The FBI and CISA warned today of Rhysida ransomware gang’s opportunistic attacks targeting organizations across multiple industry sectors.
Rhysida, a ransomware enterprise that surfaced in May 2023, quickly gained notoriety after breaching the Chilean Army (Ejército de Chile) and leaking stolen data online.
Recently, the US Department of Health and Human Services (HHS) also warned that the Rhysida gang was responsible for recent assaults on healthcare organizations.
Today’s joint cybersecurity advisory provides defenders with indicators of compromise (IOCs), detection info, and Rhysida tactics, techniques, and procedures (TTPs) discovered during investigations as of September 2023.
“Threat actors leveraging Rhysida ransomware are known to impact ‘targets of opportunity,’ including victims in the education, healthcare, manufacturing, information technology, and government sectors,” the two agencies noted.
“Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates.”
Rhysida attackers have also been detected hacking into external-facing remote services (like VPNs that allow enterprise users to access company assets from external locations) using stolen credentials to establish initial access and maintain a presence within victims’ networks.
This was possible when targeting organizations that didn’t have Multi-Factor Authentication (MFA) enabled by default across their environment.
Furthermore, Rhysida malicious actors are known for phishing attacks and exploiting Zerologon (CVE-2020-1472), a critical vulnerability enabling Windows privilege escalation within Microsoft’s Netlogon Remote Protocol.
The FBI and CISA add that affiliates associated with the Vice Society ransomware group, tracked by Microsoft as Vanilla Tempest or DEV-0832, have transitioned to using Rhysida ransomware payloads during their attacks.
Sophos, Check Point Research, and PRODAFT research have noted this shift occurring approximately in July 2023, right after Rhysida first began adding victims to its data leak website.
Network defenders are advised to apply mitigations outlined in today’s joint advisory to minimize the likelihood and severity of ransomware incidents like Rhysida.
At the very least, it is crucial to prioritize patching vulnerabilities under active exploitation, enabling MFA across all services (particularly for webmail, VPN, and critical system accounts), and using network segmentation to block lateral movement attempts.