Last Week in Ransomware: 11.27.23

Written by
Halcyon Team
Published on
Nov 27, 2023

Last week in ransomware news we saw the FBI and CISA issue an advisory on Royal ransomware, a report putting the cost of ransomware attacks on healthcare at tens of billions of dollars, and a new security advisory on Rhysida operations...

Rhysida Ransomware Operations

In a joint effort to address the escalating threat posed by ransomware, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a comprehensive security advisory on the Rhysida and Royal ransomware operations.

Rhysida, identified as a Ransomware-as-a-Service (RaaS), first emerged in May 2023. The modus operandi of Rhysida actors involves leveraging external-facing remote services, such as virtual private networks (VPNs), to infiltrate and persist within a target network.  

The advisory highlights their utilization of compromised valid credentials to authenticate to internal VPN access points, often employing living-off-the-land techniques to blend in with normal Windows systems and network activities.

Rhysida has shown a propensity for data exfiltration, engaging in double extortion practices. Notably, they maintain both a leaks site and a victim support portal on TOR. The industries targeted by Rhysida span healthcare, education, government, manufacturing, and technology.  

Intriguingly, the operators disguise their activities as unauthorized penetration testing, purporting to be a cybersecurity team assisting victim organizations in identifying security issues.

The ransom demands issued by Rhysida remain undisclosed at this time, but the group has demonstrated an advanced RaaS offering. Their capabilities include advanced evasion techniques to bypass antivirus protection, the wiping of Volume Shadow Copies (VSS) to prevent encryption rollback, and the ability to modify Remote Desktop Protocol (RDP) configurations.

The gang has been observed deploying sophisticated tools like Cobalt Strike and abusing PsExec for lateral movement, further emphasizing their technical proficiency. Rhysida employs a 4096-bit RSA key and AES-CTR for file encryption.

Notable victims include Pierce College, Ejercito de Chile, Axity, Ministry of Finance Kuwait, Prince George's County Public Schools, Ayuntamiento de Arganda City Council, and Comune di Ferrara.

While Rhysida has steadily increased its attack volume and expanded target industries, its impact is still modest compared to industry leaders. The group appears to be opportunistic attackers, sharing victimology similarities with Vice Society.


Ransomware's Impact on Healthcare

Separately, a report sheds light on the grim reality of ransomware attacks on healthcare organizations in the U.S. Since 2016, 539 known attacks have compromised over 52 million patient records, resulting in staggering network downtime losses of approximately $80 billion.  

Healthcare facilities, such as CommonSpirit Health, which suffered a ransomware attack in October 2022, bear the brunt of these attacks, with a minimum cost estimation of $160 million.

Ransomware operators, aware of the life-threatening consequences, leverage the disruption of crucial systems in healthcare to compel ransom payments. The report highlights the lack of conscience displayed by these groups, victimizing healthcare providers due to their perceived vulnerability.

The vulnerability of healthcare providers stems from their non-profit nature, operating on tight budgets and with limited staff for cybersecurity. The fragility of the healthcare system is evident, as seen in the demise of SMP Health following a disruptive ransomware attack.

Given the healthcare sector's attractiveness to ransomware operators, the report anticipates more regional providers falling victim to similar attacks. The urgency in the healthcare sector, where patients cannot afford delays in treatment, makes recovery times of three weeks or more a critical concern.


Royal Ransomware Operations: A Global Concern

Turning attention to another significant player in the ransomware landscape, the FBI and CISA issued a joint security advisory on the Royal ransomware operations. Since September 2022, Royal has targeted over 350 known victims worldwide, demanding ransom payments exceeding $275 million USD.

Royal's tactics involve disabling antivirus software, exfiltrating substantial amounts of data, and publishing victim data on a leak site if the ransom is not paid. The ransom demands range from approximately $1 million to $11 million USD in bitcoin.

Despite a slight reduction in activity in Q3 of 2023, Royal remains a concerning ransomware operation. The platform has expanded beyond Windows installations to include Linux systems and targets VMware ESXi servers. Assessments indicate ongoing investment in development, with advanced security evasion and anti-analysis capabilities.

Royal employs a range of defense-evasion tactics, including the use of Nsudo, PowerShell, PCHunter, Process Hacker, GMER, PowerTool, and batch scripts to disable or bypass security tools. The group targets critical infrastructure sectors, focusing on small to medium-sized organizations in manufacturing, communications, healthcare, and education.
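The two advisories summarized above share a set of observable precursors that defenders can hunt for in endpoint telemetry: shadow-copy deletion ahead of encryption, RDP being re-enabled through the registry, PsExec-style service installs for lateral movement, and the arrival of the security-tool killers named in the Royal paragraph (Nsudo, PCHunter, Process Hacker, GMER, PowerTool). The following is an added example, not code from Halcyon, CISA or the FBI: it scores a handful of constructed process-creation events against those patterns and flags hosts where more than one tactic shows up. The events, host names and rule names are all hypothetical.

```python
"""Added example: score constructed Windows process-creation events for the
ransomware precursors described in the Rhysida and Royal advisories."""
import re
from dataclasses import dataclass

# Each rule is (rule_name, tactic, regex) applied to "image + command line".
# The registry path and value name for RDP (Terminal Server / fDenyTSConnections)
# are the real Windows locations; the tool names come from the Royal advisory.
RULES = [
    ("vss_delete", "impact",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"
                r"|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|win32_shadowcopy.*delete", re.I)),
    ("rdp_enable", "persistence",
     re.compile(r"terminal server.*fDenyTSConnections.*/d\s+0\b", re.I)),
    ("psexec_service", "lateral_movement",
     re.compile(r"psexesvc", re.I)),
    ("av_killer_tool", "defense_evasion",
     re.compile(r"nsudo|pchunter|processhacker|gmer|powertool", re.I)),
]

# Constructed sample telemetry (hypothetical hosts and paths, not real data).
SAMPLE_EVENTS = [
    {"host": "ws-17", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws-17", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
                r'/v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "srv-db-02", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe"},
    {"host": "ws-17", "image": r"C:\Users\Public\PCHunter64.exe",
     "cmdline": "PCHunter64.exe"},
    # Benign noise: listing shadows is routine admin work, not deletion.
    {"host": "ws-03", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "ws-03", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\a\notes.txt"},
]


@dataclass
class Finding:
    host: str
    rule: str
    tactic: str
    evidence: str


def scan_events(events):
    """Return one Finding per (event, rule) match."""
    findings = []
    for ev in events:
        haystack = f"{ev['image']} {ev['cmdline']}"
        for name, tactic, rx in RULES:
            if rx.search(haystack):
                findings.append(Finding(ev["host"], name, tactic, ev["cmdline"][:80]))
    return findings


def hosts_with_multiple_tactics(findings, threshold=2):
    """Hosts with at least `threshold` distinct tactics: a single vssadmin hit
    is noisy, but impact + persistence + evasion on one host is a triage priority."""
    tactics_by_host = {}
    for f in findings:
        tactics_by_host.setdefault(f.host, set()).add(f.tactic)
    return sorted(h for h, t in tactics_by_host.items() if len(t) >= threshold)


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.host:10} {h.tactic:17} {h.rule:15} {h.evidence}")
    print("escalate:", hosts_with_multiple_tactics(hits))
```

The per-host aggregation is the part worth keeping: each rule on its own will fire on legitimate administration, but the advisories describe these steps arriving together on the same machine within a short window, so correlating tactics per host (and, in production, per time window) is what separates an intrusion from an admin running a backup cleanup.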

Notable victims of Royal include the City of Dallas, Unisco, Curry County, Clarke County Hospital, Penncrest School District, ZooTampa, Silverstone Formula One Circuit, and Reventics LLC. The City of Dallas, in particular, suffered significant disruption to emergency services and critical operations, incurring a recovery cost exceeding $10 million.

The joint security advisories issued by the FBI and CISA highlight the escalating threat posed by ransomware operations, emphasizing the need for enhanced cybersecurity measures across industries.

The reports underscore the devastating impact on organizations, ranging from financial losses to compromised patient data and critical infrastructure disruptions. As ransomware continues to evolve, the imperative for organizations to fortify their defenses and collaborate with cybersecurity agencies becomes increasingly urgent.

Halcyon is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and maintains the Recent Ransomware Attacks resource site.
