FBI, CISA, MS-ISAC release cybersecurity advisory on emerging Rhysida ransomware targeting critical sectors

Following the August alert by the Health Sector Cybersecurity Coordination Center (HC3) in the U.S. Department of Health & Human Services (HHS) regarding the emergence of Rhysida, a new ransomware-as-a-service (RaaS) group, U.S. security agencies have collaborated to release a joint cybersecurity advisory. The guidance shares information about the Rhysida ransomware, including Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) that have been identified through recent investigations conducted as recently as September. 

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) identified that Rhysida, an emerging ransomware variant, has predominantly been deployed against the education, healthcare, manufacturing, information technology, and government sectors since May this year. The insights provided in this advisory have been derived from incident response investigations and thorough malware analysis of samples discovered on victim networks.

“Threat actors leveraging Rhysida ransomware are known to impact ‘targets of opportunity,’ including victims in the education, healthcare, manufacturing, information technology, and government sectors,” the advisory revealed. “Open source reporting details similarities between Vice Society activity and the actors observed deploying Rhysida ransomware. Additionally, open-source reporting has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates.”

Rhysida ransomware hackers have been observed leveraging external-facing remote services to initially access and persist within a network. Remote services, such as virtual private networks (VPNs), allow users to connect to internal enterprise network resources from external locations. Additionally, these hackers have commonly been observed authenticating to internal VPN access points with compromised valid credentials, notably due to organizations lacking multi-factor authentication (MFA) enabled by default. 

The advisory also detailed that hackers have been observed exploiting Zerologon (CVE-2020-1472), a critical elevation of privileges vulnerability in Microsoft’s Netlogon Remote Protocol, as well as conducting successful phishing attempts. 

The agencies identified Rhysida ransomware hackers using living-off-the-land techniques, such as creating Remote Desktop Protocol (RDP) connections for lateral movement, establishing VPN access, and utilizing PowerShell. Living-off-the-land techniques include using native (built into the operating system) network administration tools to perform operations. This allows the actors to evade detection by blending in with normal Windows systems and network activities.

After mapping the network, the ransomware encrypts data using a 4096-bit RSA encryption key with a ChaCha20 algorithm, the advisory detailed. “The algorithm features a 256-bit key, a 32-bit counter, and a 96-bit nonce along with a four-by-four matrix of 32-bit words in plain text. Registry modification commands are not obfuscated, displayed as plain-text strings, and executed via cmd[dot]exe.” 
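The state layout the advisory describes (256-bit key, 32-bit counter, 96-bit nonce, arranged as a four-by-four matrix of 32-bit words) is the standard ChaCha20 construction from RFC 8439. The following is an added illustration written for this article, not code from the advisory or from the ransomware; it builds that matrix, runs the 20 rounds, and checks itself against the RFC's published test vectors. The RSA wrapping of the key that the advisory mentions is outside this block.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def quarter_round(s, a, b, c, d):
    # ChaCha quarter round over four words of the 16-word state (RFC 8439, section 2.1)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_state(key: bytes, counter: int, nonce: bytes) -> list:
    """Build the 4x4 matrix of 32-bit little-endian words:
    row 0: constants, rows 1-2: 256-bit key, row 3: 32-bit counter + 96-bit nonce."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    consts = struct.unpack("<4I", b"expand 32-byte k")
    return (list(consts) + list(struct.unpack("<8I", key))
            + [counter & MASK32] + list(struct.unpack("<3I", nonce)))


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block: 10 double rounds, then add the initial state."""
    init = chacha20_state(key, counter, nonce)
    s = init[:]
    for _ in range(10):
        # column round
        quarter_round(s, 0, 4, 8, 12); quarter_round(s, 1, 5, 9, 13)
        quarter_round(s, 2, 6, 10, 14); quarter_round(s, 3, 7, 11, 15)
        # diagonal round
        quarter_round(s, 0, 5, 10, 15); quarter_round(s, 1, 6, 11, 12)
        quarter_round(s, 2, 7, 8, 13); quarter_round(s, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(s, init)])


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """Encrypt or decrypt (same operation): XOR data with successive keystream blocks."""
    out = bytearray()
    for i in range(0, len(data), 64):
        keystream = chacha20_block(key, counter + i // 64, nonce)
        out.extend(x ^ k for x, k in zip(data[i:i + 64], keystream))
    return bytes(out)
```

The quarter-round and block-function vectors in the test are the ones printed in RFC 8439 sections 2.1.1 and 2.3.2.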

“Rhysida’s encryptor runs a file to encrypt and modify all encrypted files to display a [dot]rhysida extension. Following encryption, a PowerShell command deletes the binary from the network using a hidden command window,” the advisory pointed out.

The advisory also highlighted that Rhysida ransomware hackers reportedly engage in ‘double extortion,’ demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid. “Rhysida actors direct victims to send ransom payments in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. Rhysida ransomware drops a ransom note named ‘CriticalBreachDetected’ as a PDF file; the note provides each company with a unique code and instructions to contact the group via a Tor-based portal,” it added.

The contents of the ransom note, identified in analysis and also listed in open-source reporting, are embedded as plain text in the ransomware binary, which gives network defenders an opportunity to deploy string-based detection that alerts on evidence of the ransom note, the advisory pointed out. “Rhysida threat actors may target systems that do not use command-line operating systems. The format of the PDF ransom notes could indicate that Rhysida actors only target systems that are compatible with handling PDF documents.”
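A minimal version of the string-based detection the advisory suggests, added here as an illustration and not taken from the advisory or any vendor tooling. It searches a file for the two strings the article names (the ransom-note file name and the extension appended to encrypted files) in both ASCII and UTF-16LE, because Windows binaries commonly embed strings in either form; the sample blob is constructed for the example, and the marker list is a starting point to be extended with note text from the organization's own analysis.

```python
import re

# Markers named in the advisory. Extend with full ransom-note sentences from your own analysis.
RANSOM_NOTE_MARKERS = ["CriticalBreachDetected", ".rhysida"]


def _needles(marker: str) -> dict:
    # Windows executables embed strings as narrow (ASCII) or wide (UTF-16LE) text; check both.
    return {"ascii": marker.encode("ascii"), "utf-16le": marker.encode("utf-16-le")}


def scan_blob(blob: bytes, markers=RANSOM_NOTE_MARKERS) -> list:
    """Return (marker, encoding, offset) for every occurrence found in the blob."""
    hits = []
    for marker in markers:
        for enc, needle in _needles(marker).items():
            for m in re.finditer(re.escape(needle), blob):
                hits.append((marker, enc, m.start()))
    return sorted(hits, key=lambda h: h[2])


def scan_file(path: str, markers=RANSOM_NOTE_MARKERS) -> list:
    """Scan a file on disk; large files are read whole, which is fine for typical executables."""
    with open(path, "rb") as fh:
        return scan_blob(fh.read(), markers)


def is_suspicious(blob: bytes, markers=RANSOM_NOTE_MARKERS) -> bool:
    """Triage verdict: any embedded marker is worth an alert and a closer look."""
    return bool(scan_blob(blob, markers))


# Constructed sample: a fake PE-like header, the note name as ASCII, the extension as UTF-16LE.
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 32
               + b"CriticalBreachDetected.pdf" + b"\x00" * 8
               + ".rhysida".encode("utf-16-le") + b"\x00" * 16)
BENIGN_BLOB = b"MZ\x90\x00" + b"\x00" * 32 + b"ordinary program strings" + b"\x00" * 8

if __name__ == "__main__":
    for marker, enc, off in scan_blob(SAMPLE_BLOB):
        print(f"hit: {marker!r} ({enc}) at offset {off}")
```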

Commenting on the latest advisory, Dror Liwer, co-founder of cybersecurity company Coro, wrote in an emailed statement that “Attack-as-a-service lowered the bar to executing sophisticated attacks in a way that even novices are now able to successfully participate in the criminal economy. As long as organizations pay a ransom, the ROI will be attractive enough for these criminals to continue their attacks.”

The advisory called upon critical infrastructure organizations to, among other mitigation measures, prioritize remediating known exploited vulnerabilities; enable MFA for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems; and segment networks to prevent the spread of ransomware.
