The Rhysida ransomware group [1] [2], which has been targeting various organizations across different sectors since May 2023 [1], has recently been the subject of a joint Cybersecurity Advisory released by the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). This advisory [1] [3] [4], part of the #StopRansomware initiative [1], provides valuable information on the methods used by the Rhysida group and the risks they pose.

Description

The Rhysida ransomware group carries out opportunistic attacks against organizations in sectors such as health care [2], education [2] [3] [4] [5] [6], manufacturing [2] [3] [4] [5] [6], information technology [4] [6], and government [2] [3] [4] [5] [6]. The group operates under a ransomware-as-a-service (RaaS) model [4]. To gain initial access and persistence within a network [4], the attackers use external-facing remote services such as virtual private networks (VPNs) [4], the Zerologon vulnerability (CVE-2020-1472) [2] [4], and phishing campaigns [2] [3] [4]. Rhysida employs double extortion tactics [2], demanding a ransom payment while also threatening to publish exfiltrated data [2]. Additionally, the group shares similarities with another ransomware crew known as Vice Society. In October 2023 alone [2], Rhysida claimed five victims [2], causing significant disruptions and delays in health care delivery [6]. To evade detection [2], the group relies on living-off-the-land (LotL) techniques [2].

In addition to the Rhysida ransomware group, the BlackCat ransomware gang has also been active. It targets corporations and public entities with Google ads that promote popular software in order to lure victims to attacker-controlled websites. These ads serve as the delivery mechanism for the initial access malware known as Nitrogen, which can in turn deliver ransomware. The ransomware landscape is constantly evolving [2], with new groups emerging regularly; this evolution is fueled by the cross-pollination of skills and resources among ransomware gangs.

Conclusion

The Rhysida ransomware attacks have had significant impacts on various sectors, particularly health care, resulting in disruptions and delays in service delivery [6]. To combat this threat, organizations are strongly encouraged to review the #StopRansomware webpage and access the updated #StopRansomware Guide [4], which includes recommended mitigations [4]. The joint Cybersecurity Advisory released by the FBI and CISA provides valuable information based on incident response investigations and malware analysis. It is crucial for organizations to stay informed and implement these mitigations to reduce the likelihood and impact of Rhysida and other ransomware incidents. As the ransomware landscape continues to evolve, it is important for organizations to remain vigilant and adapt their cybersecurity measures accordingly.

References

[1] https://heimdalsecurity.com/blog/fbi-and-cisa-issue-advisory-on-rhysida-ransomware/
[2] https://thehackernews.com/2023/11/cisa-and-fbi-issue-warning-about.html
[3] https://www.waterisac.org/portal/joint-cybersecurity-advisory-%E2%80%93-stopransomware-rhysida-ransomware
[4] https://www.cisa.gov/news-events/alerts/2023/11/15/cisa-fbi-and-ms-isac-release-advisory-rhysida-ransomware
[5] https://www.cybersecurity-review.com/news-november-2023/stopransomware-rhysida-ransomware/
[6] https://www.aha.org/news/headline/2023-11-15-fbi-cisa-ms-isac-warn-rhysida-ransomware-threat-hospitals