FBI And CISA Warn Of Rhysida Ransomware Threat

Wajahat Raja

November 27, 2023 - TuxCare expert team

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint warning about the Rhysida ransomware threat. According to the advisory, Rhysida threat actors are launching attacks against organizations across a wide range of industries.

Today, we’ll share the available threat intelligence on Rhysida so that you are well-equipped to protect your organization.


Rhysida Ransomware Threat Intelligence Reports

Research conducted by Kaspersky has revealed that Rhysida threat actors use an information stealer called Lumar in their ransomware operations. The info stealer can extract several types of data, including:

  • Passwords.
  • Cookies.
  • Telegram sessions.
  • Desktop files.
  • Cryptocurrency. 

Cybersecurity threat intelligence reports also reveal that the malware, written in C++, is capable of evading detection even on the latest operating systems such as Windows 11. It’s worth noting that Rhysida can encrypt Active Directory environments, allowing attackers to demand a ransom for decryption.

Further research from Fortra has revealed that the Rhysida team was actively targeting healthcare companies. The potential damage from falling prey to Rhysida is severe. Accordingly, adhering to cybersecurity best practices has become a necessity for organizations regardless of their industry.

FBI-CISA Joint Warning

The FBI-CISA ransomware attacks alert states that the group has expanded its targets in recent months. An excerpt from the advisory report reads: “Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors, and any ransom paid is split between the group and affiliates.”

In addition, reports describe the group as one that engages in opportunistic attacks. These threat actors are known for leveraging living-off-the-land (LotL) techniques to breach targets, establish virtual private network (VPN) access, and conduct lateral movement to expand their foothold in the victim’s network.

Those exposed to such threats must understand that the idea behind this approach is to blend in with legitimate network and Windows system activity. Once blended in, the threat actors are far harder for cybersecurity incident response teams to detect.

Rhysida Ransomware Advisory – Attack Details

Rhysida attacks first surfaced in May 2023. These threat actors are believed to leverage external-facing remote services such as VPNs, the Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain access to the network.
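As an added defender-side example, not taken from the advisory or this article, the following Python flags domain-controller log events associated with CVE-2020-1472: the Netlogon event IDs Microsoft documents for Zerologon enforcement (5827 and 5828 for denied vulnerable connections, 5829 for an allowed one) and a computer-account password reset performed by ANONYMOUS LOGON (Security event 4742), a commonly cited side effect of exploitation. The key=value line format and the sample events are constructed assumptions, not real telemetry.

```python
import re
from dataclasses import dataclass

# Constructed sample events, assumed to be exported from a domain controller's
# System (Netlogon) and Security logs in a simple "key=value" line format.
SAMPLE_EVENTS = [
    "EventID=5829 Source=Netlogon Computer=DC01 Account=WS42$ ClientIP=10.0.5.17",
    "EventID=5827 Source=Netlogon Computer=DC01 Account=WS42$ ClientIP=10.0.5.17",
    "EventID=4742 Source=Security Computer=DC01 TargetAccount=DC01$ Subject=ANONYMOUS LOGON",
    "EventID=4742 Source=Security Computer=DC01 TargetAccount=WS07$ Subject=WS07$",
    "EventID=4624 Source=Security Computer=DC01 Account=jdoe LogonType=3",
]

# Netlogon event IDs Microsoft documents for CVE-2020-1472 enforcement mode:
# 5827/5828 = vulnerable secure channel denied, 5829 = vulnerable secure channel allowed.
NETLOGON_DENIED = {"5827", "5828"}
NETLOGON_ALLOWED = {"5829"}


def parse_event(line: str) -> dict:
    """Turn 'key=value key=value' into a dict; values may contain spaces."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", line)}


@dataclass
class Finding:
    severity: str
    reason: str
    event: dict


def zerologon_findings(lines):
    """Return one Finding per event that matches a Zerologon-related pattern."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid in NETLOGON_ALLOWED:
            findings.append(Finding("high", "vulnerable Netlogon secure channel allowed (5829)", ev))
        elif eid in NETLOGON_DENIED:
            findings.append(Finding("medium", f"vulnerable Netlogon connection denied ({eid})", ev))
        elif eid == "4742" and ev.get("Subject", "").upper() == "ANONYMOUS LOGON":
            # A machine-account password reset attributed to ANONYMOUS LOGON is the
            # observable side effect of a successful Zerologon exploit against a DC.
            findings.append(Finding("critical", "computer account password reset by ANONYMOUS LOGON", ev))
    return findings


if __name__ == "__main__":
    for f in zerologon_findings(SAMPLE_EVENTS):
        print(f.severity.upper(), f.reason, f.event)
```

The 5827/5828 events are the expected result of enforcement mode rejecting a vulnerable client, so they are worth triaging for the source host but are not by themselves evidence of compromise.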

After gaining access to an organization’s network and data, Rhysida uses a double extortion technique: victims either pay the ransom or face the threat of the stolen data being published.

The threat actor is suspected of overlapping with another ransomware group, Vice Society, given the similarities in targeting and attack tactics. Before developing ransomware defense strategies, security professionals must know what sets Rhysida apart.

The ransomware group operates like an IT company with a structured employee base. In addition, these threat actors follow strict guidelines to conceal their operations, which they conduct over the Tor network.


The FBI and CISA have issued an alert pertaining to a ransomware group called Rhysida that’s targeting organizations across varying sectors. The group is known for exploiting CVE-2020-1472, utilizing phishing techniques, and employing double extortion.

Given the severity of these attacks and the damage they cause, protecting against ransomware and learning how to recover from it are both essential for businesses looking to improve their security posture and safeguard their networks.

The sources for this piece include articles in The Hacker News and Cybersecurity Insiders.
