HC3 alerts of Rhysida RaaS group employing phishing attacks, Cobalt Strike for network breaches

The Health Sector Cybersecurity Coordination Center (HC3) in the U.S. Department of Health & Human Services (HHS) has alerted the healthcare sector to Rhysida, a new ransomware-as-a-service (RaaS) group that emerged in May this year. The group breaches targets’ networks via phishing attacks and Cobalt Strike, drops its eponymous ransomware, and then threatens victims in a ransom note with public distribution of the exfiltrated data if the ransom is not paid, bringing it in line with modern-day double-extortion groups.

“Rhysida is still in early stages of development, as indicated by the lack of advanced features and the program name Rhysida-0.1. The ransomware also leaves PDF notes on the affected folders, instructing the victims to contact the group via their portal and pay in Bitcoin,” the HC3 identified in its sector alert. “Its victims are distributed throughout several countries across Western Europe, North and South America, and Australia. They primarily attack education, government, manufacturing, and technology and managed service provider sectors; however, there have been recent attacks against the Healthcare and Public Health (HPH) sector.” 

The HC3 alert said that despite being an ostensibly independent ransomware group and showing no observed overt connections to existing ransomware operations, the geopolitical ramifications of the attack on the Chilean government remain unclear. “However, its victims are distributed throughout several countries across Western Europe, North and South America, and Australia, loosely aligning the group’s targeting with other ransomware operations that avoid targeting former Soviet Republic or bloc countries in Eastern Europe and Central Asia’s Commonwealth of Independent States.” 

“When the country distributions are analyzed, one cybersecurity firm concluded that the United States, Italy, Spain, and the United Kingdom are targeted more than other countries,” the alert said. “Since June, the threat actor has already added at least eight victims to its dark web data leak site and has published all stolen files for five of them.”

Recently, security researchers have alleged that there is a relationship between the threat actors Rhysida and Vice Society, the HC3 alert identified. “In terms of commonalities, both groups mainly target the education sector. 38.4% of Vice Society’s attacks targeted the education sector, compared to 30% of Rhysida’s. Of note, Vice Society mainly targets both educational and healthcare institutions, preferring to attack small-to-medium organizations. If there is indeed a linkage between both groups, then it is only a matter of time before Rhysida could begin to look at the healthcare sector as a viable target,” it added. 

In June, news reports said that Rhysida ransomware hackers had leaked documents claimed to be stolen from the network of the Chilean Army (Ejército de Chile). The leak came after the Chilean Army confirmed on May 29 that its systems were impacted in a security incident detected over the weekend of May 27, according to a statement shared by Chilean cybersecurity firm CronUp.

The latest HC3 alert identified that, beyond the cyberattack on the Chilean army, Rhysida’s victims have come from the education, government, manufacturing, technology, and managed service provider sectors, with some of these targeted far more often than others. “When observing Rhysida’s past attacks, it can be inferred that it mostly targets organizations operating in the education and manufacturing sectors.”

First observed on May 17 this year, following the emergence of its victim support chat portal, hosted via TOR ([dot]onion), Rhysida describes itself as a ‘cybersecurity team’ that aims to help victims highlight potential security issues and secure their networks, the HC3 alert disclosed. “While not much is known about the group’s origins or country affiliations, the name Rhysida is a reference to the Rhysida genus of centipede and is reflected as the logo on their victim blog. The TOR page also shows the current auctions and total number of victims.”

The alert added that the group’s website also serves as a portal for Rhysida-centric news and media coverage, as well as details on how to contact the group should journalists, recovery firms, or fans be inclined to do so. 

“Rhysida is a 64-bit Portable Executable (PE) Windows cryptographic ransomware application compiled using MINGW/GCC. In each sample analyzed, the application’s program name is set to Rhysida-0.1, suggesting the tool is in early stages of development,” according to the HC3 alert. “A notable characteristic of the tool is its plain-text strings revealing registry modification commands. Rhysida ransomware is deployed in multiple ways. Primary methods include breaching targets’ networks via phishing attacks, and by dropping payloads across compromised systems after first deploying Cobalt Strike or similar command-and-control frameworks.” 

The HC3 also noted that a previous HC3 product on the Russian-speaking RaaS group Black Basta detailed how both threat groups, Black Basta and FIN7 (aka Carbanak/Cobalt Group/Carbon Spider), share a TTP in their employment of Cobalt Strike. “When Rhysida runs, one cybersecurity firm observed a process of getting output from the command line, which apparently scans the files, runs the ‘file_to_crypt’ function, and if successful, changes the file extension to ‘[dot]rhysida,’” it added.

For the encryption phase, the HC3 alert disclosed that Rhysida uses a 4096-bit RSA key with the ChaCha20 algorithm. “After the encryption details are established, Rhysida enumerates files and folders connected to the system. The main function ends by calling PowerShell to delete the binary after encryption has completed,” it added.

The alert added that extended features beyond encrypting files are still not present in current variations of Rhysida. The most recent analyzed samples continue to lack commodity features like VSS Removal, multiple persistence mechanisms, process termination, or unhooking. 

“The group then threatens victims in a ransom note with public distribution of the exfiltrated data, bringing them in line with modern-day double-extortion groups,” the HC3 alert identified. “Rhysida ransom notes are written as PDF documents to affected folders on targeted drives, with the content of the document embedded in the binary in clear text. This potentially provides some insight into the types of systems or networks that the threat group targets, as the presence of these ransom notes could indicate that the targeted systems have the capability to handle PDF documents. This also indicates that the group is not targeting command-line operating systems used on network devices or servers.” 
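As an added illustration (not part of the HC3 alert or this article), the host-level behaviours described above, renames to the [dot]rhysida extension, a PDF note written into the affected folders, and a PowerShell child process that deletes the encryptor binary, can be correlated per process over endpoint telemetry. The event schema, paths, process ids and note filename below are constructed assumptions, not published indicators:

```python
"""Detector for the Rhysida behaviours HC3 describes: mass renames to
'.rhysida', a PDF note written into affected folders, and a PowerShell
child deleting the encryptor. All telemetry here is constructed sample data."""
import ntpath
from collections import defaultdict

ENCRYPTOR = r"C:\Users\alice\AppData\Local\Temp\upd.exe"   # constructed path
SAMPLE_EVENTS = [  # constructed sample, timestamps in seconds
    {"ts": 100, "type": "process_create", "pid": 4242, "ppid": 900,
     "image": ENCRYPTOR, "cmdline": "upd.exe"},
    {"ts": 101, "type": "file_rename", "pid": 4242,
     "old": r"D:\shares\finance\q1.xlsx", "new": r"D:\shares\finance\q1.xlsx.rhysida"},
    {"ts": 101, "type": "file_rename", "pid": 4242,
     "old": r"D:\shares\finance\q2.xlsx", "new": r"D:\shares\finance\q2.xlsx.rhysida"},
    {"ts": 102, "type": "file_rename", "pid": 4242,
     "old": r"D:\shares\hr\staff.docx", "new": r"D:\shares\hr\staff.docx.rhysida"},
    {"ts": 103, "type": "file_create", "pid": 4242, "path": r"D:\shares\hr\note.pdf"},
    {"ts": 110, "type": "process_create", "pid": 5151, "ppid": 4242,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f'powershell.exe -Command "Remove-Item -Force \'{ENCRYPTOR}\'"'},
]


def detect_rhysida_like(events, min_renames=3, window=60):
    """Return (pid, finding) pairs; the two weaker signals are only reported
    once the same process has shown a burst of '.rhysida' renames."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pid[e["pid"]].append(e)
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    findings = []
    for pid, evs in by_pid.items():
        renames = [e for e in evs if e["type"] == "file_rename"
                   and e["new"].lower().endswith(".rhysida")]
        # burst = at least min_renames such renames inside `window` seconds
        if not any(renames[i + min_renames - 1]["ts"] - renames[i]["ts"] <= window
                   for i in range(len(renames) - min_renames + 1)):
            continue
        findings.append((pid, "mass rename to .rhysida"))
        hit_dirs = {ntpath.dirname(e["new"]).lower() for e in renames}
        if any(e["type"] == "file_create" and e["path"].lower().endswith(".pdf")
               and ntpath.dirname(e["path"]).lower() in hit_dirs for e in evs):
            findings.append((pid, "pdf note written into an encrypted folder"))
        parent = images.get(pid, "").lower()
        for e in events:  # PowerShell child whose command line deletes the parent binary
            cmd = e.get("cmdline", "").lower()
            if (e["type"] == "process_create" and e.get("ppid") == pid
                    and "powershell" in e["image"].lower() and parent and parent in cmd
                    and any(v in cmd for v in ("remove-item", "del ", "rm "))):
                findings.append((pid, "powershell child deleting the encryptor binary"))
    return findings
```

The rename burst gates the other two signals so that a single user opening a PDF or an administrator cleaning up with PowerShell does not fire on its own.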

It added that victims are instructed to contact the attackers via their TOR-based portal, using the unique identifier provided in the ransom note. “Rhysida accepts payment in Bitcoin only, providing information on the purchase and use of Bitcoin on the victim portal as well. Upon providing their unique ID to the payment portal, another form is presented that allows victims to provide additional information to the attackers, such as authentication and contact details,” the alert added.

John Riggi, senior cybersecurity adviser to the American Hospital Association, wrote in a LinkedIn post that ransomware attacks against healthcare and other critical infrastructure that broadly threaten public health and safety are not economic crimes – they are threats to life crimes. “These attacks risk not only the safety of the patients within the hospital, but they also risk the safety of the entire community that depends on the availability of that emergency department to be there. The Federal government prioritizes the investigation and response to these types of attacks, the same as terrorist attacks.”

Riggi added that the Rhysida ransomware group is a recently emerged ransomware-as-a-service group involved in high-impact attacks across multiple sectors. “Although the national origin of this group is unknown, it is noted that the group primarily targets organizations in Western nations. HC3 has stated that this group has engaged in recent attacks against the healthcare sector. As such it is strongly recommended that this alert be prioritized by hospitals and health systems and the identified malware signatures be entered into network defenses and risk mitigation procedures be implemented as soon as possible,” he added.

Given the severity of Rhysida’s attacks, the HC3 alert said that it is crucial for organizations to take proactive measures to protect their systems and data. It recommended that healthcare organizations adopt virtual patching to provide an immediate layer of protection against known vulnerabilities that the ransomware might exploit; provide regular phishing awareness training to all employees to help them recognize and avoid phishing attempts; and deploy endpoint security tools to help fight ransomware by continuously checking all points of entry in a network, spotting and stopping malicious software, reviewing incoming data, and giving the option to isolate or delete data remotely to prevent the spread of ransomware throughout the network.

The HC3 alert suggests using immutable backups to create a protective barrier against ransomware, ensuring that data restoration remains feasible and efficient. Network segmentation can limit the spread of ransomware if one part of the network is compromised. It also emphasizes the importance of firewalls, intrusion detection systems, an incident response plan, and the principle of least privilege in preventing ransomware attacks. Firewalls and intrusion detection systems can detect and block suspicious activity before it causes significant damage, while a well-defined incident response plan minimizes downtime and damage.
