Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: Rhysida Ransomware, to disseminate known Rhysida ransomware indicators of compromise (IOCs), detection methods, and tactics, techniques, and procedures (TTPs) identified through investigations as recently as September 2023.
Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates. Rhysida actors leverage external-facing remote services, such as virtual private networks (VPNs), Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain initial access and persistence within a network.
CISA, FBI, and MS-ISAC encourage organizations review the joint CSA for recommended mitigations to reduce the likelihood and impact of Rhysida and other ransomware incidents. For more information, see CISA’s #StopRansomware webpage, which includes the updated #StopRansomware Guide.