In a united front against the escalating threat of Rhysida ransomware, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a comprehensive joint advisory. This advisory, labeled #StopRansomware: Rhysida Ransomware, serves as a critical resource to disseminate essential intelligence gathered up to September 2023.
Rhysida ransomware, identified as a ransomware-as-a-service (RaaS) model, has become a major concern as threat actors deploy it across diverse sectors, including education, healthcare, manufacturing, information technology, and government. Notably, any ransom paid is shared between the core group and its affiliates, establishing a unique and concerning dynamic.
Targets and Tactics
Rhysida's operators gain initial access and establish persistence by exploiting external-facing remote services such as VPNs, by exploiting the Zerologon vulnerability (CVE-2020-1472), and through phishing campaigns. A distinctive characteristic is its pattern of striking ‘targets of opportunity,’ reflecting a deliberate approach to victim selection.
The operators have also been observed using phishing and exploiting vulnerabilities such as Zerologon, a flaw in Microsoft’s Netlogon Remote Protocol, to escalate privileges. Affiliates associated with the Vice Society ransomware group have transitioned to using Rhysida ransomware payloads, as noted by various cybersecurity researchers.
Mitigations and Recommendations
The advisory underscores the urgent need for organizations to review and implement the recommended mitigations outlined in the joint CSA. These measures include, but are not limited to, patching vulnerabilities actively exploited by Rhysida, enabling Multi-Factor Authentication (MFA) across all services, particularly for webmail and VPN accounts, and adopting network segmentation to thwart lateral movement attempts.
Technical Insights and Mitigation Measures
Detailed technical insights into Rhysida’s tactics reveal its propagation via phishing emails, often containing malicious attachments or links that aim to trick users into enabling macros in Office files. Living-off-the-land tactics, employing built-in Windows tools such as PowerShell, WMI, certutil.exe, and schtasks.exe, allow the operators to move stealthily within compromised networks.
Credentials harvested from LSASS in memory, Windows Admin Shares, and RDP are used to compromise additional systems. The encryption of files using the RSA-2048 and AES-256 algorithms, appending the .rhysida extension, is a distinctive hallmark. Recommended mitigations include a defense-in-depth strategy, email filtering, endpoint protection, network segregation, and limiting admin privileges.
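The tactics listed above translate directly into detection opportunities on the endpoint. The following is an added example, not code from the advisory or from CISA, FBI, or MS-ISAC, that runs three simple rules over a constructed, Sysmon-style `key=value` event log (the field names EventID, Image, ParentImage, TargetImage, and TargetFilename, the allowlist, and the burst threshold are all assumptions for illustration): an Office application spawning one of the named living-off-the-land binaries, a non-allowlisted process opening LSASS, and a burst of files being written with the `.rhysida` extension.

```python
"""Rule-based detection for the Rhysida tradecraft named in the advisory summary.

Added example; not code from the joint advisory. Input is a constructed,
Sysmon-like 'key=value' log. Field names, the LSASS allowlist and the burst
threshold are hypothetical and must be tuned to a real estate.
"""
import re
from collections import Counter

# Windows tools the advisory names as living-off-the-land tooling.
LOLBINS = {"powershell.exe", "wmic.exe", "certutil.exe", "schtasks.exe"}
# Office hosts whose child processes are suspicious (macro-enabled documents).
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Processes that legitimately open LSASS (constructed allowlist, not authoritative).
LSASS_ALLOW = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}
RHYSIDA_EXT = ".rhysida"
RHYSIDA_BURST = 3  # constructed threshold: N renamed files from one process

# Constructed sample log: Event 1 = process create, 10 = process access,
# 11 = file create (Sysmon numbering). Paths and users are invented.
SAMPLE_LOG = r"""
EventID=1 Image=C:\Windows\System32\certutil.exe ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE User=CORP\jdoe CommandLine="certutil.exe -hashfile stage.dat"
EventID=1 Image=C:\Windows\System32\schtasks.exe ParentImage=C:\Windows\System32\svchost.exe User=NT AUTHORITY\SYSTEM CommandLine="schtasks.exe /query"
EventID=10 Image=C:\Users\jdoe\AppData\Local\Temp\x.exe TargetImage=C:\Windows\System32\lsass.exe User=CORP\jdoe
EventID=10 Image=C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe TargetImage=C:\Windows\System32\lsass.exe User=NT AUTHORITY\SYSTEM
EventID=11 Image=C:\Users\jdoe\AppData\Local\Temp\x.exe TargetFilename=D:\share\q3.xlsx.rhysida
EventID=11 Image=C:\Users\jdoe\AppData\Local\Temp\x.exe TargetFilename=D:\share\plan.docx.rhysida
EventID=11 Image=C:\Users\jdoe\AppData\Local\Temp\x.exe TargetFilename=D:\share\notes.txt.rhysida
EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\jdoe\Desktop\memo.docx
"""

# A value runs until the next ' key=' token or end of line; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|.*?)(?=\s+\w+=|$)')


def parse_events(text):
    """Parse key=value lines into a list of dicts, dropping blank lines."""
    events = []
    for line in text.strip().splitlines():
        ev = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if ev:
            events.append(ev)
    return events


def basename(path):
    """Lower-cased file name of a Windows path (empty string if no path)."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (event_index, rule_name, image) for every rule match."""
    hits = []
    rhysida_by_proc = Counter()
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        image = basename(ev.get("Image", ""))
        if eid == "1":
            # Office document launching a LOLBin: the macro-to-tooling chain.
            if image in LOLBINS and basename(ev.get("ParentImage", "")) in OFFICE_HOSTS:
                hits.append((i, "office_spawned_lolbin", image))
        elif eid == "10":
            # Credential harvesting from LSASS memory by an unexpected process.
            if basename(ev.get("TargetImage", "")) == "lsass.exe" and image not in LSASS_ALLOW:
                hits.append((i, "lsass_access", image))
        elif eid == "11":
            # Encryption in progress: one process writing many .rhysida files.
            if ev.get("TargetFilename", "").lower().endswith(RHYSIDA_EXT):
                rhysida_by_proc[image] += 1
                if rhysida_by_proc[image] == RHYSIDA_BURST:  # alert once per process
                    hits.append((i, "rhysida_extension_burst", image))
    return hits


if __name__ == "__main__":
    for idx, rule, img in detect(parse_events(SAMPLE_LOG)):
        print(f"event {idx}: {rule} ({img})")
```

On the constructed log this flags the certutil.exe launched by WINWORD.EXE, the unknown Temp binary reading LSASS, and the third `.rhysida` write from that same binary, while the Defender engine's LSASS access and the benign schtasks query pass. The extension rule is deliberately the last line of defense: by the time it fires, encryption has begun, so the first two rules are the ones worth tuning for early response.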
This joint advisory serves as a crucial resource for organizations to fortify their cybersecurity defenses against the evolving threat of Rhysida ransomware. In the face of this multifaceted threat landscape, vigilance and the proactive implementation of the recommended measures are imperative to mitigate risk and safeguard against potentially devastating attacks.