The Cookeville Regional Medical Center (CRMC), serving the surrounding Tennessee and Kentucky regions, is still struggling to recover from a July 13th ransomware attack claimed over the weekend by the Rhysida gang.
- The Rhysida ransomware group has posted the Cookeville Regional Medical Center on its dark leak site, two weeks after the initial attack.
- The medical center says IT teams are working around the clock, but has not said whether patient health data was compromised, even though Rhysida has posted over a dozen sample documents on its leak site.
- Although some delays have been reported and complaints have been made on social media, the hospital says patient care has largely remained unaffected.
Announcing the outage to patients on its website, the major medical facility said it first became aware of the “unusual activity, which created a technical outage on July 13, 2025” and that the “network security incident has disrupted some of the medical center’s computer systems.”
The center was listed on the Rhysida dark leak site on August 2nd, more than two weeks after CRMC said it discovered the breach, leading Cybernews to believe negotiations between the hospital and the cybercriminals have since broken down.
Posted on its live “Auction” tab, the ransomware group has given the hospital just over 4 days to pay an undisclosed ransom demand before it sells the hospital’s data for an asking price of 10 BTC, worth about $1,150,000.

The Cookeville Regional Medical Center serves about 250,000 patients annually across 14 counties in the Upper Cumberland region of Tennessee, extending into Kentucky. According to its website, CRMC has over 2,500 employees and 175 physicians, and offers more than 40 medical and surgical specialties.
Since confirming a ransomware attack, hospital officials say their Information System (IS) Security Team has “been working around the clock to restore the affected systems and services.”
“The IS security team has been here 24 hours a day. We greatly appreciate everyone’s patience during this process,” said Tim McDermott, CRMC Chief Information Officer.
“We take this matter seriously, and we are working with outside IT experts to investigate the issue. This investigation is ongoing,” McDermott said, noting that federal law enforcement was also notified.
Rhysida posted a sampling of about fifteen allegedly stolen documents, which Cybernews could view. The samples contain what appear to be several driver’s licenses, numerous patient medical files, employee tax documents, and various financial documents, some dating back to 2018.

Cookeville Regional said it would release updates when appropriate and notify patients if investigators discovered their data was “accessed or acquired without authorization.”
“The privacy and security of every patient’s information is one of CRMC’s top priorities,” it said.
Limited disruptions to patient care
Miraculously, in its last statement posted to Facebook (July 15th), Cookeville Regional CEO Buffy Key stated that “patient care has not been affected, even though technology, scheduling, etc. have been slow.”
“Our team has stayed grounded in making sure we see patients and care for them. That is always the priority,” the CEO said, adding, “there are many questions all of us would like to know the answers to, and those will be answered in time, we do believe.”
However, delays for test results, including X-rays, have been reported, as well as cancelled appointments and problems scheduling surgeries at many of the facility’s outpatient offices.
Patients commenting on Facebook had mixed reviews on how CRMC and its staff are handling the situation. And, so far, CRMC has not provided an estimated restoration date on its website since its initial public statement posted last month.
One patient called the communication “terrible,” claiming 40 people had to wait more than 8 hours for test results. “When these things happen, you need to provide updates to those waiting for results in ER,” they said.
Other patients reported no issues with care: “I was there Tuesday to get checked out by labor and delivery, and everyone was fantastic. Never would have known there was an issue going on, thankfully.”
Besides the possible leak of sensitive patient data, uncontrolled disruption to patient care is one of the main levers ransomware groups rely on to pressure medical facilities into paying a ransom: restoring network systems can take weeks, leaving vulnerable patients’ lives at risk in the meantime.
Rhysida doubles victim count
The Russian-affiliated Rhysida group has claimed more than 200 victims on its dark blog since its inception in May 2023, nearly doubling its victim count over the past 12 months.
The gang is known for going after “targets of opportunity” and has infiltrated various sectors, including education, healthcare, manufacturing, and local governments, according to an updated US Defense Department profile on the gang from last November.
In May, the group claimed to have infiltrated the servers of the government of Peru, and earlier this year it targeted the government of Montréal-Nord in Quebec, demanding that the Canadian borough pay a $1 million (10 BTC) ransom.

A February 2024 Trend Micro profile on the group revealed the threat actor often gains initial access to its victims using phishing attacks and, in the past, has “posed as a cybersecurity team that offered to help its victims identify security weaknesses in their networks and systems,” the researchers said.
Once inside a network, the Rhysida gang is known to rely on the Cobalt Strike penetration-testing framework for post-compromise activity before launching its namesake ransomware to encrypt the victim’s systems.
The Vice Society ransomware group has been linked to Rhysida through similar tactics, techniques, and procedures (TTPs) and by using Rhysida’s ransomware as an affiliate, purportedly splitting a portion of its earnings with the gang.
In fall 2024, Rhysida also made headlines targeting (and taunting) the Seattle-Tacoma International Airport with a 100 BTC (roughly $11 million) ransom demand after an attack that caused a weeks-long systemwide outage at the busy West Coast hub.
Last July, Rhysida successfully targeted the City of Columbus, Ohio, triggering weeks-long outages of city services and the reconstruction of the city’s official website.
Other previous victims include The Washington Times, the Easterseals international charity, the UK’s national British Library, the Anne & Robert H. Lurie Children’s Hospital in Chicago, and the Prospect Medical Group network of US hospitals and healthcare facilities.
Last February, a research team from the Korea Internet & Security Agency (KISA) was able to break the gang’s encryption and shared a free Rhysida Decryption Tool and manual on its website.