FBI and CISA Issue Joint Security Advisory on Rhysida Ransomware Operations


November 20, 2023

World map

“Rhysida actors have been observed leveraging external-facing remote services to initially access and persist within a network. Remote services, such as virtual private networks (VPNs), allow users to connect to internal enterprise network resources from external locations. Rhysida actors have commonly been observed authenticating to internal VPN access points with compromised valid credentials,” the advisory states (PDF).

“Analysis identified Rhysida actors using living off the land techniques, such as creating Remote Desktop Protocol (RDP) connections for lateral movement, establishing VPN access, and utilizing PowerShell. Living off the land techniques include using native (built into the operating system) network administration tools to perform operations. This allows the actors to evade detection by blending in with normal Windows systems and network activities.”

Takeaway: Rhysida is a RaaS that was first observed in May of 2023, and they engage in data exfiltration for double extortion and maintain both a leaks site and a victim support portal on TOR.  

‍Rhysida has been observed targeting the healthcare, education, government, manufacturing, and tech industries.‍ ‍Rhysida operators purport to be a “cybersecurity team” conducting unauthorized “penetration testing” to ostensibly “help” victim organizations identify potential security issues and secure their networks. The subsequent ransom demand is viewed as “payment” for their services.  

‍Rhysida has been steadily increasing their attack volume and continuing to expand the targeted industries, but volume is modest compared to leaders. Rhysida appears to be opportunistic attackers with a similar victimology as Vice Society.‍ It remains unclear how much Rhysida operators typically demand for a ransom payment at this time.  

Rhysida appears to have a fairly advanced RaaS offering, with capabilities that include advanced evasion techniques that can bypass antivirus protection, the wiping of Volume Shadow Copies (VSS) to prevent rollback of the encryption, and the ability to modify Remote Desktop Protocol (RDP) configuration.  

The gang has been observed deploying Cobalt Strike or similar command-and-control frameworks and abusing PSExec for lateral movement, dropping PowerShell scripts, and for payload delivery.  

Rhysida employs 4096-bit RSA key and AES-CTR for file encryption. Rhysida previously maintained a focus on Windows targets, but recently added Linux variant targeting VMWare ESXi. TTPs are similar to those of Vice Society, which has been less active since Rhysida emerged.  

Notable victims of Rhysida include Pierce College at Joint Base Lewis McChord, Ejercito de Chile, Axity, Ministry of Finance Kuwait, Prince George's County Public Schools, Ayuntamiento de Arganda City Council, and Comune di Ferrara.  

Ransomware attacks can do more damage to an organization than simply impacting the bottom line, they have the potential to damage brand, increase insurance costs, force budget cuts and layoffs, negatively impact stakeholders and even put victim organizations and their CXOs and BoDs in legal jeopardy.  

The ransomware threat is very real, the problem is seemingly growing exponentially, and executive leadership at organizations are struggling with how best to deal with both preparing to defend against attacks as well as what to do to protect the organization after a successful attack.  

The only way we can counter its growth as a major industry vertical is to disincentivize the attackers. The only way to disincentivize them is to make ransomware attacks unprofitable.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.