What is Rhysida?
Rhysida is a Windows-based ransomware operation that has come to prominence since May 2023, after being linked to a series of high profile cyber attacks in Western Europe, North and South America, and Australia. The group appears to have links to the notorious Vice Society ransomware gang.
What kind of organisations has Rhysida been hitting with ransomware?
The US Department of Health and Human Services' Health Sector Cybersecurity Coordination Center has this month described Rhysida as a "significant threat to the healthcare sector", Rhysida has targeted hospitals and clinics across the United States. However, the group does not appear to have confined itself to targeting victims in one particular sector. For instance, Rhysida victims have included the Chilean Army, whose stolen data the malicous hackers published on its dark web leak site.
Leaking data from a country's hacked army. That's certainly a bold move. Where does it get the name Rhysida from?
It's a type of centipede - this is reflected in the images that the ransomware group uses on its leak website.
So, not the kind of thing you want to have scurrying around your network...
And don't expect to find hundreds of footprints either... instead, the first clue you may see that you have fallen victim to Rhysida are the PDF files it scattered across affected folders on compromised computers.
What does the ransom note from Rhysida say?
Cheekily, the ransom note presents itself as a "critical breach" alert from the Rhysida "cybersecurity team." Don't be under any illusions. Your computer has been the victim of a cybercriminal attack. In typical ransomware fashion, files on compromised drives have been exfiltrated and the copies left behind encrypted.
"The potential ramifications of this could be dire, including the sale, publication, or distribution of your data to competitors or media outlets. This could inflict significant reputational and financial damage."
The ransom demand goes on to remind victims that time is of the essence, and that those organisations impacted by Rhysida should visit the group's portal on the dark web for a decryption key. Of course, you'll have to cough up a payment in Bitcoin to unlock your encrypted files. The ransom note - which typically has the name CriticalBreachDetected.pdf - cheerily signs off with "Best regards."
Well, that's friendly of them at least...
Yes, it's always good when the person extorting money from your organisation is polite. Rhysida seems to be keen to reassure its victims that their hands will be held during the recovery process:
"Rest assured, our team is committed to guiding you through this process. The journey to resolution begins with the use of the unique key. Together, we can restore the security of your digital environment.
If course, if they really cared maybe they wouldn't have stolen your data and encrypted your files in the first place.
So, what's the real threat here?
Well, if you don't have a secure backup of your company's data then you may have no other choice to negotiate with your extortionists to get back up-and-running again. If you do have a backup that works, then you not only have the hassle of restoring your systens, but you may also worry about the damage which could be done to your brand, your customer relationships, and partnerships if the Rhysida group follows through on its threats and publishes stolen data on the dark web.
Whatever choice you make, you still have the headache of determining precisely how the criminals managed to break into your computer systems and harden defences to prevent it from happening again.
So, how is Rhysida breaking into organisations?
From what has been seen so far, it appears a typical infection occurs after a phishing attack.
Something that unsophisticated, eh?
I'm afraid so. Phishing may not be rocket science, but for years it has worked perfectly well for cybercriminals. Why reinvent the wheel if the old version works just fine.
So, it't not doing anything that novel then?
No. Our advice is to follow the same best practice recommendations we have given on how to protect your organisation from other ransomware. Those include:
- making secure offsite backups.
- running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
- Restrict an attacker's ability to spread laterally through your organisation via network segmentation.
- using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
- encrypting sensitive data wherever possible.
- reducing the attack surface by disabling functionality which your company does not need.
- educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Mastering Security Configuration Management
Master Security Configuration Management with Tripwire's guide on best practices. This resource explores SCM's role in modern cybersecurity, reducing the attack surface, and achieving compliance with regulations. Gain practical insights for using SCM effectively in various environments.