Pierluigi Paganini
November 16, 2023
FBI and CISA published a joint Cybersecurity Advisory (CSA) to warn of Rhysida ransomware attacks against organizations across multiple industry sectors. The report is part of the ongoing #StopRansomware effort that disseminates advisories about tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with ransomware groups.
The report includes IOCs and TTPs identified through investigations as recently as September 2023.
The Rhysida ransomware group has been active since May 2023, according to the gang’s Tor leak site, at least 62 companies are victims of the operation.
The ransomware gang hit organizations in multiple industries, including the education, healthcare, manufacturing, information technology, and government sectors. The victims of the group are “targets of opportunity.”
“Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society (DEV-0832)[1] activity and the actors observed deploying Rhysida ransomware.” reads the joint advisory. “Additionally, open source reporting[2] has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates.”
Rhysida actors have been observed leveraging external-facing remote services (e.g. VPNs, RDPs) to gain initial access to the target network and maintain persistence. The group relied on compromised credentials to authenticate to internal VPN access points. According to the advisory, the threat actors have been observed exploiting Zerologon (CVE-2020-1472) in Microsoft’s Netlogon Remote Protocol in phishing attempts.
The group relies on living off-the-land techniques such as native (built into the operating system) network administration tools to perform malicious operations. Below is the list of tools used by the group for its activities:
| Name | Description |
| cmd.exe | The native command line prompt utility. |
| PowerShell.exe | A native command line tool used to start a Windows PowerShell session in a Command Prompt window. |
| PsExec.exe | A tool included in the PsTools suite used to execute processes remotely. Rhysida actors heavily leveraged this tool for lateral movement and remote execution. |
| mstsc.exe | A native tool that establishes an RDP connection to a host. |
| PuTTY.exe | Rhysida actors have been observed creating Secure Shell (SSH) PuTTy connections for lateral movement. In one example, analysis of PowerShell console host history for a compromised user account revealed Rhysida actors leveraged PuTTy to remotely connect to systems via SSH [T1021.004]. |
| PortStarter | A back door script written in Go that provides functionality for modifying firewall settings and opening ports to pre-configured command and control (C2) servers.[1] |
| secretsdump | A script used to extract credentials and other confidential information from a system. Rhysida actors have been observed using this for NTDS dumping [T1003.003] in various instances. |
| ntdsutil.exe | A standard Windows tool used to interact with the NTDS database. Rhysida actors used this tool to extract and dump the NTDS.dit database from the domain controller containing hashes for all Active Directory (AD) users.Note: It is strongly recommended that organizations conduct domain-wide password resets and double Kerberos TGT password resets if any indication is found that the NTDS.dit file was compromised. |
| AnyDesk | A common software that can be maliciously used by threat actors to obtain remote access and maintain persistence [T1219]. AnyDesk also supports remote file transfer. |
| wevtutil.exe | A standard Windows Event Utility tool used to view event logs. Rhysida actors used this tool to clear a significant number of Windows event logs, including system, application, and security logs [T1070.001]. |
| PowerView | A PowerShell tool used to gain situational awareness of Windows domains. Review of PowerShell event logs identified Rhysida actors using this tool to conduct additional reconnaissance-based commands and harvest credentials. |
The advisory includes mitigations for network defenders along with indicators of compromise (IoCs).
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransomware)
