#StopRansomware: Rhysida Ransomware

Cyber Security Threat Summary:
A new joint advisory from CISA and the FBI has been issued detailing observed TTPs and IOCs to help organizations protect against Rhysida Ransomware. Rhysida is a fairly new ransomware that was first detected in May 2023. Like any other ransomware gang, the group engages in double extortion schemes where it will encrypt and exfiltrate victims’ files, threatening to publish the data online unless a ransom is paid. According to CISA and the FBI, Rhysida ransomware actors are very opportunistic and target victims residing in the education, healthcare, manufacturing, information technology, and government sectors. Based on open-source reporting, this group shares similarities with another ransomware gang dubbed Vice Society, which employs similar targeting patterns

Security Officer Comments:
The agencies note that this group leverages external-facing remote services, authenticating to internal access points using valid credentials and exploiting known vulnerabilities like Zerologon (CVE-2020-1472) to gain initial access to victim environments. Once initial access is obtained, the group relies on living off-the-land techniques such as RDP to conduct lateral movement and compromise as many systems as possible. To combat potential Rhysida attacks, organizations have been recommended to prioritize patching known exploited vulnerabilities, enable MFA protections for all services, and segment networks to limit the potential impact.