#StopRansomware Offers Defensive Strategies for Rhysida Ransomware
CISA and the FBI have jointly issued a #StopRansomware advisory, providing insights into the tactics, techniques, and procedures (TTPs) employed by the Rhysida ransomware gang. Characterized as an opportunistic group, this ransomware entity has left its mark across various sectors, including education, government, healthcare, manufacturing, and technology. CISA's advisory reveals potential overlaps with the Vice Society ransomware gang, as actors affiliated with Vice Society have been "observed deploying Rhysida ransomware." The advisory offers a closer look at Rhysida's techniques related to initial access, living off the land, and their consolidated toolkit.
Rhysida actors demonstrate a proclivity for exploiting compromised credentials to infiltrate remote services and virtual private networks (VPNs), establishing an initial foothold in their targeted systems. Notably, they exploited the Zerologon vulnerability (CVE-2020-1472) even after Microsoft addressed it with a patch released over three years ago on August 11th, 2023, underscoring the importance of proper patch management. Like most threat actors, Rhysida leverages native tools to advance an intrusion while maintaining a low profile. Binaries used for command execution and reconnaissance include PowerShell, the command prompt, ipconfig, whoami, nltest, and net. Lateral movement relies on mstsc for RDP, PsExec, AnyDesk, and PuTTY.exe, while credential gathering is carried out with tools such as secretsdump, Mimikatz, and ntdsutil.
CISA's advisory emphasizes the criticality of baselining network activity, since deviations from that baseline are key indicators of potential malicious activity. It underscores the importance of implementing Multi-Factor Authentication (MFA) to bolster authentication defenses, particularly against the abuse of compromised credentials, and restates the need to patch critical vulnerabilities. CISA regularly publishes lists of commonly exploited vulnerabilities to help organizations prioritize patching.
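As an added illustration of the "baseline normal, flag the abnormal" guidance applied to the native tools named above, the following detection sketch is not from the advisory: it runs over constructed process-creation records (the field layout and the user, host and path values are assumptions modelled on Sysmon Event ID 1 / Windows 4688 telemetry) and flags a host when several distinct reconnaissance binaries run in a short window, or when any of the listed lateral-movement or credential-access tools appears.

```python
"""Flag Rhysida-style living-off-the-land activity in process-creation events.

Added example, not part of the CISA/FBI advisory. Tool names come from the
advisory; the sample events, hosts and users below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RECON_TOOLS = {"whoami.exe", "nltest.exe", "net.exe", "net1.exe", "ipconfig.exe"}
LATERAL_TOOLS = {"psexec.exe", "psexesvc.exe", "anydesk.exe", "putty.exe", "mstsc.exe"}
CRED_TOOLS = {"mimikatz.exe", "secretsdump.exe", "ntdsutil.exe"}

# Constructed sample events: (timestamp, host, user, image path)
SAMPLE_EVENTS = [
    ("2023-11-15T02:01:10", "WS-17", "CORP\\jdoe", r"C:\Windows\System32\whoami.exe"),
    ("2023-11-15T02:01:14", "WS-17", "CORP\\jdoe", r"C:\Windows\System32\ipconfig.exe"),
    ("2023-11-15T02:01:22", "WS-17", "CORP\\jdoe", r"C:\Windows\System32\nltest.exe"),
    ("2023-11-15T02:01:40", "WS-17", "CORP\\jdoe", r"C:\Windows\System32\net.exe"),
    ("2023-11-15T02:05:03", "WS-17", "CORP\\jdoe", r"C:\Users\jdoe\Downloads\PsExec.exe"),
    # Isolated, hours-apart use of single tools on another host: normal admin noise.
    ("2023-11-15T09:12:00", "WS-03", "CORP\\asmith", r"C:\Windows\System32\ipconfig.exe"),
    ("2023-11-15T13:40:00", "WS-03", "CORP\\asmith", r"C:\Windows\System32\whoami.exe"),
]


def analyze(events, window=timedelta(minutes=10), min_recon=3):
    """Return {host: [findings]}. A host is flagged when at least `min_recon`
    distinct recon binaries run within `window`, or when any lateral-movement
    or credential-access tool runs at all."""
    per_host = defaultdict(list)
    for ts, host, user, image in events:
        exe = image.rsplit("\\", 1)[-1].lower()
        per_host[host].append((datetime.fromisoformat(ts), user, exe))
    findings = defaultdict(list)
    for host, rows in per_host.items():
        rows.sort()
        for i, (t0, user, _) in enumerate(rows):  # sliding window from each event
            seen = {exe for t, _, exe in rows[i:] if t - t0 <= window and exe in RECON_TOOLS}
            if len(seen) >= min_recon:
                findings[host].append(f"recon burst by {user}: {sorted(seen)}")
                break
        for t, user, exe in rows:
            if exe in LATERAL_TOOLS:
                findings[host].append(f"lateral-movement tool {exe} by {user} at {t.isoformat()}")
            elif exe in CRED_TOOLS:
                findings[host].append(f"credential-access tool {exe} by {user} at {t.isoformat()}")
    return dict(findings)


if __name__ == "__main__":
    for host, notes in analyze(SAMPLE_EVENTS).items():
        print(host, *notes, sep="\n  ")
```

Thresholds such as `window` and `min_recon` should be tuned against each environment's own baseline so that routine administrative use of these binaries does not drown out the burst pattern.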