FBI And CISA Warn Of Rhysida Ransomware Threat
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning against the Rhysida ransomware threat. As per the FBI and CISA warning, it has been noted that threat actors are launching attacks targeting organizations spread across varying industries.
Today, we’ll share with you all the threat intelligence on Rhysida to ensure that you’re well-equipped to protect your organization.
Rhysida Ransomware Threat Intelligence Reports
Research conducted by Kaspersky has revealed that Rhysida threat actors use an info stealer malware called Lumar to carry out ransomware attacks. The info stealer is capable of extracting different types of data, which may include:
- Telegram sessions.
- Desktop files.
Cybersecurity threat intelligence reports also reveal that the malware, written in C++, is capable of evading detection even on the latest operating systems such as Windows 11. It’s worth noting that Rhysida can encrypt Active Directory environments, allowing attackers to demand a ransom for decryption.
Further research from Forta has revealed that the Rhysida team was actively targeting healthcare companies. The potential damage from falling prey to Rhysida is highly severe. As such, adhering to cybersecurity best practices has become a necessity for organizations regardless of their industry.
FBI-CISA Joint Warning
The joint ransomware alert states that the group has expanded its targets in recent months. An excerpt from the advisory reads: “Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors, and any ransom paid is split between the group and affiliates.”
In addition, reports describe the group as one that engages in opportunistic attacks. These threat actors are known for leveraging living-off-the-land (LotL) techniques to breach targets, establish virtual private network (VPN) access, and conduct lateral movement to extend their reach inside the victim’s network.
Those exposed to such threats must understand that the purpose of this approach is to blend in with legitimate network and Windows system activity. By blending in, threat actors make it far harder for incident response teams to detect them.
Rhysida Ransomware Advisory – Attack Details
Rhysida attacks first surfaced in May 2023. These threat actors are believed to gain network access through external-facing remote services such as VPNs, the Zerologon vulnerability (CVE-2020-1472), and phishing campaigns.
After gaining access to an organization’s network and data, Rhysida uses a double extortion technique: victims either pay the ransom or face the threat of the stolen data being published.
The threat actor is suspected to have overlaps with another ransomware group, Vice Society, given the similarities in targeting and attack tactics. Prior to developing ransomware defense strategies, security professionals must know what sets Rhysida apart.
The ransomware group operates like an IT company with a structured employee base. In addition, these threat actors follow strict guidelines to conceal their operations and conduct them over the Tor network.
The FBI and CISA have issued an alert pertaining to a ransomware group called Rhysida that’s targeting organizations across varying sectors. The group is known for exploiting CVE-2020-1472, utilizing phishing techniques, and employing double extortion.
Given the severity of the attack and its damages, protecting against ransomware and learning how to recover from it are both essential for businesses looking to improve their security posture and safeguard their network.