Content

Events
About

Cyber security advisory warns of emerging ransomware variant Rhysida

Michael Hill | 11/16/2023

A new cybersecurity advisory has warned of the threats posed by emerging ransomware variant Rhysida. The advisory, published jointly by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), disseminates the known indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) of the Rhysida ransomware operators. It also outlines the mitigative steps organizations should take to reduce the likelihood and impact of Rhysida. The guidance is based upon investigations carried out as recently as September 2023.

Rhysida targets victims of “opportunity” including education, healthcare and government sectors

Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology and government sectors, the advisory read. Any ransoms that are paid are split between the group and affiliates. Rhysida actors leverage external-facing remote services, such as virtual private networks (VPNs), the Zerologon vulnerability (CVE-2020-1472) and phishing campaigns to gain initial access and persistence within a network, the advisory added.

The legitimate tools Rhysida actors have repurposed for their operations include cmd.exe, PowerShell.exe, PuTTY.exe and PowerView, according to the advisory. “Organizations are encouraged to investigate and vet use of these tools prior to performing remediation actions,” it added.

Rhysida ransomware group known to engage in double-extortion

After mapping the network, the ransomware encrypts data using a 4096-bit RSA encryption key with a ChaCha20 algorithm. Rhysida actors are known to then engage in “double extortion” – demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid. “Rhysida actors direct victims to send ransom payments in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. Rhysida ransomware drops a ransom note named “CriticalBreachDetected” as a PDF file – the note provides each company with a unique code and instructions to contact the group via a Tor-based portal.”

The contents of the ransom note are embedded as plain-text in the ransom binary, offering network defenders an opportunity to deploy string-based detection for alerting on evidence of the ransom note, according to the advisory. “Rhysida threat actors may target systems that do not use command-line operating systems. The format of the PDF ransom notes could indicate that Rhysida actors only target systems that are compatible with handling PDF documents.”

Known Rhysida IoCs include Onion Mail email accounts rhysidaeverywhere@onionmail[.]org and rhysidaofficial@onionmail[.]org for services or victim communication, the advisory read.

How to mitigate the threats posed by Rhysida ransomware

Organizations should implement the following mitigations to reduce the risk of falling victim to Rhysida ransomware and improve overall security posture, according to the advisory:

  • Require phishing-resistant multi-factor authentication (MFA) for all services to the extent possible
  • Disable command-line and scripting activities and permissions
  • Implement verbose and enhanced logging within processes
  • Restrict the use of PowerShell
  • Update Windows PowerShell or PowerShell Core to the latest version
  • Enable enhanced PowerShell logging
  • Restrict the use of remote desktop protocol (RDP) and other remote desktop services to known user accounts and groups
  • Keep all operating systems, software and firmware up-to-date
  • Identify, detect and investigate abnormal activity and potential traversal of indicated ransomware with a network monitoring tool
  • Implement time-based access for accounts set at the admin level and higher
  • Maintain offline backups of data
  • Ensure all backup data is encrypted and immutable

Sign up to Cyber Security Hub’s upcoming webinar All Access: Malware and Ransomware

Upcoming Events


15th Annual Automotive Cybersecurity Detroit 2025

March 11 - 13, 2025
The Henry Hotel, Dearborn, Michigan, US
Register Now | View Agenda | Learn More


Digital Identity Week

09 - 10 September, 2025
Sydney, Australia
Register Now | View Agenda | Learn More

MORE EVENTS