Rhysida Ransomware Emerges as Latest RaaS Threat Group (Q2-3 2023)
Rhysida is a new ransomware-as-a-service group that uses phishing and the Cobalt Strike command-and-control framework to gain access to victim networks and deploy ransomware.
The Rhysida ransomware group is the latest threat group to target victims worldwide and publish stolen files online, the Health Sector Cybersecurity Coordination Center (HC3) warned in a threat brief.
The ransomware-as-a-service (RaaS) group emerged in May 2023, using phishing attacks and other tactics to gain network access and drop malicious payloads. Rhysida is still in the early stages of development but has already launched attacks across Western Europe, Australia, and North and South America.
Rhysida operates a victim support chat portal and displays its victim count and current auctions on its TOR page. HC3 provided a detailed technical description of Rhysida’s encryption tactics and how it deploys its ransomware.
Notably, the group is known to deploy Cobalt Strike or similar command-and-control frameworks. Other threat groups like Black Basta and FIN7 use Cobalt Strike to gain network access. As previously reported, threat actors have been known to abuse legitimate tools to advance their goals and infiltrate networks.
Rhysida shows no known connections to existing ransomware groups, but it has loosely aligned itself with them by avoiding victims in former Soviet republics and Eastern bloc countries, including the Commonwealth of Independent States in Eastern Europe and Central Asia.
“They primarily attack education, government, manufacturing, and technology and managed service provider sectors; however, there have been recent attacks against the Healthcare and Public Health (HPH) sector,” HC3 noted.
As such, HC3 warned that healthcare organizations should remain vigilant and employ security measures to defend against this and other ransomware groups. Moreover, the group has added eight victims to its dark web data leak site since June 2023 alone and published five stolen files.
Given these developments, HC3 recommended that organizations employ phishing awareness training, network segmentation, and intrusion detection systems to defend against Rhysida. In addition, HC3 encouraged organizations to apply virtual patching for known vulnerabilities.
“Rhysida exploits known vulnerabilities in software to gain access to systems. Virtual patching can help by providing an immediate layer of protection against known vulnerabilities that the ransomware might exploit,” the brief stated. “This is especially important when a vendor-supplied patch is not immediately available or cannot be applied immediately due to testing requirements.”
Organizations may also want to consider immutable backups, endpoint security solutions, and the principle of least privilege.
“In only a short time, Rhysida has proven to be a significant threat to organizations worldwide. With its strong encryption techniques, double extortion tactics, and a focus on multi-sector targets (military, government, education, and manufacturing), they will likely continue to pose a significant threat to these and possibly other sectors,” the brief concluded.
“By understanding the group’s TTPs, organizations can proactively protect their systems and data. This includes patching known vulnerabilities, implementing robust security measures, and training staff to recognize and avoid phishing attempts.”