
Uncovering the Link Between Rhysida and Vice Society Ransomware Groups


The ever-evolving cyber threat landscape has seen the emergence of dual-threat ransomware groups that deliberately target sensitive sectors such as healthcare and education. Two groups drawing attention for their tactical similarities are Rhysida and Vice Society.


The relationship between the two groups has become clear through analysis of their operational patterns. It is worth noting, however, that this connection does not mean they are one and the same operation: Vice Society, also tracked by Microsoft as Storm-0832, is known to deploy a variety of ransomware payloads.


Vice Society distinguishes itself by relying on pre-built ransomware binaries, readily available on criminal forums, to carry out its attacks. Its operations usually blend traditional ransomware tactics with pure extortion-style attacks in which stolen data is not necessarily encrypted.


By contrast, Rhysida, first spotted in May 2023, prefers phishing attacks and Cobalt Strike to infiltrate targeted networks and install its payloads. Rhysida has primarily affected victims in countries including the U.S., U.K., Italy, Spain, and Austria.


To move laterally within a compromised network, Rhysida uses Remote Desktop Protocol (RDP) and remote PowerShell sessions, and deploys its ransomware payload with PsExec. The group maintains command and control of the compromised network by installing backdoors such as SystemBC and using remote management tools like AnyDesk.


Rhysida is also notably meticulous about covering its tracks, consistently erasing logs, eliminating forensic evidence, and initiating an organization-wide password reset to hinder recovery efforts.


Although education, government, manufacturing, technology, and managed service providers are their key targets, these threat actors have recently expanded their focus to the healthcare and public health sectors.


An examination of the two groups' activities by the Israeli cybersecurity firm Check Point found that Rhysida's emergence coincided with the seemingly coincidental disappearance of Vice Society, and identified significant overlaps in their tradecraft. These include specific operational methods such as the deployment of NTDSUtil, the creation of local firewall rules for SystemBC C2 communication, and the use of PortStarter, a commodity tool typically associated with Vice Society.
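A defender-side illustration of the tradecraft overlaps described above (NTDSUtil execution, local firewall rule creation, PsExec use and log clearing), as an added example that is not Check Point's or the article's own code: simple detection rules run over constructed, simplified event records. The event shape, field names, host names and match patterns are all assumptions made for this example.

```python
import re

# Constructed sample records (not from the article), loosely modelled on Sysmon
# event 1 (process creation) and Security event 1102 (audit log cleared).
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "dc01", "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": "ntdsutil.exe"},
    {"EventID": 1, "Host": "ws07", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="svc" dir=in action=allow'},
    {"EventID": 1, "Host": "ws07", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface ip show config"},
    {"EventID": 1, "Host": "ws07", "Image": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": "PSEXESVC.exe"},
    {"EventID": 1102, "Host": "dc01", "Image": "", "CommandLine": ""},
    {"EventID": 1, "Host": "ws03", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]

def _image_is(event, name):
    return event["EventID"] == 1 and event["Image"].lower().endswith(name)

# Rules named after the behaviours the article attributes to Rhysida / Vice
# Society; the match patterns are assumptions, not vendor-published signatures.
RULES = [
    ("ntdsutil_execution", lambda e: _image_is(e, "ntdsutil.exe")),
    ("firewall_rule_added", lambda e: _image_is(e, "netsh.exe") and bool(
        re.search(r"advfirewall\s+firewall\s+add\s+rule", e["CommandLine"], re.I))),
    ("psexec_service", lambda e: _image_is(e, "psexesvc.exe")),
    ("audit_log_cleared", lambda e: e["EventID"] == 1102),
]

def detect(events):
    """Return (host, rule_name) for every event that matches a rule, in log order."""
    return [(e["Host"], name) for e in events for name, pred in RULES if pred(e)]

def hosts_with_multiple_ttps(hits, threshold=2):
    """Hosts on which at least `threshold` distinct rules fired. A chain such as
    directory-database access followed by log clearing is a far stronger signal
    than any single hit, which may be legitimate administration."""
    per_host = {}
    for host, name in hits:
        per_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= threshold)

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, rule in found:
        print(f"{host}: {rule}")
    print("escalate:", hosts_with_multiple_ttps(found))
```

Single hits on a host are worth triage, but the hosts returned by `hosts_with_multiple_ttps` are the ones where several of the article's named behaviours co-occur and deserve priority.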


Further, both groups share a common victimology pattern, with education-sector targets making up a significant portion of their operations: 32% for Rhysida and 35% for Vice Society.


The analysis underlines a sobering reality. Despite the ever-changing cybersecurity landscape, the tactics, techniques, and procedures (TTPs) employed by ransomware actors largely remain the same, and these actors are adept at abusing a mix of remotely accessible management tools to carry out their attacks.


This discovery follows closely on the heels of Sophos's identification of a cluster of ransomware attacks with notably similar characteristics, associated with Hive, Royal, Black Basta, and Cactus. Sophos labels these a "threat activity cluster", a grouping that can help defenders speed up detection and minimize potential damage.


The reality of these threats makes vigilance in cybersecurity paramount. By keeping abreast of the latest cybersecurity news, insights, and tips, you can strengthen your defenses against these ransomware groups and mitigate potential damage.


At Darksteel Technologies, we are an Orlando-based business that can handle all aspects of your IT security. We provide compliance, training, malware protection, cloud security, DevSecOps, vulnerability management, penetration testing, architecture design, and any other information security service your business needs. We focus on your cybersecurity so you don't have to.
