Rhysida Ransomware Emerges as Latest RaaS Threat Group

August 08, 2023 - Rhysida ransomware group is the latest threat group to target victims around the world and publish stolen files online, the Health Sector Cybersecurity Coordination Center (HC3) warned in a threat brief.

The ransomware-as-a-service (RaaS) group emerged in May 2023, using phishing attacks and other tactics to gain network access and drop malicious payloads. Rhysida is still in the early stages of development but has already launched attacks across Western Europe, Australia, and North and South America.

Rhysida operates a victim support chat portal and displays its victim count and current auctions on its TOR page. HC3 provided a detailed technical description of Rhysida’s encryption tactics and how it deploys its ransomware.

Notably, the group is known to deploy Cobalt Strike or similar command-and-control frameworks. Other threat groups, such as Black Basta and FIN7, similarly use Cobalt Strike to gain network access. As previously reported, threat actors have been known to abuse legitimate tools to advance their goals and infiltrate networks.

Rhysida shows no known connections to existing ransomware groups but has loosely aligned itself with other groups by avoiding victims in the former Soviet Republic or bloc countries in Eastern Europe and Central Asia’s Commonwealth of Independent States.

“They primarily attack education, government, manufacturing, and technology and managed service provider sectors; however, there have been recent attacks against the Healthcare and Public Health (HPH) sector,” HC3 noted.

As such, HC3 warned that healthcare organizations should remain vigilant and employ security measures to defend against this and other ransomware groups. What’s more, the group has added eight victims to its dark web data leak site since June 2023 alone and published stolen files belonging to five of them.

Given these developments, HC3 recommended that organizations employ phishing awareness training, network segmentation, and intrusion detection systems to defend against Rhysida. In addition, HC3 encouraged organizations to virtually patch known vulnerabilities.

“Rhysida exploits known vulnerabilities in software to gain access to systems. Virtual patching can help by providing an immediate layer of protection against known vulnerabilities that the ransomware might exploit,” the brief stated. “This is especially important when a vendor-supplied patch is not immediately available or cannot be applied right away due to testing requirements.”

Organizations may also want to consider leveraging immutable backups, endpoint security solutions, and a principle of least privilege.

“In only a short time, Rhysida has proven itself to be a significant threat to organizations worldwide. With its strong encryption techniques and double extortion tactics, and a focus on multi-sector targets (military, government, education, and manufacturing), it is likely they will continue to pose a significant threat to these and possibly other sectors,” the brief concluded.

“By understanding the group’s TTPs, organizations can take a proactive approach to protect their systems and data. This includes patching known vulnerabilities, implementing robust security measures, and training staff to recognize and avoid phishing attempts.”