The FBI and CISA issued a joint warning about the escalating threat posed by the Rhysida ransomware gang, emphasizing its opportunistic attacks targeting organizations across diverse industry sectors. Rhysida, emerging in May 2023, gained infamy after breaching the Chilean Army and subsequently attacking healthcare organizations, as highlighted by the US Department of Health and Human Services.
Furthermore, the joint advisory, released today, provides defenders with crucial information, including indicators of compromise (IOCs), detection details, and Rhysida’s tactics, techniques, and procedures (TTPs) identified up to September 2023. Notably, the ransomware-as-a-service (RaaS) model employed by Rhysida impacts various sectors, with ransom payments being shared between the group and its affiliates.
Additionally, Rhysida attackers have demonstrated sophistication by infiltrating external-facing remote services, like VPNs, using stolen credentials to establish initial access and maintain a presence within victims’ networks. The FBI and CISA stressed the importance of Multi-Factor Authentication (MFA) in preventing such unauthorized access, particularly for webmail, VPN, and critical system accounts. Additionally, the malicious actors are known for exploiting the Zerologon vulnerability (CVE-2020-1472) to escalate Windows privileges within Microsoft’s Netlogon Remote Protocol.
The advisory also highlighted the transition of affiliates associated with the Vice Society ransomware group to using Rhysida payloads, a shift noted by various cybersecurity researchers around July 2023. Network defenders are urged to implement recommended mitigations to reduce the likelihood and severity of Rhysida-related ransomware incidents, including prompt patching of vulnerabilities, enabling MFA, and employing network segmentation to thwart lateral movement attempts.