicating that the people behind the operation are younger,” he says.

According to Callow, among the healthcare organizations appearing on the Pysa leak website following ransomware attacks over the past two years were the Las Vegas Cancer Center and Assured Imaging. “[Mespinoza’s] other victims include local governments, schools, charities and hospices,” he says.

Other Incidents

The HC3 Pysa ransomware threat alert comes as healthcare entities in the United States continue to face an assortment of ransomware and other cyberattacks, including fallout from incidents that occurred towards the end of 2021.

For example, as of Monday, the Maryland Department of Health had still not fully recovered from a cyberattack detected on December 4. The department has not publicly stated whether the incident involved ransomware (see: Maryland Health Department systems are still affected by the incident).

On its website Monday, the state health department said about 95% of state-level surveillance data had been restored since the incident. “MDH continues to work to restore the full COVID-19 data set.”
The Washington Post reported Friday that Maryland state health workers are still unable to use their computers, access shared drives and obtain important health data after the December attack.

Maryland Department of Health Statement

The Maryland Department of Health, in a statement provided Monday to Information Security Media Group, said the organization was continuing its recovery efforts.

“Restoring network systems remains a priority for MDH and over the past week work has continued in this area. Our teams and partners have been working almost around the clock to ensure that the systems supporting human health and safety functions are prioritized for assessment and restoration,” the statement said.

“It is important to note that our methodical approach to restoration means that every MDH system that has been taken offline must first be assessed before it can be restored or brought back online. This assessment process is essential to protect the integrity of MDH’s systems and data. The criminal investigation into this incident is ongoing. Again, our investigation found no evidence to confirm that any data was accessed or acquired as a result of this incident.”

In recent days, the Maryland Board of Nursing resumed online licensing and license searches through its website, the statement said.

“MDH continues to thoroughly assess the critical systems involved in the security incident and identify the processes needed to support recovery. This is a time-consuming process as the incident affected multiple systems. MDH continues to work with law enforcement as well as other federal and state agencies to facilitate interagency response efforts.”

The Maryland Department of Health did not immediately respond to ISMG’s request for more details on the incident, including whether it involved ransomware.


“Recovering from a ransomware attack can be complex and time-consuming – more than organizations sometimes realise,” says Callow. “It is absolutely essential that recovery and continuity be tested periodically, with the aim of minimizing downtime and disruption.”

Global threats

Meanwhile, it’s not just U.S.-based healthcare entities battling ransomware and other major cyberattacks. The Bangkok Post reported on Monday that around 39 million alleged Siriraj Hospital patient records have been put up for sale on an online database-sharing forum, in what appears to be the latest cyberattack on the country’s public healthcare sector.

In addition, the Indonesian Ministry of Health reportedly said last week that it was investigating an alleged data breach involving one of its centralized servers, in which 6 million patient records were allegedly stolen to be sold on the dark web.

Taking Action

There are critical steps healthcare entities, including supply chain partners, can take to avoid becoming the next ransomware victim, says Curt Miller, executive director of the Electronic Standards Committee of Health Care Supply Chain Association.

He says employee training and credential management are key, and that IT teams need to use network segmentation and application whitelisting, with a zero trust approach wherever possible, to limit what a threat actor can reach if it gains a foothold.
