Chris Swagler | September 1st, 2023

Rhysida Ransomware

The new Rhysida ransomware group has emerged, wreaking havoc across multiple sectors within three months of its discovery. Its escalating victim count in industries ranging from education to manufacturing and, most recently, healthcare has piqued the interest of cybersecurity professionals diligently seeking to unveil the identities behind this menace.

One cybersecurity company has drawn parallels between the tactics used by the Rhysida ransomware and the notorious Vice Society. Over the past few years, this highly aggressive ransomware group has primarily targeted educational and healthcare organizations. In a recent report, researchers shed light on Rhysida’s transformation into a double-extortion threat, exfiltrating sensitive data before encrypting it, coinciding with Vice Society’s relative decline in activity.

Cybersecurity is witnessing a growing trend of threat groups reusing code and elements from earlier malware to bolster their malicious tools. According to a threat intelligence unit, this tactic allows groups like Rhysida to rapidly develop new ransomware variants by building on the work of previously exposed criminals.

A striking aspect of Rhysida’s recent operations is its targeting of the healthcare sector. It’s suggested that the attack on Prospect Medical Holdings, which affected numerous hospitals and clinics in the US, may have involved Rhysida. The US Health and Human Services Department has issued a warning, outlining Rhysida’s techniques and pointing to possible connections with Vice Society. The healthcare industry has increasingly fallen prey to ransomware attacks. A report by JAMA Network highlighted that between 2016 and 2021, the number of ransomware attacks on healthcare delivery systems doubled, exposing the personal health data of millions of patients.

Multiple studies on Rhysida’s methods have revealed that the group gains initial access through phishing and as a secondary payload from command-and-control (C2) frameworks such as Cobalt Strike. Once inside a compromised network, they use several tools for lateral movement, including Remote Desktop Protocol (RDP) and remote PowerShell sessions over WinRM. The ransomware itself is pushed to hosts with PsExec and encrypts files using AES-CTR together with a 4096-bit RSA key.

The threat actors use several backdoors, including SystemBC and the legitimate remote management tool AnyDesk, to ensure persistence. They are adept at evading detection by deleting logs and forensic artifacts, and they even change domain passwords to hinder remediation efforts. The connection to Vice Society becomes more apparent as researchers delve deeper. Alongside the overlap in targeted sectors, the researchers have analyzed information from leak sites, revealing a decline in Vice Society’s postings that coincides with Rhysida’s emergence. This shift raises questions about Vice Society’s role in the rise of Rhysida.
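The two preceding paragraphs describe a chain a defender can watch for: RDP and WinRM lateral movement, PsExec-based deployment, AnyDesk persistence, log clearing and domain password resets. The script below is an added example, not code from the original post or from SpearTip: it maps a handful of constructed Windows event records to those stages and then flags hosts where more than one stage appears. The event IDs and field names (4624 with LogonType 10, 4688, 7045 with the PSEXESVC service, 1102, 4724) follow the real Windows Security and System log schema; the hostnames, users and addresses in `SAMPLE_EVENTS` are invented.

```python
"""Added example (not from the original post): stage-mapping detection
rules for the Rhysida behaviours described above, run over constructed
Windows event records so the whole thing executes offline."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample telemetry. Field names mirror Windows event XML data;
# the hosts, accounts and IP addresses are invented for the example.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "FS01", "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "10.0.5.23"},
    {"id": 4688, "host": "FS01", "NewProcessName": r"C:\Windows\System32\wsmprovhost.exe"},
    {"id": 7045, "host": "FS01", "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 4688, "host": "WS12", "NewProcessName": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"id": 1102, "host": "FS01", "SubjectUserName": "svc_backup"},
    {"id": 4724, "host": "DC01", "TargetUserName": "Administrator", "SubjectUserName": "svc_backup"},
    {"id": 4624, "host": "WS12", "LogonType": 2, "TargetUserName": "alice", "IpAddress": "-"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    stage: str    # coarse intrusion phase the event maps to
    detail: str


def _basename(path: str) -> str:
    # Windows event paths use backslashes; keep only the final component.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[Finding]:
    """Map one event record to a Finding, or None if it matches no rule."""
    eid = event.get("id")
    host = event.get("host", "?")
    if eid == 4624 and event.get("LogonType") == 10:
        # Logon type 10 is RemoteInteractive, i.e. an RDP session.
        return Finding(host, "lateral_movement",
                       f"RDP logon as {event.get('TargetUserName')} from {event.get('IpAddress')}")
    if eid == 4688:
        proc = _basename(event.get("NewProcessName", ""))
        if proc == "wsmprovhost.exe":
            # WinRM hosts a remote PowerShell session in wsmprovhost.exe.
            return Finding(host, "lateral_movement", "WinRM remote PowerShell session started")
        if proc == "anydesk.exe":
            return Finding(host, "persistence", "AnyDesk remote-management tool launched")
        return None
    if eid == 7045 and event.get("ServiceName", "").upper() == "PSEXESVC":
        # PsExec installs its PSEXESVC service on the target before running the payload.
        return Finding(host, "deployment", "PsExec service installed")
    if eid == 1102:
        # Security log cleared: the anti-forensics step the post describes.
        return Finding(host, "anti_forensics", f"Security log cleared by {event.get('SubjectUserName')}")
    if eid == 4724:
        # Password reset attempt on another account; maps to the domain password changes.
        return Finding(host, "anti_remediation",
                       f"password reset for {event.get('TargetUserName')} by {event.get('SubjectUserName')}")
    return None


def scan(events) -> list:
    """Run every record through classify() and keep the hits."""
    return [f for f in map(classify, events) if f is not None]


def hosts_by_stage_count(findings, minimum: int = 2) -> list:
    """Hosts on which at least `minimum` distinct stages were observed.
    Lateral movement followed by deployment or log clearing on one host is a
    far stronger signal than any single event, so these are escalated first."""
    stages = defaultdict(set)
    for f in findings:
        stages[f.host].add(f.stage)
    return sorted(h for h, s in stages.items() if len(s) >= minimum)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:5} {f.stage:16} {f.detail}")
    print("escalate:", hosts_by_stage_count(found))
```

On the sample data, FS01 accumulates lateral movement, deployment and log clearing and is the only host escalated, while the single AnyDesk launch on WS12 and the lone password reset on DC01 remain individual findings for an analyst to review in context. The rules are deliberately narrow; in a real environment they would sit alongside the log-forwarding that prevents a cleared local Security log from erasing the evidence.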

Understanding the full attack process, from initial intrusion to final deployment, is critical in this era of cyber threats. By closely monitoring these activities, companies can fortify their defenses and potentially thwart future ransomware attacks, safeguarding vital sectors from the persistent threat of cybercriminals. At SpearTip, our certified engineers are working continuously at our 24/7/365 Security Operations Center, monitoring companies’ data networks for potential ransomware threats and ready to respond to incidents immediately. Our remediation team works to restore companies’ operations, isolate malware to reclaim their networks and recover business-critical assets.

Our pre-breach advisory services allow our engineers to examine companies’ security posture to improve weak points in their networks and engage with the people, processes, and technologies to measure the maturity of their technical environments. Our ShadowSpear Platform, an integrable managed detection and response tool, exposes sophisticated unknown and advanced ransomware threats with comprehensive insights through unparalleled data normalization and visualizations.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
