November 16, 2023 at 08:12AM
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and MS-ISAC have issued an advisory about the Rhysida ransomware. The threat actors behind Rhysida use a ransomware-as-a-service model and target organizations in various sectors. They exploit VPNs, the Zerologon vulnerability, and phishing campaigns to gain access to networks. Rhysida uses the tactic of double extortion and has overlaps with a ransomware crew called Vice Society. The group blends in with legitimate Windows systems and network activities to evade detection.
Key Takeaways from the Meeting Notes:
1. The Rhysida ransomware group engages in opportunistic attacks across various industries, including education, manufacturing, information technology, and government sectors.
2. They operate on a ransomware-as-a-service (RaaS) model, where ransom payments are split between the group and affiliates.
3. Rhysida actors gain initial access and persistence within a network by leveraging external-facing remote services, such as virtual private networks (VPNs), Zerologon vulnerability (CVE-2020-1472), and phishing campaigns.
4. Rhysida uses the double extortion tactic, demanding ransom payment and threatening to publish exfiltrated data if the ransom is not paid.
5. There are overlaps between Rhysida and Vice Society ransomware crews, including similar targeting patterns and the use of specific tools.
6. Malwarebytes statistics show that Rhysida has claimed five victims in October 2023, lagging behind other ransomware groups like LockBit, NoEscape, PLAY, ALPHV/BlackCat, and 8BASE.
7. The group employs living-off-the-land (LotL) techniques to facilitate lateral movement and establish VPN access, aiming to blend in with legitimate Windows systems and network activities.
8. Previous research from Sophos suggests that Vice Society switched to deploying Rhysida in June 2023.
9. The BlackCat ransomware Gang is currently targeting corporations and public entities using Google ads infected with Nitrogen malware.
10. Other examples of ransomware-associated initial access malware leveraging browser-based attacks include GootLoader, SocGholish, BATLOADER, and Nitrogen.
11. The ransomware landscape is constantly evolving, with new groups emerging this year. Some of them may cross-pollinate with older groups, sharing proprietary resources like code and tools.
12. Follow the social media accounts of the company for more exclusive content.