CISA Issue a Public Alert Regarding Rhysida Ransomware

The threat actors behind the Rhysida ransomware conduct opportunistic attacks on enterprises in a variety of industries.

The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued the advice.

[FREE E-BOOK] The Definite Blueprint for Cybersecurity in Manufacturing

“Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates,” the agencies said in a statement.

“Rhysida actors leverage external-facing remote services, such as virtual private networks (VPNs), Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain initial access and persistence within a network.”

Rhysida was discovered in May 2023 and employs the tried-and-true strategy of double extortion, demanding a ransom payment to decrypt victim data and threatening to broadcast the exfiltrated data unless the ransom is paid.

It is also reported to have similarities with another ransomware group known as Vice Society (aka Storm-0832 or Vanilla Tempest), owing to similar targeting patterns and the use of NTDSUtil as well as PortStarter, which the latter has exclusively used.

According to Malwarebytes statistics, Rhysida claimed five victims in the month of October 2023, trailing LockBit (64), NoEscape (40), PLAY (36), ALPHV/BlackCat (29), and 8BASE (21).

According to the authorities, the gang conducts opportunistic attacks to breach targets and uses living-off-the-land (LotL) strategies to permit lateral movement and VPN access.

The goal is to avoid discovery by blending in with legitimate Windows systems and network activity.

The pivot to Rhysida by Vice Society has been backed by additional analysis revealed earlier this week by Sophos, which stated it detected the same threat actor employing Vice Society up until June 2023, when it switched to deploying Rhysida.

The TAC5279 cluster is being tracked by the cybersecurity firm.

“Notably, according to the ransomware group’s data leak site, Vice Society has not posted a victim since July 2023, which is around the time Rhysida began reporting victims on its site,” stated Sophos researchers Colin Cowie and Morgan Demboski.

According to eSentire, the BlackCat ransomware Gang is hitting corporations and government bodies with Google advertising loaded with Nitrogen malware.

“This affiliate is taking out Google ads promoting popular software, such as Advanced IP Scanner, Slack, WinSCP and Cisco AnyConnect, to lure business professionals to attacker-controlled websites,” the cybersecurity firm stated in a statement.

The fraudulent installers contain Nitrogen, which is an initial access malware capable of delivering next-stage payloads, including ransomware, into a vulnerable environment.

“Known examples of ransomware-associated initial access malware that leverage browser-based attacks include GootLoader, SocGholish, BATLOADER, and now Nitrogen,” the company stated. “Interestingly, ALPHV has been observed as an end-game for at least two of these browser-based initial access pieces of malware: GootLoader and Nitrogen.”

The ever-changing nature of the ransomware ecosystem is further highlighted by the fact that 29 of the 60 active ransomware groups began operations this year, according to WithSecure, owing in part to the source code dumps of Babuk, Conti, and LockBit over the years.

“Data leaks aren’t the only thing that leads to older groups cross-pollinating younger ones,” According to WithSecure in a report published with The Hacker News.

“Ransomware gangs have employees, just like an IT firm. People, like an IT company, move professions and bring their unique talents and experience with them. In contrast to legitimate IT firms, however, there is nothing to prevent a cyber criminal from stealing proprietary resources (such as code or tools) from one ransomware operation and employing them in another. “Among thieves, there is no honor.”