Rhysida Ransomware: A Sinister Crawl from the Undergrowth | Vorlon Blog: Bite sized breaches

Written by Lauren Lee | Aug 15, 2023 7:00:00 AM

Introduction

You've heard of centipedes, but have you heard of Rhysida? No, we're not talking about the creepy-crawly arthropod. We're diving into the world of Rhysida ransomware, a new and menacing cyber threat that's slithering its way into organizations worldwide. Buckle up, as we unravel the tactics, the victims, and what you can do to protect yourself from this digital centipede.

The Rhysida Ransomware: What's the Buzz?

Rhysida emerged in May 2023 as a ransomware-as-a-service (RaaS) group, and it's been making waves ever since. Named after the Rhysida genus of centipede, this group is anything but slow. Its operators get a foothold through phishing, use Cobalt Strike for hands-on-keyboard activity once inside, and then deploy the ransomware, threatening to publish exfiltrated data if the ransom isn't paid.

But what makes Rhysida stand out? It's still in its early stages, but it's already showing its fangs. The ransomware drops PDF ransom notes in affected folders, claiming to be the "cybersecurity team Rhysida" and instructing victims to pay in Bitcoin. And the sectors they're targeting? Education, government, manufacturing, and technology. They've even started eyeing the Healthcare and Public Health sector.

The Victims: Who's Been Bitten?

Rhysida's victims are spread across Western Europe, North and South America, and Australia.

But let's zoom in on some of the big names:

Chilean Government:

On May 27, 2023, the Chilean Army's systems were hit by a security breach. They quickly isolated the network and called in the experts to start fixing things up. But guess what? Local media reported that an Army corporal was arrested and charged for his involvement in the attack. Talk about an inside job!

Now, Rhysida is claiming they've got their virtual hands on some of the Chilean Army's documents, and they've leaked about 30% of them online. That's around 360,000 documents.

Prospect Medical Holdings:

The California-based hospital operator was hit hard by ransomware on August 3. Seventeen hospitals, 166 outpatient clinics and other practices across several states are still recovering. Can you imagine? The internet, email, and even electronic health records were down, and medical staff were forced to go old school with paper charts. It's like a blast from the past, but not in a fun way.

While the attack hasn't officially been pinned on Rhysida, the whispers are that they might be the culprits. It just goes to show that big healthcare organizations are a juicy target for ransomware.

Unfortunately, Rhysida's appetite isn't limited to governments and medical groups. They've also feasted on the education, manufacturing, and technology sectors, with education accounting for the most victims.

Rhysida's Tactics: Slithering into Systems

Rhysida's tactics are as cunning as a centipede's movement. They gain initial access through phishing campaigns and by exploiting known, unpatched vulnerabilities, then push their payload across the compromised systems. Once inside, the ransomware scans the file system, encrypts the files it finds, and appends the ".rhysida" extension to each one.

In every affected folder they leave a ransom note named "CriticalBreachDetected.pdf".
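The two artefacts named above, the ".rhysida" extension and the "CriticalBreachDetected.pdf" note, are enough to triage how far an encryption run got. The script below is an added example written for this post, not code from Vorlon or from the ransomware itself; it walks a directory tree, counts encrypted files per folder, records where notes were dropped, and builds a constructed sample share in a temporary directory so it runs offline.

```python
"""Triage helper: find Rhysida-style encryption artefacts on a file share.

Added example, not code from the original post. It relies only on the two
artefacts the post names: files renamed with a ".rhysida" suffix and the
"CriticalBreachDetected.pdf" ransom note. The sample tree is constructed
here for the demo and stands in for a partially encrypted share.
"""
import os
import tempfile
from collections import defaultdict

ENCRYPTED_EXT = ".rhysida"
RANSOM_NOTE = "CriticalBreachDetected.pdf"


def scan_tree(root):
    """Walk `root` and return {directory: {"encrypted": n, "note": bool}}.

    Only directories showing at least one artefact are returned, so the
    result doubles as the list of folders to isolate and restore.
    """
    hits = defaultdict(lambda: {"encrypted": 0, "note": False})
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name == RANSOM_NOTE:
                hits[dirpath]["note"] = True
            elif name.lower().endswith(ENCRYPTED_EXT):
                hits[dirpath]["encrypted"] += 1
    return dict(hits)


def summarize(hits):
    """Collapse per-directory hits into totals a responder can act on."""
    return {
        "affected_dirs": len(hits),
        "encrypted_files": sum(h["encrypted"] for h in hits.values()),
        "notes": sum(1 for h in hits.values() if h["note"]),
    }


def build_sample_tree():
    """Create a constructed tree: two hit folders and one untouched folder."""
    root = tempfile.mkdtemp(prefix="rhysida-demo-")
    layout = {
        "finance": ["q2.xlsx.rhysida", "budget.docx.rhysida", RANSOM_NOTE],
        "hr": ["handbook.pdf.rhysida", RANSOM_NOTE],
        "public": ["readme.txt"],  # untouched folder: no artefacts at all
    }
    for sub, files in layout.items():
        os.makedirs(os.path.join(root, sub))
        for fname in files:
            with open(os.path.join(root, sub, fname), "wb") as fh:
                fh.write(b"demo")  # placeholder bytes, not real ciphertext
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = scan_tree(root)
    for directory, h in sorted(hits.items()):
        print(f"{directory}: {h['encrypted']} encrypted file(s), "
              f"note present={h['note']}")
    print(summarize(hits))
```

Point `scan_tree` at a mounted share instead of the sample tree to get the real picture; folders with a note but zero encrypted files are worth a second look, since they show where the encryptor ran but found nothing it wanted.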

But they're not just after your money; they threaten to publicly share your stolen data too! It's a one-two punch of encryption and extortion. They're not content to lock up your files; they want to hang them out for the world to see if you don't comply.

What's more, Rhysida's ransomware is still growing, like a centipede adding more legs. The malware encrypts files with the ChaCha20 stream cipher, and while it's missing some features that more mature ransomware strains have, each new version adds a few. It's a creature adapting to its environment, which makes it a tricky pest to deal with.

Safeguarding Against Rhysida: Building a Fortress

Feeling the creepy crawlies yet? Don't worry; there are ways to build a fortress against Rhysida:

Virtual Patching: Put compensating controls (IPS or WAF rules) in front of systems whose known vulnerabilities can't be patched right away, so Rhysida can't exploit them while you schedule the real fix.

Phishing Awareness Training: Teach your team how to spot the fake emails and links Rhysida uses to get its first foothold, and make reporting them easy.

Endpoint Security Solutions: Run endpoint detection and response on every host so the phishing payloads, Cobalt Strike beacons and the encryptor itself are caught and blocked before files start changing.

Immutable Backups: Keep copies of your important files that can't be changed or deleted, offline or write-once, and test restoring from them. This way you can get your data back if Rhysida encrypts it, without paying.

Network Segmentation: Think of this as putting up walls inside your network. If Rhysida gets into one room, it can't easily spread to the others.

Firewalls and Intrusion Detection Systems: These are the security alarms that go off when they spot suspicious traffic, such as a beacon calling home, and help block Rhysida's command-and-control.

Blocking IOCs: Watch for the published indicators of compromise (IOCs) linked to Rhysida, such as the ".rhysida" extension, the "CriticalBreachDetected.pdf" note, and known file hashes and infrastructure, and block them.

Bottom Line

Rhysida is a stark reminder that the world of cybersecurity is ever-evolving. With its strong encryption and double extortion tactics, it's a significant threat to organizations worldwide. Stay vigilant, keep your software patched, and remember: in this digital age, everyone is a potential target. Stay safe out there!