IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Feds Issue Warning on Ransomware Group Targeting Public Sector

The FBI and CISA, along with the MS-ISAC, issued a joint advisory explaining Rhysida ransomware actors’ known tactics, techniques and procedures and indicators of compromise — and ways to better defend.

Hands typing on a laptop in a dark room. The laptop screen shows a dark background with lines of green code.
Shutterstock
Federal officials issued a warning yesterday about the threat of Rhysida ransomware, which has made itself known since May 2023 through attacks on education, government, health care and several other sectors.

The joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), FBI and Multi-State Information Sharing and Analysis Center (MS-ISAC) identified the threat actors’ known methods and steps organizations can take now to better protect themselves.

Rhysida perpetratorsconduct double extortion, demanding victims pay bitcoins to regain access to their data and avoid having it published online or otherwise exposed.

Rhysida’s purported victims include Washington state’s Pierce College as well as Texas’ Stephen F. Austin University and Lumberton Independent School District. Vice Society — a frequent threat to schools, including the Los Angeles Unified School District (LAUSD) — also appears likely to have used Rhysida ransomware, per federal agencies.

Rhysida has been seen used in a ransomware-as-a-service model, in which the ransomware developers lease out the malware to affiliates who conduct the attacks, with both parties sharing the ransom payment.

INITIAL ACCESS


Rhysida often gains entry to victims’ systems by using compromised credentials to access external-facing remote services like VPNs, the advisory said. The threat actors have also been known to use phishing and custom-made tools to gain access.

Rhysida actors also have been seen exploiting Zerologon, a “critical elevation of privilege vulnerability” that affects Windows servers. Per CSO Online, the vulnerability compromises a remote procedure call interface used to authenticate users and computers on domain-based networks: “In particular, the vulnerability allows an attacker to impersonate any computer to the domain controller and change their password, including the password of the domain controller itself. This results in the attacker gaining administrative access and taking full control of the domain controller and therefore the network.”

Several defensive measures are available.

For one, Microsoft issued a Zerologon patch in August 2020; organizations that haven’t adopted it should. In general, keeping firmware, operating systems and software updated is a best practice.

Organizations can also mitigate dangers of compromised credentials by making phishing-resistant multifactor authentication (MFA) a requirement, especially for VPN and webmail accounts and accounts that access critical systems. And entities can further limit the potential damage dealt by hackers who do gain access to accounts by adopting the principle of least privilege and restricting users to only the minimum access privileges necessary for their job. That can include limiting access to high-level accounts to only as much time as users need to complete specific tasks and otherwise disabling those accounts, per the advisory.

The advisory also recommends securing remote access tools and limiting use of remote desktop services to known accounts and groups.

Disabling hyperlinks sent in emails and adding banners to flag emails received from outside the organization can further reduce chances of employees falling to phishing.

EXPANSION AND ATTACK


Rhysida actors have been found using legitimate tools to better hide their activities as they work to gain access, learn about and spread through systems and execute code. Per the advisory, that can include “creating Remote Desktop Protocol (RDP) connections for lateral movement, establishing VPN access, and utilizing PowerShell.”

The advisory lists a variety of legitimate tools the threat actors have used but reminds organizations to investigate before assuming a specific instance of use is malicious. After all, these tools also have benign purposes, too, which is exactly what living-off-the-land attacks look to exploit.

Rhysida maps the victim’s network, then encrypts data, before announcing extortion demands.

Organizations can prepare by taking steps like “disable[ing] command-line and scripting activities and permissions” to hinder hackers’ efforts to escalate their privileges and move laterally, restrict[ing] the use of PowerShell using Group Policy and only grant[ing] access to specific users on a case-by-case basis,” and segmenting networks to block ransomware from spreading, per the advisory.

Network monitoring tools can also detect unusual activity that might indicate an attack in progress and help trace how the ransomware is spreading. Cyber experts have said that monitoring for abnormal behavior can help detect when legitimate tools are being used maliciously.

Strong backup strategies can further minimize the damage of encryption attacks, helping victims restore systems and data without paying. Officials advise storing multiple copies of sensitive data in “a physically separate, segmented and secure location,” regularly maintaining offline backups and ensuring backups are immutable and encrypted.

Strong logging practices also help organizations investigate what happened during an incident.

The advisory further invites organizations to review how Rhysida’s observed methods map to MITRE ATT&CK techniques and evaluate how their current security controls would perform against these.

ENCOURAGING REPORTING


Federal officials are looking to learn more about the group, and request organizations share what they can. Per the advisory:

“FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Rhysida actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Additional details requested include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host and network-based indicators.”

Read more here: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a
Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where she'd specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.