Verticals Targeted: Education, Government, Manufacturing, Technology, Healthcare, Various
- New Rhysida activity has prompted the release of a joint cybersecurity advisory providing additional details on the ransomware group’s TTPs and operations.
- Rhysida appears to target opportunistically and has begun evolving tactics, using a double extortion tactic.
- Rhysida threat actors have also been observed leveraging Zerologon (CVE-2020-1472).
What is Rhysida?
Earlier this year, we reported on Rhysida ransomware targeting the healthcare vertical. Rhysida, active in the wild since at least May 2023, is operated as ransomware as a service (RaaS). The payload is a Windows 64-bit PE or COFF binary compiled with MinGW via the GNU Compiler Collection (GCC). Rhysida uses a 4096-bit RSA key together with ChaCha20 for file encryption and appends the .rhysida extension to encrypted files.
Rhysida has previously targeted entities in the education, government, manufacturing, and technology verticals and was observed targeting the healthcare vertical in August. That activity prompted the HHS Health Sector Cybersecurity Coordination Center (HC3) to issue a security alert at the time.
Rhysida appears to target opportunistically and has evolved its tactics, adopting double extortion: data is exfiltrated before encryption and the actors threaten to publish it if the ransom is not paid. New Rhysida activity has prompted the release of a joint cybersecurity advisory with contributions from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
For initial access and persistence, the Rhysida threat actors leverage external-facing remote services, such as VPNs. They obtain access using compromised but valid credentials, taking advantage of accounts and connections that do not require multi-factor authentication (MFA) for login. Rhysida threat actors have also been observed exploiting Zerologon (CVE-2020-1472), a critical elevation-of-privilege vulnerability in Microsoft's Netlogon Remote Protocol that allows an attacker with network access to an unpatched domain controller to obtain domain administrator privileges. They are also known to engage in phishing.
The advisory states that Rhysida threat actors rely on living-off-the-land techniques to evade detection: creating Remote Desktop Protocol (RDP) connections for lateral movement, establishing VPN access, and running PowerShell. Rhysida threat actors have been observed using ipconfig, whoami, nltest, and net commands to gather domain information and enumerate victim environments.
Rhysida threat actors use a combination of both legitimate and malicious tools, including cmd.exe, PowerShell.exe, PsExec.exe, mstsc.exe, PuTTY.exe, PortStarter, secretsdump, ntdsutil.exe, AnyDesk, wevtutil.exe, and PowerView.
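Individually, most of the commands and tools listed above are ordinary on an enterprise network, so detecting this tradecraft is a correlation problem rather than a single-indicator one. The following Python is an added example written for this page, not PolySwarm's code or anything from the advisory. It scores process-creation records per host against the advisory's tool list and flags a host either on a single severe hit (credential dumping with ntdsutil or secretsdump, event-log clearing with wevtutil) or on enough accumulated weight across at least two technique categories. The record schema (`time`, `host`, `user`, `cmdline`), the weights, the threshold, and the sample telemetry are all assumptions constructed here.

```python
"""Per-host correlation of the Rhysida-associated commands and tools named in the
advisory: discovery (ipconfig, whoami, nltest, net), credential access (ntdsutil,
secretsdump), log clearing (wevtutil), lateral movement (PsExec) and remote access
(mstsc, PuTTY, AnyDesk). Added example, not PolySwarm's or the advisory's code.
Input schema, rule weights and threshold are assumptions made here."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass, field

# (technique, weight, pattern over the full command line). Weights are an assumption:
# discovery commands are common admin noise and score low; credential theft and
# event-log clearing are rarely legitimate and are treated as severe on their own.
RULES = [
    ("discovery", 1, re.compile(r"(?i)(^|[\\\s])(ipconfig|whoami|nltest)(\.exe)?\b")),
    ("discovery", 1, re.compile(r"(?i)(^|[\\\s])net1?(\.exe)?\s+(group|user|localgroup|view|accounts)\b")),
    ("credential_access", 4, re.compile(r"(?i)ntdsutil(\.exe)?.*(ac\s+i\s+ntds|activate\s+instance\s+ntds|\bifm\b)")),
    ("credential_access", 4, re.compile(r"(?i)\bsecretsdump(\.py)?\b")),
    ("defense_evasion", 3, re.compile(r"(?i)(^|[\\\s])wevtutil(\.exe)?\s+(cl|clear-log)\b")),
    ("lateral_movement", 2, re.compile(r"(?i)(^|[\\\s])psexec(64)?(\.exe)?\b")),
    ("remote_access", 2, re.compile(r"(?i)(^|[\\\s])(anydesk|putty|mstsc)(\.exe)?\b")),
]
SEVERE = {"credential_access", "defense_evasion"}  # one hit is enough to flag a host
THRESHOLD = 6  # otherwise require this much weight across >= 2 technique categories


@dataclass
class HostFindings:
    score: int = 0
    techniques: set = field(default_factory=set)
    hits: list = field(default_factory=list)  # (time, technique, cmdline)


def classify(cmdline):
    """All (technique, weight) pairs whose pattern matches one command line."""
    return [(tech, w) for tech, w, rx in RULES if rx.search(cmdline)]


def triage(lines, threshold=THRESHOLD):
    """Parse JSON-lines process-creation records and correlate hits per host.
    Returns (findings for every host with at least one hit, flagged subset)."""
    per_host = defaultdict(HostFindings)
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for tech, weight in classify(ev["cmdline"]):
            f = per_host[ev["host"]]
            f.score += weight
            f.techniques.add(tech)
            f.hits.append((ev["time"], tech, ev["cmdline"]))
    flagged = {
        h: f for h, f in per_host.items()
        if (f.techniques & SEVERE) or (f.score >= threshold and len(f.techniques) >= 2)
    }
    return dict(per_host), flagged


# Constructed sample telemetry (Sysmon EID 1 / 4688-style, reduced to the fields used).
# WS-0142 shows the discovery -> PsExec -> log-clearing chain, DC01 an NTDS dump,
# WS-0077 a help-desk user running two harmless discovery commands.
SAMPLE_LOG = r"""
{"time":"2023-11-15T02:01:10Z","host":"WS-0142","user":"CORP\\jdoe","cmdline":"C:\\Windows\\System32\\ipconfig.exe /all"}
{"time":"2023-11-15T02:01:14Z","host":"WS-0142","user":"CORP\\jdoe","cmdline":"whoami /all"}
{"time":"2023-11-15T02:02:03Z","host":"WS-0142","user":"CORP\\jdoe","cmdline":"nltest /dclist:corp.example"}
{"time":"2023-11-15T02:02:40Z","host":"WS-0142","user":"CORP\\jdoe","cmdline":"net group \"Domain Admins\" /domain"}
{"time":"2023-11-15T02:20:05Z","host":"WS-0142","user":"CORP\\jdoe","cmdline":"PsExec.exe \\\\DC01 -s cmd.exe"}
{"time":"2023-11-15T02:41:59Z","host":"WS-0142","user":"CORP\\jdoe","cmdline":"wevtutil.exe cl Security"}
{"time":"2023-11-15T02:25:30Z","host":"DC01","user":"CORP\\svc_backup","cmdline":"ntdsutil.exe \"ac i ntds\" \"ifm\" \"create full C:\\Windows\\Temp\\x\" q q"}
{"time":"2023-11-15T09:12:00Z","host":"WS-0077","user":"CORP\\helpdesk","cmdline":"whoami"}
{"time":"2023-11-15T09:12:30Z","host":"WS-0077","user":"CORP\\helpdesk","cmdline":"net user helpdesk /domain"}
"""

if __name__ == "__main__":
    findings, flagged = triage(SAMPLE_LOG.splitlines())
    for host, f in sorted(findings.items()):
        state = "FLAG" if host in flagged else "ok  "
        print(f"{state} {host:8} score={f.score:2} techniques={sorted(f.techniques)}")
        for t, tech, cmd in sorted(f.hits):
            print(f"       {t} [{tech}] {cmd}")
```

On the sample data WS-0142 and DC01 are flagged and WS-0077 is not. The discovery patterns anchor on a path separator or whitespace and require a trailing word boundary so that, for example, netstat does not trip the net rule; in production the weights would be tuned against a baseline of the environment's own administrative activity rather than the guesses used here.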
The advisory echoed open-source reporting, stating that the Rhysida ransomware group appears to share similarities with Vice Society, also known as DEV-0832.
PolySwarm has multiple samples of Rhysida.
You can use the following CLI command to search for all Rhysida samples in our portal:
$ polyswarm link list -f Rhysida