The Rhysida ransomware group, a recent addition to the growing threat landscape, has been implicated in a string of high-impact attacks since its emergence in May this year and linked to Vice Society, a known ransomware group that has been highly active since 2021.
Among Rhysida’s targets are the Chilean Army and Prospect Medical Holdings. A recent attack by the group affected 17 hospitals and 166 clinics in the United States.
According to a new advisory published on Tuesday by the Check Point Incident Response Team (CPIRT) and Check Point Research (CPR), the US Department of Health and Human Services, Rhysida has been officially labeled as a significant threat to the healthcare sector.
The security experts’ recent analysis also uncovered striking similarities in techniques, tactics and tools (TTPs) used by both Rhysida and Vice Society. The research suggests that the latter group may have adopted Rhysida as one of its preferred ransomware payloads. The shared focus on education and healthcare sectors further solidifies this link.
The tactics deployed by Rhysida and Vice Society included remote desktop protocol (RDP) connections, remote PowerShell sessions (WinRM) and the use of tools like PsExec for lateral movement.
The attackers demonstrated advanced defense evasion capabilities, deleting logs and forensic artifacts to hinder detection and analysis. Notably, Rhysida’s ransomware payload deployment took only eight days from initial lateral movement to widespread deployment.
The analysis also revealed a possible shift in Vice Society’s activity timeline, with the emergence of Rhysida coinciding with a decline in Vice Society’s actions.
The Check Point research highlights the necessity of understanding not only ransomware payloads but the entire attack process, from initial intrusion to final deployment. Monitoring these activities closely can potentially aid in thwarting future ransomware attacks and safeguarding critical sectors from cyber-threats.