The FBI and CISA have issued an advisory warning of the Rhysida ransomware gang's opportunistic attacks on organizations across multiple sectors. Rhysida, a ransomware operation that emerged in May 2023, quickly became notorious after it breached the Chilean Army and leaked stolen data on the internet. The US Department of Health and Human Services also recently warned that the Rhysida gang was behind recent attacks on healthcare organizations.
Today's joint cybersecurity advisory provides defenders with indicators of compromise, detection information, and details of Rhysida's tactics, techniques, and procedures discovered during investigations as of September 2023. The agencies noted, "Threat actors leveraging Rhysida ransomware are known to impact 'targets of opportunity,' including victims in the education, healthcare, manufacturing, information technology, and government sectors." Rhysida operates under a ransomware-as-a-service model: its affiliates compromise organizations across various sectors, and any ransom paid is split between the core group and the affiliate.
Rhysida attackers have been found to break into externally exposed remote services such as VPNs using stolen credentials, both to gain initial access and to maintain a presence within victims' networks. This has succeeded against organizations that have not enabled multi-factor authentication (MFA) across their environment. Additionally, Rhysida actors are known to use phishing and to exploit Zerologon (CVE-2020-1472), a critical privilege-escalation vulnerability in Microsoft's Netlogon Remote Protocol that lets an attacker take control of a Windows domain controller.
The FBI and CISA also note that affiliates associated with the Vice Society ransomware group, tracked by Microsoft as Vanilla Tempest or DEV-0832, have transitioned to using Rhysida ransomware payloads during their attacks. This shift was observed by Sophos, Check Point Research, and PRODAFT research around July 2023, shortly after Rhysida began adding victims to its data leak website.
Network defenders are advised to apply the mitigations outlined in today's joint advisory to reduce the likelihood and severity of Rhysida ransomware incidents. These include prioritizing patches for vulnerabilities under active exploitation, enabling MFA across all services (particularly webmail, VPN, and accounts with access to critical systems), and using network segmentation to block lateral movement.