CISA and FBI Issue Alert Regarding Double Extortion Attacks Using Rhysida Ransomware

Rhysida Ransomware Double Extortion Attacks

“Observed in the ransomware-as-a-service (RaaS) model, Rhysida actors have hacked entities in the education, production, information technology, and government sectors, and any ransom paid is split across the group and affiliates,” the organizations said.

“Rhysida actors leverage external-facing remote services, such as virtual private networks (VPNs), Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain initial access and persistence within a network.”

Rhysida, which was first discovered in May 2023, employs the tried-and-true method of double extortion, threatening to publish the stolen data unless a ransom is paid in order to decrypt the victim’s data.

Additionally, it is believed to share similarities with the Vice Society ransomware group (also known as Storm-0832 or Vanilla Tempest) because both use NTDSUtil and PortStarter, tools that had previously been used exclusively by the latter group.

Rhysida has claimed five victims in October 2023, according to statistics collated by Malwarebytes. This puts it well behind LockBit (64), NoEscape (40), PLAY (36), ALPHV/BlackCat (29), and 8BASE (21).

According to the agencies, the group used living-off-the-land (LotL) tactics to enable lateral movement and create VPN access, in addition to opportunistic attacks to breach targets.

Vice Society’s pivot to Rhysida is further supported by new research published by Sophos last week, which said it observed the same threat actor deploying Vice Society up until June 2023, when it switched to deploying Rhysida.

The cybersecurity company is tracking the cluster under the name TAC5279.

“Notably, according to the ransomware group’s data leak site, Vice Society has not posted a victim since July 2023, which is around the time Rhysida began reporting victims on its site,” Sophos researchers Colin Cowie and Morgan Demboski said.

The development comes as the BlackCat ransomware gang is attacking corporations and public entities using Google ads laced with Nitrogen malware, per eSentire.

“This affiliate is taking out Google ads promoting popular software, such as Advanced IP Scanner, Slack, WinSCP and Cisco AnyConnect, to lure business professionals to attacker-controlled websites,” the Canadian cybersecurity company said.

The rogue installers come bundled with Nitrogen, an initial access malware capable of delivering next-stage payloads, including ransomware, into a compromised environment.

“Known examples of ransomware-associated initial access malware that leverage browser-based attacks include GootLoader, SocGholish, BATLOADER, and now Nitrogen,” eSentire said. “Interestingly, ALPHV has been observed as an end-game for at least two of these browser-based initial access pieces of malware: GootLoader and Nitrogen.”

According to WithSecure, 29 of the 60 active ransomware groups started operating this year, which is further evidence of the constantly changing nature of the ransomware landscape. This trend has been aided by Babuk, Conti, and LockBit’s source code leaks over the years.

According to a WithSecure report shared with The Hacker News, “data leaks aren’t the only thing that leads to older groups cross-pollinating younger ones.” It continued: “Just like an IT company, ransomware gangs have employees. Additionally, just like in an IT company, employees occasionally switch jobs, bringing their special talents and expertise with them. However, unlike legitimate IT companies, there is nothing stopping a cybercriminal from stealing proprietary resources (like tools or code) from one ransomware operation and using it at another. Among thieves, honor does not exist.”


About the Author: Cryptus Team

CRYPTUS CYBER SECURITY is a cyber security training and penetration testing company in New Delhi, India. We have been delivering advanced IT security training and services with up-to-date technical content to IT professionals. Our goal is to sustain a performance level that produces sterling results. We stand up to the commitments made by our team.
