
Update on Advisory for Rhysida Ransomware

We have previously reported how the Rhysida ransomware has focused on attacking the education sector. Recently, CISA, the FBI and MS-ISAC released a new joint Cybersecurity Advisory to disseminate known Rhysida ransomware indicators of compromise (IOCs), detection methods, and tactics, techniques and procedures (TTPs) identified through recent investigations.

The #StopRansomware: Rhysida Ransomware advisory notes that open source reporting has identified similarities between Vice Society activity and the actors observed deploying Rhysida ransomware. Open source reporting has also confirmed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) model; under this business model, ransoms are split between the group and its affiliates.

Initial access has been observed via external-facing remote services, such as VPNs, which the actors use both to gain initial access and to maintain a foothold within the network. Rhysida actors have been observed authenticating to internal VPN access points with compromised valid credentials. They may use native network administration tools to perform operations, which allows the actors to evade detection by blending in with normal Windows system and network activity.

Other initial access methods include valid account credentials and phishing.

Execution

After mapping the network, the ransomware encrypts data using an encryption key and algorithm; all encrypted files display a .rhysida extension.

Rhysida actors reportedly engage in 'double extortion' by demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid. Rhysida actors direct victims to send ransom payments in Bitcoin to cryptocurrency wallet addresses provided by the threat actors.

Advised Mitigations

  • Phishing resistant MFA
  • Disable command-line and scripting activities and permissions
  • Implement verbose and enhanced logging within processes (e.g. command-line auditing)
  • Restrict the use of PowerShell
  • Update Windows PowerShell or PowerShell Core to the latest version
  • Enable enhanced PowerShell logging
  • Restrict the use of RDP and other remote desktop services to known user accounts and groups.  Secure remote access tools by implementing application controls
  • Keep all operating systems, software and firmware up to date
  • Segment networks
  • Identify, detect and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool
  • Audit user accounts
  • Implement time-based access for accounts set at admin level and higher
  • Implement a recovery plan
  • Maintain offline backups of data
  • Ensure all backup data is encrypted and immutable (cannot be altered or deleted)
  • Forward log files to a hardened centralised logging server
  • Consider adding an email banner to emails received from outside your organisation
  • Disable hyperlinks
  • Validate your security controls
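As an added example (not part of the advisory or this article), the following PowerShell, run from an elevated session on a Windows host, applies the command-line auditing and enhanced PowerShell logging items above through their policy registry keys; the transcript output path C:\PSTranscripts is an assumed value to adjust for your environment.

```powershell
# Added example: enable command-line process auditing and enhanced PowerShell
# logging via the policy registry keys. Run in an elevated PowerShell session.
# C:\PSTranscripts is an assumed output path; adjust it for your environment.

$ErrorActionPreference = 'Stop'

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Command-line auditing: include the process command line in Security event 4688.
Set-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
    'ProcessCreationIncludeCmdLine_Enabled' 1
# The 4688 events themselves require the Process Creation audit subcategory.
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null

# 2. Script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational),
#    which records the content of scripts and commands as they execute.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
Set-PolicyValue "$psPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# 3. Module logging for all modules (event 4103): pipeline execution details.
Set-PolicyValue "$psPolicy\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$psPolicy\ModuleLogging\ModuleNames" '*' '*' 'String'

# 4. Transcription: full session transcripts written to a directory that should be
#    forwarded to (or hosted on) the hardened centralised logging server.
Set-PolicyValue "$psPolicy\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$psPolicy\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$psPolicy\Transcription" 'OutputDirectory' 'C:\PSTranscripts' 'String'

# Verify the PowerShell policy keys that were written.
foreach ($sub in 'ScriptBlockLogging', 'ModuleLogging', 'Transcription') {
    Get-ItemProperty "$psPolicy\$sub" | Select-Object -Property * -ExcludeProperty PS*
}
```

In a domain, apply the same settings through Group Policy rather than per host, and confirm events 4688, 4103 and 4104 arrive at the central log server before relying on them for detection.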

Full guidance and advisory: #StopRansomware: Rhysida Ransomware (release date: November 15, 2023)

Previous DPE article about Rhysida: