Rhysida malware: a warning and a description.
By Tim Nodar, CyberWire senior staff writer
Nov 16, 2023

A ransomware-as-a-service operation makes its unfortunate presence felt.

Rhysida malware: a warning and a description.

The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint Cybersecurity Advisory describing the Rhysida ransomware-as-a-service operation: “Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates. Rhysida actors leverage external-facing remote services, such as virtual private networks (VPNs), Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain initial access and persistence within a network.”

Commodity attack tools remain dangerous, and shouldn’t be overlooked.

Fortinet has published an analysis of a Rhysida intrusion, noting, “The majority of the TTPs employed by the threat actor during this intrusion are typical for these types of ransomware intrusions, and no novel techniques were observed....While the threat actor may have had more sophisticated TTPs within their repertoire, in this case, they were able to achieve their outcomes using exclusively unsophisticated, known TTPs. As ransomware and extortion-based attacks continue to affect thousands of victims like this one across the globe every day, organizations should focus on ensuring they can detect more of the basic TTPs employed throughout this intrusion.”

The C2C market has lowered criminals’ barriers to entry.

Dror Liwer, co-founder of cybersecurity company Coro, wrote to say that even rookie criminals can be dangerous.  “Attack-as-a-service lowered the bar to executing sophisticated attacks in a way that even novices are now able to successfully participate in the criminal economy. As long as organizations pay a ransom, the ROI will be attractive enough for these criminals to continue their attacks.”