Rhysida Ransomware Gang
Actor Type | Criminal Group |
---|---|
Rhysida operates a 'ransomware-as-a-service' offering that was reportedly first observed in May 2023. Attacks using Rhysida typically follow the 'double extortion' model: data is stolen before systems and data are encrypted, and the group then demands payment both for a decryption key and to prevent the exposure or sale of the stolen data.
Rhysida has extorted at least dozens of victims across multiple sectors and geographies.
Reports suggest that the criminal operation behind Rhysida has been active since 2021, having previously been tracked under the name 'Gold Victor' and linked to the Vice Society ransomware operation.
Rhysida Ransomware Gang Threat Reports
StopRansomware: Rhysida Ransomware
This is a joint Cybersecurity Advisory by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and ...
References
https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/rhysida-ransomware-intrusion.pdf
https://www.logpoint.com/wp-content/uploads/2023/12/logpoint-etpr-rhysida.pdf
https://www.secureworks.com/research/threat-profiles/gold-victor
https://www.fortinet.com/blog/threat-research/ransomware-roundup-rhysida
https://www.theguardian.com/technology/2023/nov/24/rhysida-the-new-ransomware-gang-behind-british-library-cyber-attack
https://www.logpoint.com/en/blog/emerging-threats/uncovering-rhysida-and-their-activities/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a
https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1486 | Data Encrypted for Impact | Impact |
T1564.003 | Hidden Window | Defense Evasion |
T1219 | Remote Access Software | Command and Control |
T1069.002 | Domain Groups | Discovery |
T1587 | Develop Capabilities | Resource Development |
T1021.004 | SSH | Lateral Movement |
T1657 | Financial Theft | Impact |
T1112 | Modify Registry | Defense Evasion |
T1190 | Exploit Public-Facing Application | Initial Access |
T1087.002 | Domain Account | Discovery |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1059.003 | Windows Command Shell | Execution |
T1059.001 | PowerShell | Execution |
T1033 | System Owner/User Discovery | Discovery |
T1070.001 | Clear Windows Event Logs | Defense Evasion |
T1069.001 | Local Groups | Discovery |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1016 | System Network Configuration Discovery | Discovery |
T1566 | Phishing | Initial Access |
T1482 | Domain Trust Discovery | Discovery |
T1003.003 | NTDS | Credential Access |
T1055.002 | Portable Executable Injection | Defense Evasion, Privilege Escalation |
T1018 | Remote System Discovery | Discovery |
T1070.004 | File Deletion | Defense Evasion |
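As an added worked example (it is not code from this page, from the referenced reports, or from the actor), the Python below maps constructed Windows process-creation and audit events to five of the ATT&CK IDs in the table above and then correlates hits per user, so that a single noisy match (an administrator legitimately clearing a log or running ntdsutil for a backup) does not raise an alert on its own. The event shape, the usernames, the command lines, the regular expressions and the threshold of three distinct techniques are all assumptions; the indicators are generic, well-known command patterns for these techniques, not actor-specific IOCs, because the page itself does not record how Rhysida performs them.

```python
"""Map constructed Windows events to ATT&CK technique IDs and correlate per user.

Added example. Sample events, rules and threshold are constructed for
illustration; they are not taken from the page or from any Rhysida report.
"""
import json
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample telemetry (one JSON object per line), loosely shaped
# like Windows Security 4688 / 1102 records. Not real data.
SAMPLE_EVENTS = r"""
{"EventID": 4688, "User": "CORP\\svc_backup", "CommandLine": "powershell.exe -NoP -WindowStyle Hidden -enc SQBFAFgA"}
{"EventID": 4688, "User": "CORP\\admin1", "CommandLine": "ntdsutil.exe \"ac i ntds\" \"ifm\" \"create full C:\\temp\\dump\" q q"}
{"EventID": 4688, "User": "CORP\\admin1", "CommandLine": "reg.exe add HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f"}
{"EventID": 1102, "User": "CORP\\admin1", "CommandLine": ""}
{"EventID": 4688, "User": "CORP\\admin1", "CommandLine": "wevtutil.exe cl Security"}
{"EventID": 4688, "User": "CORP\\jdoe", "CommandLine": "notepad.exe C:\\Users\\jdoe\\notes.txt"}
"""


def _cmd(event: dict) -> str:
    """Return the command line of an event, or an empty string."""
    return event.get("CommandLine") or ""


# (technique ID from the table, technique name, tactic, predicate over an event).
# Patterns are generic indicators assumed for this example, not actor-specific.
RULES: List[Tuple[str, str, str, Callable[[dict], object]]] = [
    ("T1070.001", "Clear Windows Event Logs", "Defense Evasion",
     lambda e: e.get("EventID") == 1102
     or re.search(r"\bwevtutil(\.exe)?\s+cl\b", _cmd(e), re.I)),
    ("T1564.003", "Hidden Window", "Defense Evasion",
     lambda e: re.search(r"-w(indowstyle)?\s+hidden\b", _cmd(e), re.I)),
    ("T1059.001", "PowerShell", "Execution",
     lambda e: re.search(r"\b(powershell|pwsh)(\.exe)?\b", _cmd(e), re.I)),
    ("T1003.003", "NTDS", "Credential Access",
     lambda e: re.search(r"\bntdsutil(\.exe)?\b.*\bifm\b", _cmd(e), re.I)),
    ("T1112", "Modify Registry", "Defense Evasion",
     lambda e: re.search(r"\breg(\.exe)?\s+(add|delete)\b", _cmd(e), re.I)),
]


def classify(event_lines: str) -> List[Dict]:
    """Run every rule over every event; return one finding per matching event."""
    findings = []
    for raw in event_lines.strip().splitlines():
        event = json.loads(raw)
        hits = [(tid, name, tactic) for tid, name, tactic, pred in RULES if pred(event)]
        if hits:
            findings.append({
                "user": event.get("User"),
                "event_id": event.get("EventID"),
                "techniques": hits,
            })
    return findings


def score_by_user(findings: List[Dict], threshold: int = 3) -> Dict[str, List[str]]:
    """Collapse findings to distinct technique IDs per user and keep only
    users at or above the threshold. Single hits stay visible in `findings`
    for triage but do not alert by themselves (assumed threshold)."""
    per_user: Dict[str, set] = {}
    for finding in findings:
        per_user.setdefault(finding["user"], set()).update(
            tid for tid, _, _ in finding["techniques"])
    return {user: sorted(tids) for user, tids in per_user.items()
            if len(tids) >= threshold}


if __name__ == "__main__":
    found = classify(SAMPLE_EVENTS)
    for f in found:
        print(f["user"], f["event_id"], [t[0] for t in f["techniques"]])
    print("flagged:", score_by_user(found))
```

In the constructed sample, the backup service account matches two techniques (hidden window plus PowerShell) and stays below the threshold, while the account that dumps NTDS, edits a Defender policy key and then clears the Security log reaches three distinct techniques and is flagged. Tune the threshold and the patterns to your own environment; in particular, legitimate backup tooling also invokes ntdsutil, so the credential-access rule should be exempted for known backup hosts rather than dropped.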