November 15, 2023 at 12:51PM
The FBI and CISA issued a warning about the Rhysida ransomware gang, which has been targeting organizations across various sectors. Rhysida gained notoriety after breaching the Chilean Army and targeting healthcare organizations. The advisory provides indicators of compromise and tactics used by Rhysida. The gang utilizes ransomware-as-a-service (RaaS) and exploits vulnerabilities like Zerologon. Affiliates of the Vice Society ransomware group have also transitioned to using Rhysida payloads. Network defenders are advised to apply mitigations, including patching vulnerabilities and enabling multi-factor authentication.
Key takeaways from the meeting notes:
1. The Rhysida ransomware gang is actively targeting organizations across various industries.
2. The gang gained notoriety after breaching the Chilean Army and leaking stolen data.
3. The US Department of Health and Human Services has also warned about recent assaults on healthcare organizations.
4. The joint cybersecurity advisory provides defenders with indicators of compromise, detection information, and tactics used by Rhysida.
5. Rhysida ransomware affects education, healthcare, manufacturing, information technology, and government sectors.
6. The ransomware operates on a ransomware-as-a-service (RaaS) model where the group and affiliates share the ransom payments.
7. Rhysida attackers exploit vulnerabilities like stolen credentials, lack of Multi-Factor Authentication (MFA), and Zerologon (CVE-2020-1472) for Windows privilege escalation.
8. Affiliates associated with the Vice Society ransomware group have transitioned to using Rhysida ransomware payloads.
9. Various research sources have noted the shift towards Rhysida ransomware since July 2023.
10. Network defenders are advised to apply mitigations outlined in the joint advisory, including patching vulnerabilities, enabling MFA, and using network segmentation for security.