Cybersecurity experts warn against Rhysida hacking group

Fears that attacks on government, academia, and manufacturing will spread to health care.

© Health Sector Cybersecurity Coordination Center

Federal cybersecurity experts are warning about a new hacking group emerging in computer attacks around the world.

Rhysida became known in May 2023 as a new ransomware-as-a-service (RaaS) group that uses phishing emails and the program Cobalt Strike to attack computer networks, according to the Health Sector Cybersecurity Coordination Center (HC3) within the U.S. Department of Health and Human Services.

“The group threatens to publicly distribute the exfiltrated data if the ransom is not paid,” said a new sector alert published by HC3.

“Rhysida is still in early stages of development,” but advanced enough to launch attacks in Western Europe, North and South America, and Australia.

The group may be best known for an attack against the army of Chile. News reports stated Rhysida leaked documents they claimed were stolen from the Chilean army’s network.

“They primarily attack education, government, manufacturing, and technology and managed service provider sectors; however, there have been recent attacks against the health care and public health (HPH) sector,” the HC3 brief said.

Named for a genus of centipede, “Rhysida describes itself as a ‘cybersecurity team’ that aims to help victims highlight potential security issues and secure their networks,” according to HC3.

Victims receive ransom notes threatening public disclosure of exfiltrated data. The ransom notes are written as PDF documents, one of the few potential clues about a group whose origins remain shadowy.

“This potentially provides some insight into the types of systems or networks that the threat group targets, as the presence of these ransom notes could indicate that the targeted systems have the capability to handle PDF documents,” the HC3 sector alert said.

Victims are instructed to pay in Bitcoin.

So far, the United States, the United Kingdom, Italy, and Spain appeared to be the countries with the most targets. The group appeared to be independent, showing no overt connections to existing ransomware operations.

However, some security researchers have alleged there is a relationship with the hacking group Vice Society, which targets small to medium-sized educational and health care organizations. “If there is indeed a linkage between both groups, then it is only a matter of time before Rhysida could begin to look at the healthcare sector as a viable target,” the HC3 sector alert said.

To bolster cybersecurity, HC3 recommended:

  • Virtual patching to protect against known vulnerabilities in computer software.
  • Phishing awareness training for all employees to help them recognize and avoid phishing attempts.
  • Endpoint security solutions that check points of entry in computer networks.
  • Immutable backups resistant to modification and deletion. “These backups guarantee that, despite the presence of such cyber risks, the restoration of data remains a feasible and efficient approach, thereby negating the necessity to comply with ransom requisitions,” the sector alert said.
  • Network segmentation to limit the spread of ransomware within a network.
  • Firewalls and intrusion detection systems to detect and block suspicious activity.
  • Incident response plans to respond quickly to ransomware attacks.
  • Limits on access rights of users and applications. Known as the least privilege principle, limiting access can stop ransomware from getting access needed to spread in a network or encrypt files.

“In only a short time, Rhysida has proven itself to be a significant threat to organizations worldwide,” the HC3 warning said.