Rhysida Ransomware Group Claims Attack on China Energy Engineering Corporation
November 25, 2023
The Rhysida ransomware group has announced a cyberattack on the China Energy Engineering Corporation (CEEC), a prominent state-owned energy company in China. The company has a significant presence in the energy and infrastructure sectors, participating in the development and construction of a variety of energy projects. These projects span coal, hydropower, nuclear, and renewable energy initiatives, both domestically and internationally.
The ransomware group has claimed to have exfiltrated a significant amount of 'impressive data' and is currently auctioning it for 50 Bitcoin (BTC). The data is intended to be sold to a single buyer, with the group planning to publicly release the data over the seven days following the announcement.
Recently, the British Library was added to the Rhysida ransomware group's list of victims on its Tor leak site. In response to these attacks, the FBI and CISA issued a joint Cybersecurity Advisory (CSA) to caution about Rhysida ransomware attacks. This advisory is a part of the ongoing #StopRansomware initiative, which provides information about the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with ransomware groups. The advisory includes IOCs and TTPs identified through investigations conducted as recently as September 2023.
The Rhysida ransomware group has been operational since May 2023. According to the group’s Tor leak site, at least 62 companies have fallen victim to their operations. The group has targeted organizations across various industries, including education, healthcare, manufacturing, information technology, and government. The group's victims are classified as 'targets of opportunity.'
The joint advisory states, 'Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society (DEV-0832)[1] activity and the actors observed deploying Rhysida ransomware.' Furthermore, it was noted that Rhysida actors operate in a ransomware-as-a-service (RaaS) model, renting out ransomware tools and infrastructure in a profit-sharing arrangement. Any ransoms paid are then divided between the group and its affiliates.
Rhysida actors exploit external-facing remote services such as VPNs and RDP to gain initial access to the target network and to maintain persistence, using compromised credentials to authenticate to internal VPN access points. The advisory also notes that the threat actors have exploited Zerologon (CVE-2020-1472), a vulnerability in Microsoft’s Netlogon Remote Protocol, in their phishing attempts. They also rely on living-off-the-land techniques, using built-in network administration tools to carry out malicious operations.
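As an added example for defenders (not code from the article or the advisory), the following checks a batch of Windows event records for the pattern a Zerologon (CVE-2020-1472) machine-account reset leaves behind, while ignoring a computer account's routine rotation of its own password. The event records are constructed for this example; the event IDs 4742 (computer account changed) and 5829 (vulnerable Netlogon secure channel allowed) are real Windows IDs, and the ANONYMOUS LOGON subject is the commonly cited 4742 indicator.

```python
"""Flag Windows events consistent with Zerologon (CVE-2020-1472) abuse.

A successful Zerologon exploit resets a domain controller's machine-account
password over Netlogon from an unauthenticated session. On the DC this shows
up as Security event 4742 whose Subject is ANONYMOUS LOGON. Patched DCs also
log System event 5829 when they still allow a vulnerable Netlogon connection.
"""
from typing import Iterable

# Constructed sample events (already parsed into dicts; no real hosts).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "Computer": "DC01"},
    # Machine-account change attributed to an anonymous session: Zerologon pattern.
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "Computer": "DC01"},
    # Routine rotation: the computer account changes its own password (benign).
    {"EventID": 4742, "SubjectUserName": "DC01$",
     "TargetUserName": "DC01$", "Computer": "DC01"},
    # Patched DC still allowing a vulnerable secure channel from a client.
    {"EventID": 5829, "Computer": "DC01", "MachineAccount": "WKS07$"},
    # Admin/service account modifying a workstation account (benign here).
    {"EventID": 4742, "SubjectUserName": "svc_join",
     "TargetUserName": "WKS12$", "Computer": "DC01"},
]


def zerologon_indicators(events: Iterable[dict]) -> list[str]:
    """Return one finding string per event matching a Zerologon indicator."""
    findings = []
    for e in events:
        eid = e.get("EventID")
        subject = (e.get("SubjectUserName") or "").upper()
        target = e.get("TargetUserName", "")
        host = e.get("Computer", "?")
        # Computer accounts end in '$'; an anonymous subject changing one is
        # never expected during normal operation.
        if eid == 4742 and subject == "ANONYMOUS LOGON" and target.endswith("$"):
            findings.append(f"HIGH: {target} changed by ANONYMOUS LOGON on {host}")
        elif eid == 5829:
            findings.append(
                f"MEDIUM: vulnerable Netlogon channel allowed for "
                f"{e.get('MachineAccount')} on {host}")
    return findings


if __name__ == "__main__":
    for line in zerologon_indicators(SAMPLE_EVENTS):
        print(line)
```

The 5829 hit is not proof of exploitation but identifies clients still negotiating insecure Netlogon channels, which is where patch enforcement should be checked.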