Inside Rhysida Ransomware: Infiltration, Impact, and Prevention

Rhysida ransomware has been disrupting organizations since May 2023. It follows the double extortion playbook: operators exfiltrate sensitive data first, then encrypt files, and threaten to publish what they took unless the victim pays. Initial access comes through phishing emails, compromised credentials for VPN and RDP services, and unpatched vulnerabilities; once inside, the operators rely on tools such as Cobalt Strike and PsExec to establish control and spread. This post covers how Rhysida operates, how it gets into networks, and the measures organizations can take to protect their critical data.

What is Rhysida ransomware?

Rhysida ransomware is a ransomware strain that emerged in May 2023 and operates under the Ransomware-as-a-Service (RaaS) model. It has gained notoriety for its aggressive tactics, particularly its use of double extortion techniques, where attackers not only encrypt victims’ data but also exfiltrate sensitive information and threaten to publish it unless a ransom is paid.

Rhysida's encryptor uses strong cryptography, so files cannot be recovered without the attackers' key. The payload is deployed only after operators have already obtained access, escalated privileges, and copied data out, which means encryption is the final stage of an intrusion rather than its first symptom. Organizations of every size have been hit.

How Rhysida Ransomware Targets its Victims

Rhysida operators combine social engineering, exploitation of exposed services, and widely available administration tools to work their way through an enterprise network. The typical chain looks like this:

  1. Phishing Attacks
    Intrusions often start with phishing emails carrying malicious links or attachments. A user who opens the payload gives the operators their first foothold.
  2. Exploitation of Remote Services
    Internet-facing VPN appliances and Remote Desktop Protocol (RDP) services are a second entry point. Operators log in with compromised credentials, which are easy to obtain where password hygiene is weak and multi-factor authentication (MFA) is not enforced.
  3. Use of Cobalt Strike
    Once inside, operators deploy Cobalt Strike, a legitimate adversary-emulation framework, for command and control, persistence, and lateral movement.
  4. PowerShell Scripting
    PowerShell scripts such as SILENTKILL are used to terminate antivirus processes and services, delete volume shadow copies so that Windows' built-in restore points are useless, and change Active Directory account passwords to lock administrators out.
  5. Lateral Movement
    PsExec and other remote execution utilities push the payload to additional hosts. AnyDesk provides an additional remote-access channel, and WinSCP is used to move files in and out of the environment.
  6. Exploitation of Known Vulnerabilities
    Operators exploit known flaws for privilege escalation, notably Zerologon (CVE-2020-1472), a Netlogon weakness that lets an attacker reset a domain controller's machine account password and take over the domain.
  7. Data Exfiltration
    Before encryption, operators stage sensitive data and transfer it to infrastructure they control. Restoring from backup addresses the encryption but not this stolen copy, which is what the publication threat rests on.

Recent Rhysida Ransomware Attacks

Prospect Medical Holdings (August 2023)

Rhysida claimed responsibility for a cyberattack that affected 17 hospitals and 166 clinics across the United States. The group said it had exfiltrated approximately 1.3 terabytes of SQL database data and 1 terabyte of documents, including patient records and over 500,000 Social Security numbers. The attack forced the organization to revert to paper-based systems, significantly disrupting patient care.

British Library (October 2023)

Rhysida was responsible for a cyberattack on the British Library, one of the largest libraries in the world. While the library did not initially detail what data had been compromised, the attack illustrated the group's willingness to target high-profile public institutions.

Chilean Army (May 2023)

Rhysida gained access to the Chilean Army through a phishing attack and later leaked about 30% of the documents it claimed to have stolen from military systems. The breach showed the group's willingness to target government and military organizations.

City of Columbus, Ohio (August 2024)

Rhysida stole data from the City of Columbus, including employee records and other confidential information. After the city refused to pay the ransom, the attackers published roughly 3 terabytes of the stolen data on their leak site, exposing personal information of numerous employees.

Sumter County Sheriff's Office, Florida (August 2024)

The Rhysida group breached the Sumter County Sheriff's Office systems, compromising data belonging to around 150,000 people. The stolen data included Social Security numbers and passport details. Rhysida demanded a ransom of 7 Bitcoin, worth nearly half a million dollars at the time.

Unimed Vales do Taquari e Rio Pardo (December 2024)

Unimed, a healthcare cooperative in Brazil, was listed on Rhysida's leak site. The group threatened to publish the stolen data unless its ransom demand was met within seven days.

How to Protect Critical Data from Rhysida Ransomware

Protecting your critical data from Rhysida ransomware requires a comprehensive strategy that combines proactive measures, advanced security solutions, and robust data backup practices. Below are key steps to safeguard your data:

1. Implement Air-Gapped and Immutable Backups

Air-gapped and immutable backups are the foundation of ransomware recovery. StoneFly's Air-Gapped Vault® keeps backup copies physically and logically isolated from production environments, so an attacker who has taken over the domain, as Rhysida operators do with Zerologon and stolen Active Directory credentials, still cannot reach, encrypt, or delete them.

StoneFly's patented storage solutions are both air-gapped and immutable: backups cannot be altered or deleted for the duration of their retention period, even by an account with administrative rights. That property is what allows an organization to restore from a known-good copy instead of paying for a decryption key.

2. Deploy Advanced Threat Detection

Use detection tooling that catches the intrusion before the encryptor runs:

  • Threat Intelligence: Monitor for indicators of compromise associated with Rhysida so that a known tool or infrastructure hit triggers a response rather than a ticket.
  • Custom Rules: Alert on the behaviours the group relies on, such as shadow-copy deletion, antivirus tampering, event-log clearing, PsExec service installation, and unexpected AnyDesk or WinSCP execution, together with unusual file access and outbound data transfer. Several of these on one host in a short window is an intrusion in progress, not noise.
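As an added example (not code from the original post or from StoneFly), the following Python script turns the behaviours listed in the infiltration chain above and in the "Custom Rules" bullet into simple detection rules and runs them over constructed Windows event records. The records imitate Sysmon process-creation events and Security log 7045 service-install events exported as one JSON object per line; the field names, hostnames, users and timestamps are assumptions made up for the example. It flags shadow-copy deletion, Defender tampering, event-log clearing, PSEXESVC service installation and AnyDesk/WinSCP execution, then ranks hosts by how many distinct techniques were seen, since one hit (a user launching AnyDesk) is noise while several on the same host is worth waking someone up for.

```python
"""Rhysida-style TTP detection over constructed Windows event records.

Added example, not StoneFly's or Rhysida's code. Field names (host, user,
image, cmdline, service_name) are assumptions; map them to your SIEM's schema.
"""
import json
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). FS01 and DC01 show several
# techniques each; WS22 shows one; WS07 is benign; the last line is garbage.
SAMPLE_EVENTS = [
    r'{"ts":"2024-08-01T02:11:05Z","host":"FS01","event_id":1,"user":"CORP\\svc_backup","image":"C:\\Windows\\System32\\vssadmin.exe","cmdline":"vssadmin.exe delete shadows /all /quiet"}',
    r'{"ts":"2024-08-01T02:12:40Z","host":"FS01","event_id":1,"user":"CORP\\svc_backup","image":"C:\\Windows\\System32\\wevtutil.exe","cmdline":"wevtutil.exe cl Security"}',
    r'{"ts":"2024-08-01T02:13:02Z","host":"FS01","event_id":7045,"user":"SYSTEM","service_name":"PSEXESVC","service_path":"%SystemRoot%\\PSEXESVC.exe"}',
    r'{"ts":"2024-08-01T02:20:19Z","host":"DC01","event_id":1,"user":"CORP\\admin2","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"}',
    r'{"ts":"2024-08-01T02:21:00Z","host":"DC01","event_id":1,"user":"CORP\\admin2","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe Clear-EventLog -LogName Security"}',
    r'{"ts":"2024-08-01T09:05:33Z","host":"WS22","event_id":1,"user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe","cmdline":"AnyDesk.exe"}',
    r'{"ts":"2024-08-01T09:06:10Z","host":"WS07","event_id":1,"user":"CORP\\asmith","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe report.txt"}',
    'this line is not JSON and must be skipped, not crash the scan',
]

# Each rule: (technique label, event field to inspect, compiled pattern).
RULES = [
    ("shadow_copy_deletion", "cmdline",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy", re.I)),
    ("defender_tamper", "cmdline",
     re.compile(r"Set-MpPreference\s+-Disable|net(\.exe)?\s+stop\s+\S*(defend|sense)", re.I)),
    ("event_log_clear", "cmdline",
     re.compile(r"wevtutil(\.exe)?\s+cl\s|Clear-EventLog", re.I)),
    ("psexec_service", "service_name", re.compile(r"^PSEXESVC$", re.I)),
    ("remote_admin_tool", "image", re.compile(r"\\(anydesk|winscp)(\.exe)?$", re.I)),
]


def parse_events(lines):
    """Decode one JSON event per line; count and skip malformed lines."""
    events, skipped = [], 0
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return events, skipped


def match_rules(event):
    """Return the set of technique labels whose rule matches this event."""
    hits = set()
    for label, field, pattern in RULES:
        value = event.get(field)
        if isinstance(value, str) and pattern.search(value):
            hits.add(label)
    return hits


def scan(lines):
    """Group matches per host: {host: {"techniques": set, "hits": [(ts, label, user)]}}."""
    events, skipped = parse_events(lines)
    findings = defaultdict(lambda: {"techniques": set(), "hits": []})
    for ev in events:
        labels = match_rules(ev)
        if not labels:
            continue
        host = ev.get("host", "?")
        findings[host]["techniques"] |= labels
        for label in sorted(labels):
            findings[host]["hits"].append((ev.get("ts"), label, ev.get("user")))
    return dict(findings), skipped


def triage(findings, min_techniques=2):
    """Hosts showing at least min_techniques distinct techniques, most suspicious first."""
    ranked = [(host, len(f["techniques"])) for host, f in findings.items()
              if len(f["techniques"]) >= min_techniques]
    return sorted(ranked, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    findings, skipped = scan(SAMPLE_EVENTS)
    for host, count in triage(findings):
        print(f"{host}: {count} techniques -> {sorted(findings[host]['techniques'])}")
    print(f"skipped {skipped} unparseable line(s)")
```

Replace SAMPLE_EVENTS with a real export to use it; the patterns are deliberately narrow so that they can be read and audited, and the per-host threshold (min_techniques) is the knob to tune against your own baseline of legitimate administrative activity.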

3. Enhance Backup Practices

  • Regular Backups: Schedule frequent backups of critical systems and verify each backup set against a recorded manifest, so that a copy silently overwritten or encrypted in place is caught before it is needed.
  • Backup Testing: Regularly test recovery in a sandbox environment, so that restores are known to work and a backup that carries the attackers' tools does not reinfect production.
  • Offline and Offsite Copies: Keep at least one copy offline (air-gapped) or in a geographically separate location.
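The "verified for consistency" step above can be made concrete. As an added example (not StoneFly's product code, and not part of the original post), the following Python script records a SHA-256 manifest of a backup tree and later verifies the tree against it, reporting missing and modified files and, for modified files, applying a byte-entropy heuristic: a document that now looks like random bytes has been encrypted in place rather than edited. The directory contents are constructed inside a temporary folder for the demo, and the assumption is that the manifest itself is stored on a separate write-once medium, otherwise an attacker with access to the backup host can rewrite it along with the data.

```python
"""Backup consistency check: SHA-256 manifest plus an entropy heuristic.

Added example, not StoneFly's code. Assumes the backup set is a directory
tree and that the manifest is kept somewhere the attacker cannot rewrite it.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext or compressed data, 4 to 5 for text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_manifest(root: Path) -> dict:
    """Record sha256 and size of every file under root, keyed by POSIX-style relative path."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify_backup(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the tree against the manifest.

    Files are reported as ok, missing or modified; a modified file whose first
    64 KiB is near-random is additionally listed as suspect_encrypted.
    """
    report = {"ok": [], "modified": [], "missing": [], "suspect_encrypted": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) == expected["sha256"]:
            report["ok"].append(rel)
            continue
        report["modified"].append(rel)
        sample = p.read_bytes()[:65536]
        if shannon_entropy(sample) >= entropy_threshold:
            report["suspect_encrypted"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: snapshot a small tree, then simulate one file being
    encrypted in place and another deleted before the verification run."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.csv").write_text("date,amount\n2024-08-01,100\n" * 200)
        (root / "notes.txt").write_text("quarterly planning notes\n" * 100)
        (root / "config.ini").write_text("[backup]\nretention=30\n")
        manifest = build_manifest(root)

        # Simulate ransomware: overwrite one file with random bytes, delete another.
        (root / "finance" / "ledger.csv").write_bytes(os.urandom(4096))
        (root / "config.ini").unlink()

        return verify_backup(root, manifest)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

For a real backup set, run build_manifest at backup time, store the result alongside an immutable copy, and run verify_backup before every restore drill; a non-empty suspect_encrypted list means the backup was reachable by the attacker and the copy must not be trusted.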

4. Strengthen Network and Endpoint Security

  • Network Segmentation: Isolate critical systems, backup infrastructure, and domain controllers from general user networks so that a foothold on one workstation does not give PsExec and Cobalt Strike a path to everything.
  • Endpoint Protection: Deploy solutions that detect and block malicious behaviour, such as shadow-copy deletion and process tampering, rather than relying on signatures alone, and protect the agent itself from being stopped by scripts like SILENTKILL.
  • Remote Access Hardening: Enforce MFA on VPN and RDP, and patch the flaws the group is known to exploit, including Zerologon (CVE-2020-1472), since these are the entry points described above.

Conclusion

Rhysida ransomware exfiltrates sensitive data before encrypting local copies, then uses both the outage and the threat of publication as leverage. Its Ransomware-as-a-Service (RaaS) model makes the tooling available to affiliates without deep technical skill, so the threat is not tied to one crew and is not going away.

Preparing for Rhysida, or any comparable threat, means combining prevention (MFA, patching, segmentation, behavioural detection) with recovery. Air-gapped and immutable backups are the most reliable means of restoring operations without paying; keep in mind that they restore availability, not confidentiality, so limiting what an intruder can reach and exfiltrate in the first place still matters.

Protect your critical data from Rhysida ransomware attacks with StoneFly’s air-gapped and immutable backup and DR solutions. Talk to our experts to discuss your projects today.
