FBI, CISA Urge Immediate Action to Mitigate Rhysida Ransomware Risks

November 15, 2023 - The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint cybersecurity advisory (CSA) to outline the risks of Rhysida ransomware.

The authoring entities urged organizations to take immediate action to reduce risk, such as remediating known vulnerabilities and implementing multifactor authentication (MFA).

As previously reported, Rhysida ransomware operates as ransomware-as-a-service (RaaS) group that emerged in May 2023, using phishing attacks and other tactics to gain network access and drop malicious payloads. HHS released a threat brief about the variant in August 2023, encouraging healthcare organizations to remain vigilant.

The latest CSA shed more light on the tactics and indicators of compromise (IOCs) of Rhysida, which has predominantly been used against healthcare, education, manufacturing, information technology, and government entities, also known as “targets of opportunity.”

According to the malware analyses and incident response investigations used to compile the report, Rhysida has some similarities to Vice Society. Additionally, analysts have observed Rhysida taking advantage of external-facing remote services, such as VPNs, to access and persist within a network.

Rhysida actors also leverage living-off-the-land techniques that allow them to evade detection by blending in with Windows systems.

The CSA provided detailed descriptions of how Rhysida actors execute ransomware, encrypt data, and demand ransomware payments. Organizations can use this information to streamline detection processes and mitigate risk.

CSA’s extensive list of recommended mitigations included requiring phishing-resistant MFA, disabling command-line and scripting activities and permissions, and updating Windows PowerShell or PowerShell Core to the latest version.

CISA, the FBI, and MS-ISAC also recommended enabling enhanced PowerShell logging and restricting the use of remote desktop protocol (RDP) and other remote desktop services to only known user accounts. As always, organizations should continue auditing user accounts, maintaining offline data backups, and practicing a recovery plan.

“FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered,” the CSA noted. “Furthermore, payment may also embolden adversaries to target additional organizations, encourage other threat actors to engage in the distribution of ransomware, and/or fund illicit activities.”

Even if an organization does pay the ransom, they should report any ransomware incident to the FBI’s Internet Crime Complaint Center (IC3).