New Ransomware Threat Rhysida Linked to Notorious Vice Society Actors
It’s only been three months since the Rhysida ransomware group was detected, but the rising number of victims it’s racked up in such industries as education, manufacturing, and, more recently, healthcare is drawing the attention of cybersecurity pros trying to uncover more information about the operators behind it.
One of those security firms, Check Point, this week noted similarities in techniques that more tightly tied Rhysida and Vice Society, a highly aggressive ransomware group over the past two years that has primarily targeted organizations in the education and healthcare sectors.
Check Point researchers in a report also said Rhysida’s rise as a ransomware and double-extortion threat – exfiltrating data rather than simply encrypting it, and threatening to publish it if the ransom isn’t paid – corresponds to the relative disappearance of Vice Society from the scene.
“As Vice Society was observed deploying a variety of commodity ransomware payloads, this link does not suggest Rhysida is exclusively used by Vice Society, but shows with at least medium confidence that Vice Society operators are now using Rhysida ransomware,” the researchers wrote.
Rhysida’s rise also highlights the trend in the cybercriminal world of threat groups reusing code and other components from previous malware in their own malicious tools, according to Cisco’s Talos threat intelligence unit.
“There has been huge growth in the ransomware and extortion space, potentially linked to the plethora of leaked builders and source code related to various ransomware cartels,” Talos researchers wrote in their own report this week. “This is just another example of how these groups can now quickly develop their own ransomware variants by standing on the shoulders of those criminals who had their previous work exposed publicly.”
Targeting the Healthcare Sector
The Rhysida group has been busy since emerging in May, racking up victims in a broad array of sectors, including government and tech. Now healthcare is in the gang’s crosshairs, including indications that it was involved in the attack earlier this month on Prospect Medical Holdings, which Check Point said affected 17 hospitals and 166 clinics in the United States.
The US Health and Human Services (HHS) Department around the same time issued an eight-page alert about Rhysida, outlining its tactics and techniques and pointing to possible connections with Vice Society, including the targeting of the education sector. The agency noted that 38.4% of Vice Society’s attacks targeted that space, compared with 30% of Rhysida’s victims.
“Of note, Vice Society mainly targets both educational and healthcare institutions, preferring to attack small-to-medium organizations,” the alert said. “If there is indeed a linkage between both groups, then it is only a matter of time before Rhysida could begin to look at the healthcare sector as a viable target.”
The healthcare industry is becoming a target of many ransomware groups. According to a JAMA Network report last year, the number of ransomware attacks on healthcare delivery systems doubled between 2016 and 2021, exposing the personal health data of almost 42 million patients.
How Rhysida Operates
Multiple studies of Rhysida found that the threat group gains initial access to targeted systems via a number of avenues, including phishing and being dropped as a secondary payload by command-and-control (C2) frameworks like Cobalt Strike.
Once in, they use a number of tools to move laterally through a compromised network, including Remote Desktop Protocol (RDP) and Remote PowerShell Sessions (WinRM). Both Check Point and Trend Micro said the ransomware itself was deployed using PsExec (which lets the operators execute processes on other systems). Trend Micro noted that Rhysida uses a 4096-bit RSA key and AES-CTR to encrypt files.
The bad actors use multiple backdoors to ensure persistence, including SystemBC, a proxy malware, and AnyDesk, a legitimate remote management tool, and evade detection by deleting logs and forensic artifacts, according to Check Point. They also change domain passwords to slow down remediation operations. Trend Micro also pointed to a PowerShell script called “SILENTKILL” used to end antivirus processes and services, delete shadow copies, modify RDP configurations, and change Active Directory passwords.
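The behaviours described above (PsExec deployment, log clearing, shadow-copy deletion, RDP reconfiguration and domain-wide password changes) are individually noisy but cluster tightly on a host right before encryption. The following is an added detection example, not code from the article or from any of the firms cited; it runs over constructed Windows event records (Event IDs 7045, 1102, 4688, 4724 are standard Windows events; the host names, the `MASS_RESET_THRESHOLD` value and the sample records are assumptions):

```python
import re
from collections import defaultdict

# Windows Event IDs used: 7045 service installed, 1102 audit log cleared,
# 4688 process creation, 4724 password reset attempt.
VSS_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
RDP_KEY = re.compile(r"reg(\.exe)?\s+add\s+.*Terminal Server", re.I)
MASS_RESET_THRESHOLD = 5  # assumed: 4724 count per host treated as a domain-wide reset

def behaviours_for(event):
    """Map one event record to the article-described behaviours it matches."""
    eid, cmd = event["id"], event.get("cmd", "")
    found = set()
    if eid == 7045 and event.get("service", "").upper() == "PSEXESVC":
        found.add("psexec_service_install")   # ransomware pushed via PsExec
    if eid == 1102:
        found.add("security_log_cleared")     # log / forensic artifact deletion
    if eid == 4688 and VSS_DELETE.search(cmd):
        found.add("shadow_copy_deletion")     # SILENTKILL-style recovery sabotage
    if eid == 4688 and RDP_KEY.search(cmd):
        found.add("rdp_config_change")        # RDP reconfiguration for lateral movement
    return found

def classify(events):
    """Return {host: set of behaviours}, adding mass password resets per host."""
    hits, resets = defaultdict(set), defaultdict(int)
    for e in events:
        hits[e["host"]] |= behaviours_for(e)
        if e["id"] == 4724:
            resets[e["host"]] += 1
    for host, n in resets.items():
        if n >= MASS_RESET_THRESHOLD:
            hits[host].add("mass_password_reset")
    return {h: b for h, b in hits.items() if b}

def hosts_at_risk(events, min_behaviours=3):
    """Hosts where several behaviours cluster; that, not any single event, is the page-worthy signal."""
    return sorted(h for h, b in classify(events).items() if len(b) >= min_behaviours)

# Constructed sample telemetry (not real logs).
SAMPLE = [
    {"host": "DC01", "id": 7045, "service": "PSEXESVC"},
    {"host": "DC01", "id": 4688, "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "DC01", "id": 4688, "cmd": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "DC01", "id": 1102},
    *[{"host": "DC01", "id": 4724} for _ in range(6)],
    {"host": "WS07", "id": 7045, "service": "Spooler"},
    {"host": "WS07", "id": 4688, "cmd": "notepad.exe"},
]

if __name__ == "__main__":
    print(classify(SAMPLE), hosts_at_risk(SAMPLE))
```

In a real deployment the per-host counting would be bounded by a time window; here the whole sample is treated as one window.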
The security firms also highlighted the phrasing in the ransom notes left behind, with the attackers identifying themselves as the “security team at Rhysida” alerting the victims that their systems were compromised.
Tactics, Techniques, and Vice Society
The connection to Vice Society, which has been raised before, became clearer as researchers dug deeper, according to Check Point. Many of the techniques, while used by many ransomware operators, were used in uncommon ways, including the tools used to create certain backups, the creation of a local firewall rule, and the domain-wide password change before the ransomware was deployed.
Along with the similarity in targets, the researchers used information on the leak sites of both groups to illustrate Vice Society’s fading presence once Rhysida came along. Since October 2022, Vice Society had kept a fairly consistent drumbeat of postings to its leak site. However, in May – when Rhysida appeared – the postings by Vice Society fell as Rhysida’s grew.
“Ever since Rhysida first appeared, Vice Society has only published two victims,” they wrote. “It’s likely that those were performed earlier and were only published in June. Vice Society actors stopped posting on their leak site since June 21, 2023.”