Ransomware has been a growing problem across the world. With new technology and evolving techniques, ransomware variants are getting harder to stop. The newest addition to this problem is the Rhysida ransomware.
The Rhysida ransomware has made a name for itself after a string of attacks against healthcare organizations. Coming onto the scene in May 2023, the Rhysida ransomware has gained more traction.
Some of the noted victims of the ransomware group so far include the Chilean Army. On the 29th of May, the army shared that its systems were disrupted by a breach. Rhysida then published around 360,000 Chilean Army documents. According to the group, that only made up 30% of the loot.
Prospect Medical Holdings was also the victim of the Rhysida ransomware in early August. The attack affected 16 hospitals and 166 other medical facilities across the United States. This cyber-attack was deemed the largest one on a US hospital system since last year.
What Is the Rhysida Ransomware?
On the 4th of August 2023, the Health Sector Cybersecurity Coordination Center (HC3) released a security alert about the Rhysida ransomware. It was detected as Ransom.PS1.RHYSIDA.SM. According to the alert, the Rhysida Group emerged in May on the dark web with a victim support chat portal.
The Ransomware-as-a-Service gang presents itself as a “cybersecurity team” offering to assist victims in finding security weaknesses within their networks and system. Emerging at the end of May 2023, it quickly marked its way up the ladder.
Since June 2023, the ransomware group has 8 victims listed on its data leak website. The security alert described Rhysida as “a 64-bit Portable Executable (PE) Windows cryptographic ransomware application compiled using MINGW/GCC.” In each sample analyzed, the application’s program name is set to Rhysida-0.1 which suggests that the tool is in the early stages of development. A notable characteristic of the tool is its plain-text strings revealing registry modification commands.
Some of the techniques, tactics, and tools (TTPs) used by the Rhysida ransomware have been compared to those of Vice Society. Security experts noted striking similarities between the two ransomware groups that suggest that Vice Society may have adopted Rhysida as one of its preferred ransomware payloads.
The similarities include the use of remote desktop protocol (RDP) connections, remote PowerShell sessions (WinRM), and the use of tools like PsExec for lateral movement. The interest in education and healthcare sectors also adds to this theory.
Who Does Rhysida Target?
The HH3 security alert signaled that the Rhysida ransomware has victims distributed throughout several countries across Western Europe, North and South America, and Australia. The majority of the victims so far have been based in the US, the UK, Italy, Spain, and Austria.
The group is said to primarily attack education, government, manufacturing, technology, and managed service provider sectors. However, there have been recent attacks against the Healthcare and Public Health (HPH) sectors as well.
While most ransomware groups steer clear of hospitals and healthcare facilities, the Rhysida ransomware group does not seem swayed by the same moral conflict.
How Does Rhysida Work?
The Rhysida ransomware is deployed in multiple ways. The group is known to rely on phishing attacks and Cobalt Strike to breach networks and deploy their payloads. Cobalt strike is a penetration testing tool often used by hackers for its advanced exploitation capabilities. After the Rhysida ransomware enters the victim’s machine through the phishing lures, Cobalt Strike is used for lateral movement within the system.
The telemetry by security experts has also shown that the threat actors execute PsExec to deploy PowerShell scripts and the Rhysida ransomware payload itself. Bleeping Computer reported that the PowerShell scripts used by Rhysida operators terminate antivirus processes, delete shadow copies, modify Remote Desktop Protocol configurations, and change the active directory (AD) password.
While a ransomware encryptor usually handles these tasks, the Rhysida ransomware uses external scripts to achieve the same purposes. This all indicates the locker's active development.
Another report also confirms that the most recent Rhysida locker uses a 4096-bit RSA key with the ChaCha20 algorithm for file encryption and now excludes several directories. When the Rhysida ransomware runs, security experts noticed an output from the command line which scans the files, runs the “file_to_crypt” function, and if successful, changes the file extension to “.rhysida”.
The attack methods are not specific to any organization which means that any sector could be a potential target.
After successful encryption, the ransomware leaves behind a PDF ransom note instructing the victims to contact the group via their portal and pay in Bitcoin. The use of PDF notes also shows that the group is not targeting command-line operating systems used on network devices or servers.
Sourced from Bleeping Computer
The Rhysida group threatens to expose the stolen data if the ransom isn’t paid. This means that they can be categorized as a double-extortion ransomware group.
How to Protect from Rhysida Ransomware
Companies and individuals alike need to invest in better cybersecurity measures, practices, and education to keep safe in a time of complex and rapidly evolving ransomware.
Some of the steps provided by the HH3 security alert for the Rhysida ransomware included:
- Virtual Patching – This ensures an additional layer of protection against any software vulnerabilities - which the Rhysida ransomware is known to exploit.
- Cyber Hygiene Training – Your employees are your greatest asset and they should be prepared and practice good cyber hygiene to ensure a secure network at all times.
- Endpoint Security – Advanced endpoint security will prevent, fight, and eliminate any cyber threats attempting to enter your network. Sangfor’s Endpoint Secure platform provides a holistic response to malware infections and APT breaches. It’s also easy to manage, offers end-to-end protection, and can be tailored to your needs.
- Backups – A company can ensure data safety by investing in reliable data backup solutions. Sangfor’s disaster recovery solutions offer the best backup and optimized infrastructure platforms.
- Network and Access Segmentation – This is the limiting of access and workloads across the network which prevents the spread of ransomware once under attack.
- Firewalls – The use of a good firewall will ensure your network’s safety by detecting and mitigating potential threats before they cause damage. Sangfor’s Next-Generation Firewall is designed to inspect network and application traffic for threats, secure the network environment from intrusion, and bring in security intelligence from outside the network.
A few more tips that one can use to maintain their cyber resilience are:
- Updating software regularly.
- Avoid suspicious email links, pop-up ads, and sketchy websites.
- Ensuring that downloaded files are in the correct format and have the right extensions.
- Not paying any ransom amounts to the criminals.
- Maintaining the best cybersecurity measures available.
Sangfor Technologies is a world-class cybersecurity and cloud computing company that offers intensive and advanced Anti-Ransomware prevention and state-of-the-art IT infrastructure.
Sangfor provides complete and holistic cybersecurity solutions for your company that will protect you from ransomware attacks.