CISA and FBI Issue Warning About Rhysida Ransomware’s Double Extortion Attacks

The threat actors behind the Rhysida ransomware engage in opportunistic attacks targeting organizations spanning various industry sectors.

The advisory comes from the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

“Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors compromise organizations in the education, manufacturing, information technology, and government sectors and any ransom payments are split between the group and affiliates,” the agencies said.

“Rhysida actors use external-facing remote services, such as virtual private networks (VPNs), Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain initial access and continuity within a network.”

First detected in May 2023, Rhysida uses the time-tested tactic of double extortion, demanding a ransom payment to decrypt the victim’s data and threatening to publish the exfiltrated data unless the ransom is paid.

It is also said to share overlaps with another ransomware crew known as Vice Society (aka Storm-0832 or Vanilla Tempest), due to similar targeting patterns and the use of NTDSUtil as well as PortStarter, which is exclusively used by the latter.


According to statistics compiled by Malwarebytes, Rhysida claimed five victims for the month of October 2023, placing it far behind LockBit (64), NoEscape (40), PLAY (36), ALPHV/BlackCat (29), and 8BASE (21).

The agencies described the group as engaging in opportunistic attacks to breach targets and using living-off-the-land (LotL) techniques to facilitate lateral movement and establish VPN access.

In doing so, the idea is to evade detection by blending in with legitimate Windows system and network activity.

Vice Society’s pivot to Rhysida has been reinforced by new research published by Sophos earlier last week, which said it observed the same threat actor using Vice Society until June 2023, when it switched to deploying Rhysida.

The cybersecurity company tracked the cluster under the name TAC5279.

“Notably, according to the ransomware group’s data leak site, Vice Society has not posted a single victim since July 2023, which is when Rhysida began reporting victims on its site,” Sophos researchers Colin Cowie and Morgan Demboski said.

The development comes as the BlackCat ransomware gang attacks corporations and public entities using Google ads containing the Nitrogen malware, per eSentire.

“This affiliate takes out Google ads promoting popular software, such as Advanced IP Scanner, Slack, WinSCP and Cisco AnyConnect, to attract business professionals to attacker-controlled websites,” the Canadian cybersecurity company said.

The rogue installers come equipped with Nitrogen, an initial access malware capable of delivering next-stage payloads, including ransomware, in a compromised environment.


“Known examples of ransomware-associated initial access malware that use browser-based attacks include GootLoader, SocGholish, BATLOADER, and now Nitrogen,” eSentire said. “Interestingly, ALPHV has been observed as an end game for at least two of the initial access pieces of browser-based malware: GootLoader and Nitrogen.”

The ever-evolving nature of the ransomware landscape is further evidenced by the fact that 29 of the 60 currently active ransomware groups began operating this year, according to WithSecure, driven in part by the source code leaks of Babuk, Conti, and LockBit over the years.

“Data leaks aren’t the only thing leading to older groups cross-pollinating with younger ones,” WithSecure said in a report shared by The Hacker News.

“Ransomware gangs have staff like an IT company. And like an IT company, people change jobs sometimes, and bring their unique skills and knowledge with them. Unlike legitimate IT companies, however, there is nothing to prevent a cyber criminal from taking proprietary resources (such as code or tools) from one ransomware operation and using them for another. There is no honor among thieves.”
