FBI and CISA Issue Warning on Growing Threat of Rhysida Ransomware

The FBI and CISA have sounded a stark alarm regarding the rising threat posed by the Rhysida ransomware syndicate, known for its opportunistic attacks targeting a broad spectrum of industries.

Emerging onto the scene in May 2023, Rhysida quickly gained notoriety following breaches of the Chilean Army and subsequent data leaks. Recent alerts from the US Department of Health and Human Services also highlight Rhysida’s involvement in targeted assaults on healthcare entities.

In their joint cybersecurity advisory, released today, crucial insights have been provided to defenders, including indicators of compromise (IOCs), detection techniques, and the tactics, techniques, and procedures (TTPs) characteristic of Rhysida, as of September 2023.

The modus operandi of Rhysida involves a ransomware-as-a-service (RaaS) model, primarily impacting education, healthcare, manufacturing, information technology, and government sectors. Notably, any ransom paid is shared between the main group and its affiliates, amplifying the enterprise’s scope and reach.

Rhysida’s infiltration tactics involve exploiting vulnerabilities in remote services, particularly targeting organizations without default Multi-Factor Authentication (MFA) across their environments.

Exploiting Zerologon, a critical vulnerability in Microsoft’s Netlogon Remote Protocol, has also been observed, facilitating Windows privilege escalation.

Additionally, the transition of affiliates associated with the Vice Society ransomware group to Rhysida payloads adds complexity and sophistication to their attacks. Noted security research groups have identified this transition around July 2023, coinciding with Rhysida’s initiation of victim inclusion on its data leak platform.

To defend against Rhysida and similar threats, network defenders are strongly advised to implement the mitigation strategies outlined in the advisory. This includes immediate patching of actively exploited vulnerabilities, implementing MFA across all services, especially for critical accounts, and deploying network segmentation to impede lateral movement within networks—an essential arsenal in the battle against evolving ransomware tactics.

Defending against potential threats to Google Workspace and the Cloud Platform mandates vigilance. Implementing robust access controls, bolstered by stringent authentication practices such as regular password rotations and enabling multi-factor authentication (MFA), serves as an initial defense.

Employing network segmentation, continuous monitoring, and regular security audits help fortify resilience against potential breaches. Additionally, staying updated with security patches and ensuring employee awareness through comprehensive training programs mitigates the risk posed by evolving attack methods.