The group, known as Rhysida, is notorious for its "ransomware as a service" operations, a process by which the group leases its malware to cybercriminals and receives a share of all proceeds from ransom payments.
The malware deployed by Rhysida and similar gangs usually renders the computers of targeted organizations inaccessible by encrypting their files, after which the gang demands a ransom, often in cryptocurrency, to unlock them. Many gangs also use a tactic known as "double extortion": they steal data before encrypting it and threaten to release it online to increase the pressure on their victims.
These gangs often leave their "calling card" in a brand name attached to encrypted file names.
According to American cybersecurity firm Secureworks, Rhysida emerged from a criminal operation established in 2021, previously known as Gold Victor, which operated a ransomware scheme called Vice Society. Rebranding is common among ransomware gangs when their existing "brand" becomes too notorious.
Rhysida announced the hacking of The Washington Times on Aug. 13 in a post on its dark web leak site. The group declared that day that the information would be sold to the highest bidder within one week.
"With just seven days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data," Rhysida posted. "Open your wallets and be ready to buy exclusive data. We sell only to one hand, no reselling, you will be the only owner!"
The starting price for the data has been set at five bitcoins, which as of press time are worth approximately $296,259. The group did not provide specific details on the contents of the stolen data, but a screenshot posted by Rhysida to prove the data breach included scans of several documents, including a Social Security card and a driver's license from Texas.
The ransom notes, titled "CriticalBreachDetected," provided a unique code and instructions to contact the group via a specialized web browser that makes communications untraceable. Cybersecurity analyst Dominic Alvieri notes that the screenshot provided by Rhysida did not contain critical data beyond personal information likely linked to an employee.
In November 2023, the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center released a joint cybersecurity advisory (CSA) warning that Rhysida has been targeting organizations in various sectors, including education, healthcare, manufacturing, information technology and government, since May 2023.
The agencies reported that Rhysida and affiliated gangs gain access to systems via virtual private networks or phishing attacks. Once inside, they typically remain undetected long enough to steal confidential data from the victims' servers.
"Rhysida actors have been observed leveraging external-facing remote services to initially access and persist within a network," the CSA states. "Remote services, such as virtual private networks (VPNs), allow users to connect to internal enterprise network resources from external locations. Rhysida actors have commonly been observed authenticating to internal VPN access points with compromised valid credentials [T1078], notably due to organizations lacking MFA enabled by default."
"Additionally, actors have been observed exploiting Zerologon (CVE-2020-1472)—a critical elevation of privileges vulnerability in Microsoft’s Netlogon Remote Protocol [T1190]—as well as conducting successful phishing attempts [T1566]," the CSA further stated.
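The two initial-access paths the CSA describes above, VPN authentication with valid credentials where MFA is not enforced and exploitation of Zerologon (CVE-2020-1472), are both things a defender can audit from logs. The script below is an added example for this article and is not code from the CSA, the agencies, or any vendor. The VPN log format and the Windows security event records are constructed samples, and the second check rests on a commonly published Zerologon detection heuristic: Event ID 4742 (computer account changed) where the subject is ANONYMOUS LOGON and the computer account's password was reset.

```python
"""Audit constructed VPN and Windows security logs for the two
initial-access patterns named in the Rhysida CSA (example code)."""
import re
from typing import Iterable

# Constructed sample VPN authentication lines in a generic key=value
# layout; this is not any vendor's real log format.
VPN_LOG = """\
2024-08-10T02:14:07Z vpn auth user=jsmith src=203.0.113.45 result=success mfa=satisfied
2024-08-10T02:31:52Z vpn auth user=svc_backup src=198.51.100.7 result=success mfa=none
2024-08-10T02:32:10Z vpn auth user=mlee src=192.0.2.88 result=failure mfa=none
2024-08-10T03:05:41Z vpn auth user=admin src=198.51.100.7 result=success mfa=none
"""

VPN_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


def find_vpn_logins_without_mfa(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, source) for every successful VPN login
    that completed without a satisfied MFA factor. Each hit is either a
    policy gap (MFA not enforced for that account) or a credential-only
    login of the kind the CSA attributes to Rhysida [T1078]."""
    hits = []
    for line in lines:
        m = VPN_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line; skip rather than fail
        if m["result"] == "success" and m["mfa"] != "satisfied":
            hits.append((m["ts"], m["user"], m["src"]))
    return hits


# Constructed sample Windows security events as a SIEM might export them.
# In a real 4742 event "PasswordLastSet" is "-" when that attribute did
# not change, so a non-"-" value means the account password was reset.
WIN_EVENTS = [
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON",
     "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "DC01$",
     "PasswordLastSet": "2024-08-10 03:12:55"},
    # Routine machine-account password rotation performed by the DC itself.
    {"EventID": 4742, "SubjectUserName": "DC01$",
     "SubjectDomainName": "CORP", "TargetUserName": "DC01$",
     "PasswordLastSet": "2024-08-10 03:13:01"},
    # A 4742 by ANONYMOUS LOGON that did not touch the password is noisier
    # and is deliberately excluded by this heuristic.
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON",
     "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "WS07$",
     "PasswordLastSet": "-"},
    {"EventID": 4624, "SubjectUserName": "-",
     "SubjectDomainName": "-", "TargetUserName": "jsmith",
     "PasswordLastSet": "-"},
]


def find_anonymous_machine_password_resets(events: Iterable[dict]) -> list[dict]:
    """Return 4742 events where ANONYMOUS LOGON reset the password of a
    computer account (name ending in '$'). A domain controller's own
    account appearing here is the classic Zerologon footprint [T1190];
    confirm against patch state and Netlogon logs before escalating."""
    return [
        e for e in events
        if e.get("EventID") == 4742
        and e.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
        and e.get("TargetUserName", "").endswith("$")
        and e.get("PasswordLastSet", "-") != "-"
    ]


if __name__ == "__main__":
    for ts, user, src in find_vpn_logins_without_mfa(VPN_LOG.splitlines()):
        print(f"VPN login without MFA: {ts} user={user} src={src}")
    for e in find_anonymous_machine_password_resets(WIN_EVENTS):
        print(f"Anonymous machine password reset: {e['TargetUserName']} "
              f"at {e['PasswordLastSet']}")
```

The first check is an audit as much as a detection: any account that can complete a VPN login with `mfa=none` is an account whose password alone is enough, which is exactly the condition the CSA says Rhysida exploits. The second check is intentionally narrow; legitimate machine-account rotations are performed by the computer account itself, not by ANONYMOUS LOGON, so the remaining hits are few enough to review by hand.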
Sources include:
CISA.gov [pdf]