Rhysida attacks Kuwait Ministry of Finance

The Rhysida ransomware gang has attacked the Kuwait Ministry of Finance. The Kuwait Ministry of Finance is a government department in the State of Kuwait responsible for overseeing and managing the country's financial and economic affairs. Rhysida posted the Kysida uwait Ministry of Finance to its data leak site on September 26th, demanding a $370,000 ransom by October 2nd for the safe return of stolen data. Rhysida is a RaaS that was first observed on May 17, 2023, Rhysida has been observed deploying Cobalt Strike or similar command-and-control frameworks and abusing PSExec for lateral movement, dropping PowerShell scripts, and for payload delivery. They engage in data exfiltration for double extortion and maintain both a leaks site and a victim support portal on TOR. They are thought to be responsible for attacks against the Chilean military and more recently against Prospect Medical Holdings which impacted services at hundreds of clinics and hospitals across the US.‍ Rhysida has been steadily increasing their attack volume and continuing to expand the targeted industries, but volume is modest compared to leaders. Rhysida appears to be opportunistic attackers with a similar victimology as Vice Society.‍ IT remains unclear how much Rhysida operators typically demand for a ransom payment at this time. Rhysida appears to have a fairly advanced RaaS offering, with capabilities that include advanced evasion techniques that can bypass antivirus protection, the wiping of Volume Shadow Copies (VSS) to prevent rollback of the encryption, and the ability to modify Remote Desktop Protocol (RDP) configuration. Rhysida employs 4096-bit RSA key and AES-CTR for file encryption.‍ Rhysida does not appear to be targeting Linux systems, maintaining a focus on Windows targets. TTPs are similar to those of Vice Society, which has been less active as Rhysida has emerged. Rhysida has been observed targeting the healthcare, education, government, manufacturing, and tech industries.‍ Rhysida operators purport to be a “cybersecurity team” conducting unauthorized “penetration testing” to ostensibly “help” victim organizations identify potential security issues and secure their networks. The subsequent ransom demand is viewed as “payment” for their services.