Rhysida Ransomware Threat Grows: FBI and CISA Warn
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) in a joint statement on November 15 warned of an escalation in attacks by the Rhysida ransomware gang.
Emerging in May 2023, the group first gained notoriety after breaching the Chilean Army and publishing the stolen data online. The agencies note that Rhysida actively targets organizations across a range of sectors, including education, healthcare, manufacturing, information technology, and government.
Experts highlight that the group operates a Ransomware-as-a-Service (RaaS) model, with financial ransoms being distributed among group members and numerous affiliates.
The agencies paid particular attention to Rhysida's initial access methods: compromising external remote services (such as VPNs) with stolen credentials, and exploiting known vulnerabilities such as Zerologon (CVE-2020-1472), particularly at organizations that do not enforce multi-factor authentication (MFA) by default.
It has also been observed that members of the Vice Society group, also tracked as Vanilla Tempest or DEV-0832, have transitioned to using Rhysida's ransomware in their operations.
Research by companies such as Sophos, Check Point, and PRODAFT indicates that Vice Society’s shift to Rhysida occurred around July this year, shortly after the group began posting victim data on its data leak site.
The FBI and CISA advise network security professionals to implement all possible measures to mitigate the likelihood and impact of ransomware incidents.
Among the baseline measures highlighted by the agencies are regular software updates to remediate actively exploited vulnerabilities; MFA for all services, especially webmail, VPNs, and accounts with access to critical systems; and network segmentation to limit lateral movement.