Rhysida ransomware, a growing threat in the hacking community

April 1, 2024
Tags: Rhysida Ransomware, RaaS, Cybercriminals, Phishing

Federal law enforcement agencies have raised an alert regarding the threat of Rhysida ransomware attacks. The opportunistic nature of these operations has seen the Rhysida gang targeting organisations spanning multiple industries, leaving behind numerous compromised systems and data breaches.

The joint advisory, issued by the FBI and CISA, allows defenders to acquire crucial information, including indicators of compromise (IOCs), detection details, and the tactics, techniques, and procedures (TTPs) employed by Rhysida operators.

 

The Rhysida ransomware campaign operates primarily through a ransomware-as-a-service (RaaS) model.

The modus operandi of the Rhysida ransomware group involves a ransomware-as-a-service (RaaS) model, where they compromise organisations across education, healthcare, manufacturing, information technology, and government sectors.

Moreover, the gang splits any ransom paid evenly with its affiliates, highlighting the complex and interconnected nature of the criminal enterprise.

One alarming trend the FBI and CISA identified is the Rhysida gang’s competence at breaking into external-facing remote services. The attackers could establish initial access and persistence on a victim’s network by using stolen credentials, targeting organisations that lack Multi-Factor Authentication (MFA).

Furthermore, Rhysida malicious actors have been executing phishing attacks and leveraging the critical vulnerability known as Zerologon (CVE-2020-1472). Zerologon is a privilege escalation vulnerability in Microsoft’s Netlogon Remote Protocol, and it gives these hackers another way of breaching targeted networks.
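As an added defensive example (not part of the article or the advisory), the script below flags the Windows events that a Zerologon attempt leaves on a domain controller. It assumes a constructed key=value log export rather than a real Windows event log; the Netlogon event IDs 5827, 5828 and 5829 and the "computer account was changed" audit event 4742 are Microsoft's actual IDs, while the sample hosts, accounts and addresses are made up.

```python
"""Flag Windows Netlogon events associated with Zerologon (CVE-2020-1472).

Added example, not from the advisory: Microsoft's August 2020 Netlogon update
emits 5827/5828 when a vulnerable secure-channel connection is denied and 5829
when one is still allowed (enforcement mode not yet on). A 4742 event showing a
PasswordLastSet change on the DC's own machine account is the classic
follow-on, because the exploit resets that password. The log format here is a
constructed key=value export, not a real Windows event log.
"""
import re

# (severity, description) for the Netlogon events added by the Zerologon fix
NETLOGON_EVENTS = {
    5827: ("medium", "vulnerable Netlogon secure channel denied (machine account)"),
    5828: ("medium", "vulnerable Netlogon secure channel denied (trust account)"),
    5829: ("high", "vulnerable Netlogon secure channel ALLOWED (enforcement mode off)"),
}

# Constructed sample: ISO timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2024-03-30T09:12:01Z host=DC01 event_id=4624 account=jsmith client=10.10.5.23
2024-03-30T09:13:45Z host=DC01 event_id=5829 account=DC01$ client=10.10.5.23
2024-03-30T09:13:46Z host=DC01 event_id=4742 account=DC01$ field=PasswordLastSet
2024-03-30T09:14:10Z host=DC01 event_id=5827 account=WS-0042$ client=10.10.5.23
2024-03-30T09:20:00Z host=DC01 event_id=4742 account=WS-0042$ field=Description
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line):
    """Parse one constructed log line into a dict; return None for unusable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        event[key] = value
    event["ts"] = m.group("ts")
    try:
        event["event_id"] = int(event.get("event_id", ""))
    except ValueError:
        return None
    return event


def analyse(log_text):
    """Return a list of findings (ts, severity, event_id, account, reason)."""
    findings = []
    # Hosts on which a vulnerable connection was allowed (5829): a later
    # machine-account password change on that DC is far more suspicious.
    allowed_vulnerable_hosts = set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        eid = ev["event_id"]
        host = ev.get("host", "")
        account = ev.get("account", "")
        if eid in NETLOGON_EVENTS:
            severity, reason = NETLOGON_EVENTS[eid]
            if eid == 5829:
                allowed_vulnerable_hosts.add(host.upper())
            findings.append({"ts": ev["ts"], "severity": severity, "event_id": eid,
                             "account": account, "reason": reason})
        elif (eid == 4742 and ev.get("field") == "PasswordLastSet"
              and account.upper() == host.upper() + "$"):
            # Machine passwords also rotate legitimately (about every 30 days),
            # so only a change correlated with a prior 5829 is rated critical.
            correlated = host.upper() in allowed_vulnerable_hosts
            findings.append({
                "ts": ev["ts"],
                "severity": "critical" if correlated else "medium",
                "event_id": eid,
                "account": account,
                "reason": "DC machine-account password changed"
                          + (" after a vulnerable Netlogon connection was allowed" if correlated else ""),
            })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['ts']} [{f['severity']:8}] {f['event_id']} {f['account']}: {f['reason']}")
```

Run as-is it reports the allowed vulnerable connection, the correlated machine-account password reset and the denied attempt, and ignores the ordinary logon and the unrelated description change. On a patched domain with enforcement mode on, 5829 should never appear; its presence is itself a finding worth chasing.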

The advisory also linked the Rhysida group to the Vice Society ransomware group, also known as Vanilla Tempest or DEV-0832. This connection became apparent after the latter group started employing Rhysida ransomware payloads in their attacks.

Network defenders should implement the mitigations outlined in the joint advisory to address these escalating threats. These measures include promptly patching actively exploited vulnerabilities, enforcing MFA across all services (especially webmail, VPN, and critical system accounts), and using network segmentation to limit lateral movement.

As Rhysida ransomware continues to evolve and target organisations across various sectors, the collaboration between law enforcement agencies, cybersecurity experts, and businesses should also keep up. Staying vigilant and implementing robust cybersecurity measures is crucial in the ongoing battle against these opportunistic cybercriminal groups.
