Cybersecurity Snapshots - Rhysida Ransomware

By aekwall 

Many new ransomware groups emerged in 2023. One of those groups is the Rhysida ransomware group, which emerged in May 2023. The group is very active, so the Cybersecurity and Infrastructure Security Agency (CISA) put out a notice warning organizations about the ransomware group. Rhysida actors target organizations in various sectors, including government, IT, manufacturing, healthcare, and education.

CISA claims that the Rhysida ransomware group operates in a Ransomware-as-a-Service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates. CISA notes that the Rhysida ransomware group has been observed leveraging external-facing remote services to gain initial access to, and persist within, a network. CISA says that Rhysida actors have commonly been observed authenticating to internal VPN access points with compromised valid credentials, notably because organizations did not have Multi-Factor Authentication (MFA) enabled by default. Additionally, the ransomware group has been observed exploiting Zerologon (CVE-2020-1472), a critical elevation-of-privilege vulnerability in Microsoft's Netlogon Remote Protocol, and conducting successful phishing attacks.

CISA claims that the Rhysida ransomware group uses living-off-the-land techniques, such as creating Remote Desktop Protocol (RDP) connections for lateral movement, establishing VPN access, and utilizing PowerShell. Living-off-the-land techniques use native network administration tools (those built into the operating system) to perform operations. According to CISA, these techniques allow the actors to evade detection by blending in with normal Windows system and network activity.

CISA observed that the Rhysida ransomware group uses legitimate tools to conduct its operations, including cmd.exe, PowerShell.exe, PsExec.exe, mstsc.exe, PuTTY.exe, PortStarter, secretsdump, ntdsutil.exe, AnyDesk, wevtutil.exe, and PowerView. CISA noted that, after mapping the network, the actors deploy ransomware that encrypts data using a 4096-bit RSA encryption key with the ChaCha20 algorithm. The algorithm features a 256-bit key, a 32-bit counter, a 96-bit nonce, and a four-by-four matrix of 32-bit words in plain text. Rhysida's encryptor encrypts the files and renames every encrypted file to carry a .rhysida extension. The group engages in "double extortion," where it demands a ransom payment to decrypt victim data and threatens to publish the sensitive exfiltrated data unless the ransom is paid. Rhysida directs victims to send ransom payments in Bitcoin to cryptocurrency wallet addresses provided by the threat actors.

CISA expects the number of Rhysida ransomware victims to increase, so mitigating the risk of becoming the next victim is important. The FBI, CISA, and the MS-ISAC (Multi-State Information Sharing and Analysis Center) recommend that organizations require phishing-resistant MFA, disable command-line and scripting activities and permissions, and implement verbose and enhanced logging within processes. They should also restrict the use of PowerShell, update Windows PowerShell or PowerShell Core to the latest version, enable enhanced PowerShell logging, restrict the use of RDP and other remote desktop services to known user accounts and groups, and implement application controls. Organizations should also keep all operating systems, software, and firmware up to date; segment networks; use a network monitoring tool to identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware; and audit user accounts. In addition, they should implement time-based access for accounts at the admin level and higher, implement a recovery plan, maintain offline backups of data, ensure all backup data is encrypted and immutable, and forward log files to a hardened centralized logging server. Finally, it is recommended that organizations consider adding an email banner to emails received from outside the organization and disabling hyperlinks in received emails.


Submitted by Gregory Rigby on