FBI and CISA Issue Alert on Rhysida Ransomware Attacks
November 15, 2023
The FBI and CISA have issued an advisory warning of the Rhysida ransomware gang's opportunistic attacks on organizations across multiple sectors. Rhysida, a ransomware operation that emerged in May 2023, quickly became notorious after it breached the Chilean Army and leaked stolen data on the internet. The US Department of Health and Human Services also recently warned that the Rhysida gang was behind recent attacks on healthcare organizations.
Today's joint cybersecurity advisory provides defenders with indicators of compromise, detection guidance, and details of Rhysida's tactics, techniques, and procedures discovered during investigations as of September 2023. The agencies noted, "Threat actors leveraging Rhysida ransomware are known to impact 'targets of opportunity,' including victims in the education, healthcare, manufacturing, information technology, and government sectors." Rhysida operates under a ransomware-as-a-service model: affiliates compromise organizations across sectors and split any ransom paid with the core group.
Rhysida actors have gained initial access and persistence by logging into external-facing remote services such as VPNs with stolen credentials, an approach that succeeds against organizations that have not enforced multi-factor authentication across their environment. They are also known to use phishing and to exploit Zerologon (CVE-2020-1472), a critical flaw in Microsoft's Netlogon Remote Protocol that lets an attacker with network access to a domain controller escalate to domain-administrator privileges without valid credentials.
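As an added illustration (not code from the advisory, the FBI, CISA, or this article), the following Python snippet triages Windows Security events for the footprint left by the public Zerologon exploit tools, which reset a domain controller's machine-account password over an unauthenticated Netlogon channel. It assumes the commonly published detection logic for that technique: Event ID 4742 ("A computer account was changed") whose subject is ANONYMOUS LOGON (SID S-1-5-7) and whose target is a machine account, with the highest severity when the changed account belongs to a domain controller. The event records, host names, and SIDs are constructed for the example.

```python
"""Added example: triage Windows Security events for signs of Zerologon
(CVE-2020-1472) exploitation. Not taken from the FBI/CISA advisory.

Assumption (public detection guidance, stated here as an assumption): the
well-known Zerologon exploit tools reset a domain controller's machine-account
password through an unauthenticated Netlogon channel, which the DC records as
Security Event ID 4742 with the subject ANONYMOUS LOGON (SID S-1-5-7) and a
target account name ending in "$".
"""
from typing import Dict, List, Optional, Tuple

ANONYMOUS_LOGON_SID = "S-1-5-7"

# Constructed sample events (not captured from any incident). Keys follow the
# EventData field names of a Security log 4742 record.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 1: DC01's own machine account changed by an anonymous caller
    {"EventID": "4742", "Computer": "DC01.corp.example",
     "SubjectUserName": "ANONYMOUS LOGON", "SubjectUserSid": "S-1-5-7",
     "TargetUserName": "DC01$", "PasswordLastSet": "2023-09-12T03:14:07Z"},
    # 2: ordinary domain join performed by an authenticated service account
    {"EventID": "4742", "Computer": "DC01.corp.example",
     "SubjectUserName": "svc-join",
     "SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
     "TargetUserName": "WS42$", "PasswordLastSet": "2023-09-12T09:30:00Z"},
    # 3: anonymous caller changed a workstation machine account
    {"EventID": "4742", "Computer": "DC02.corp.example",
     "SubjectUserName": "ANONYMOUS LOGON", "SubjectUserSid": "S-1-5-7",
     "TargetUserName": "WS42$", "PasswordLastSet": "2023-09-12T03:14:09Z"},
    # 4: unrelated anonymous network logon; not a 4742, so not scored here
    {"EventID": "4624", "Computer": "DC01.corp.example",
     "SubjectUserName": "ANONYMOUS LOGON", "SubjectUserSid": "S-1-5-7",
     "TargetUserName": "ANONYMOUS LOGON", "LogonType": "3"},
]


def score_event(event: Dict[str, str], domain_controllers: List[str]) -> Optional[str]:
    """Return "high", "medium" or None for a single event.

    high   - anonymous subject changed a domain controller's machine account
    medium - anonymous subject changed any other machine account
    None   - not a 4742, not anonymous, or target is not a machine account
    """
    if event.get("EventID") != "4742":
        return None
    anonymous = (event.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
                 or event.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON")
    target = event.get("TargetUserName", "")
    if not anonymous or not target.endswith("$"):
        return None
    # Compare the short host name of each DC against the account name sans "$".
    dc_names = {dc.split(".")[0].upper() for dc in domain_controllers}
    if target[:-1].upper() in dc_names:
        return "high"
    return "medium"


def triage(events: List[Dict[str, str]],
           domain_controllers: List[str]) -> List[Tuple[str, str, str]]:
    """Return (severity, logging host, changed account) for every scoring event."""
    hits = []
    for ev in events:
        severity = score_event(ev, domain_controllers)
        if severity:
            hits.append((severity, ev["Computer"], ev["TargetUserName"]))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS, ["DC01.corp.example", "DC02.corp.example"]):
        print(*hit)
```

Run against a real export, feed it the 4742 records from every domain controller and the list of DC host names; a "high" hit on an unpatched DC warrants treating the domain as compromised, and a "medium" hit still deserves a look because nothing legitimate changes machine accounts anonymously.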
The FBI and CISA also note that affiliates associated with the Vice Society ransomware group, tracked by Microsoft as Vanilla Tempest (formerly DEV-0832), have transitioned to deploying Rhysida ransomware payloads in their attacks. Sophos, Check Point Research, and PRODAFT observed this shift around July 2023, shortly after Rhysida began adding victims to its data leak site.
Network defenders are advised to apply the mitigations outlined in today's joint advisory to reduce the likelihood and impact of Rhysida ransomware incidents. These include prioritizing patches for vulnerabilities under active exploitation, enforcing MFA on all services, particularly webmail, VPN, and accounts that access critical systems, and using network segmentation to block lateral movement.