Rhysida ransomware's tactics and techniques closely resemble those of the notorious Vice Society ransomware gang. Researchers suspect that Vice Society is now deploying Rhysida as its ransomware payload.
Security researchers from the Threat Intelligence Department of Check Point® Software Technologies Ltd. (NASDAQ: CHKP) link the malware to the gang. The procedures overlap in many respects, as Check Point's Incident Response Team reported. This does not mean that Vice Society uses the new ransomware exclusively, but it probably uses it predominantly.
Attacks on health and education
Vice Society has been one of the most aggressive ransomware gangs since 2021, primarily targeting the education and healthcare sectors. In the US city of Los Angeles, it successfully attacked the Unified School District, the second-largest school district in the US, with over 640,000 students from kindergarten to 12th grade (high school) across more than 900 schools and 190 independent public schools (charter schools). Vice Society is known to change its ransomware payload from time to time, which suggests that it is now using Rhysida.
Techniques observed in the Rhysida intrusion include:
Remote Desktop Protocol: During the intrusion, the attackers initiated RDP connections and took steps to remove the associated logs and registry entries, hampering detection and analysis. RDP remains an effective means of lateral movement within an IT environment.
Remote PowerShell sessions (WinRM): While connected via RDP, the threat actor was observed opening remote PowerShell sessions to servers within the environment. This happened in the days before the ransomware payload was deployed.
PsExec: The ransomware payload itself was distributed using PsExec from a server within the IT environment. Deployment took place in two phases.
Copying the malicious payload to the target with the command:
    PsExec.exe -d \\VICTIM_MACHINE -u "DOMAIN\ADMIN" -p "Password" -s cmd /c COPY "\\path_to_ransomware\payload.exe" "C:\windows\temp"
Executing the malicious payload with the command:
    PsExec.exe -d \\VICTIM_MACHINE -u "DOMAIN\ADMIN" -p "Password" -s cmd /c c:\windows\temp\payload.exe
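The two-phase PsExec deployment above leaves a distinctive trace in process-creation telemetry: a PsExec command line that copies a binary into C:\Windows\Temp on a named target, followed shortly afterwards by a PsExec command line that runs a binary from that same directory on the same target, both with -s (run as SYSTEM) and with domain credentials passed on the command line via -u/-p. The following hunting script is an added example, not Check Point's code and not the threat actor's tooling. It runs over constructed process-creation records (the fields a Sysmon Event ID 1 or Security 4688 record carries: timestamp, source host, parent image, command line); the host names, user names, share paths and timestamps are made up for the demonstration, and the sample is modelled on the commands quoted above.

```python
"""
Hunt for the two-phase PsExec ransomware deployment pattern (stage to
C:\\Windows\\Temp, then execute from C:\\Windows\\Temp) in process-creation logs.

Added example. Input records are constructed; nothing here is real telemetry.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: (timestamp, source host, parent image, command line).
SAMPLE_EVENTS = [
    ("2023-06-01T02:10:05", "SRV-FILE01", "explorer.exe",
     r'PsExec.exe -d \\WS-0442 -u "CORP\da-admin" -p "Password" -s cmd /c '
     r'COPY "\\SRV-FILE01\share\payload.exe" "C:\windows\temp"'),
    ("2023-06-01T02:10:09", "SRV-FILE01", "explorer.exe",
     r'PsExec.exe -d \\WS-0442 -u "CORP\da-admin" -p "Password" -s cmd /c '
     r'c:\windows\temp\payload.exe'),
    ("2023-06-01T02:11:30", "SRV-FILE01", "explorer.exe",
     r'PsExec.exe -d \\WS-0443 -u "CORP\da-admin" -p "Password" -s cmd /c '
     r'COPY "\\SRV-FILE01\share\payload.exe" "C:\windows\temp"'),
    # Ordinary administrative PsExec use: no staging, no credentials on the command line.
    ("2023-06-01T08:00:00", "SRV-FILE01", "cmd.exe",
     r'psexec.exe \\WS-0500 -s cmd /c "sc query"'),
    # Unrelated noise that must not be flagged.
    ("2023-06-01T09:00:00", "WS-0100", "explorer.exe",
     r'notepad.exe C:\Users\alice\notes.txt'),
]

PSEXEC_RE = re.compile(r'(?:^|\\|\s)psexec(?:64)?\.exe\b', re.I)
TARGET_RE = re.compile(r'\\\\([A-Za-z0-9_.-]+)')  # first \\HOST token is the PsExec target
COPY_TO_TEMP_RE = re.compile(r'\bcmd\s+/c\s+copy\b.*?[A-Za-z]:\\windows\\temp', re.I)
EXEC_FROM_TEMP_RE = re.compile(r'\bcmd\s+/c\s+"?[A-Za-z]:\\windows\\temp\\\S+\.exe', re.I)
CREDS_RE = re.compile(r'\s-u\s+\S+.*\s-p\s+\S+', re.I)  # explicit -u/-p credentials
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def classify(cmdline):
    """Return 'stage', 'execute' or 'other' for a PsExec command line, None if not PsExec."""
    if not PSEXEC_RE.search(cmdline):
        return None
    if COPY_TO_TEMP_RE.search(cmdline):
        return "stage"
    if EXEC_FROM_TEMP_RE.search(cmdline):
        return "execute"
    return "other"


def target_of(cmdline):
    """Extract the remote host PsExec was pointed at, upper-cased for correlation."""
    m = TARGET_RE.search(cmdline)
    return m.group(1).upper() if m else None


def hunt(events):
    """Correlate PsExec activity per target host and rate it.

    high   - payload staged into C:\\Windows\\Temp and later executed from there
    medium - only one of the two phases seen against the target
    low    - other PsExec remote execution (review for legitimacy)
    """
    per_target = defaultdict(lambda: {"phases": [], "sources": set(), "creds": False})
    for ts, host, _parent, cmd in sorted(events):
        phase = classify(cmd)
        target = target_of(cmd) if phase else None
        if target is None:
            continue
        rec = per_target[target]
        rec["phases"].append((ts, phase))
        rec["sources"].add(host)
        if CREDS_RE.search(cmd):
            rec["creds"] = True

    findings = []
    for target, rec in per_target.items():
        phases = [p for _, p in rec["phases"]]
        staged, executed = "stage" in phases, "execute" in phases
        if staged and executed and phases.index("stage") < phases.index("execute"):
            severity, why = "high", "binary copied to C:\\Windows\\Temp and then run via PsExec -s"
        elif staged or executed:
            severity, why = "medium", "PsExec used to stage or run a binary from C:\\Windows\\Temp"
        else:
            severity, why = "low", "PsExec remote execution"
        findings.append({
            "target": target,
            "severity": severity,
            "reason": why,
            "sources": sorted(rec["sources"]),
            "first_seen": rec["phases"][0][0],
            "last_seen": rec["phases"][-1][0],
            "creds_on_cmdline": rec["creds"],
        })
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["target"]))


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper():6}] {f['target']} from {','.join(f['sources'])}: "
              f"{f['reason']}; creds on command line: {f['creds_on_cmdline']}")
```

Because -s asks PsExec to run the command as SYSTEM and PsExec installs its PSEXESVC service on the target to do so, the natural follow-up is to join each flagged target against service-installation events (Event ID 7045 in the target's System log) in the same time window. Passing -u/-p also puts a domain administrator's password in plaintext on the command line, so command-line auditing captures the credential the actor used and tells the responder which account to reset first.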
Rhysida ransomware attacks since May 2023
The Rhysida ransomware was discovered in May 2023 and has since been linked to several successful attacks, including one against the Chilean army. In the United States, it is believed to be behind the attack on Prospect Medical Holdings, which affected 17 hospitals and 166 clinics. The US Department of Health and Human Services subsequently declared Rhysida ransomware a "significant threat" to the healthcare sector.
More at CheckPoint.com
About Check Point: Check Point Software Technologies GmbH (www.checkpoint.com/de) is a leading provider of cybersecurity solutions for public administrations and companies worldwide. Its solutions protect customers from cyberattacks with an industry-leading detection rate for malware, ransomware and other types of attacks. Check Point offers a multi-layered security architecture that protects company information in cloud environments, networks and on mobile devices, as well as the most comprehensive and intuitive "one point of control" security management system. Check Point protects over 100,000 businesses of all sizes.