New Report Exposes Vice Society’s Collaboration with Rhysida Ransomware
Tactical similarities have been unearthed between the double extortion ransomware group known as Rhysida and Vice Society, including in their targeting of education and healthcare sectors.
“As Vice Society was observed deploying a variety of commodity ransomware payloads, this link does not suggest that Rhysida is exclusively used by Vice Society, but shows with at least medium confidence that Vice Society operators are now using Rhysida ransomware,” Check Point said in a new report.
Vice Society, tracked by Microsoft under the name Storm-0832, has a pattern of employing already existing ransomware binaries that are sold on criminal forums to pull off their attacks. The financially motivated gang has also been observed resorting to pure extortion-themed attacks wherein the data is exfiltrated without encrypting them.
First observed in May 2023, the Rhysida ransomware group is known to rely on phishing attacks and Cobalt Strike to breach targets’ networks and deploy their payloads. A majority of its victims are based in the U.S., the U.K., Italy, Spain, and Austria.
Cisco Talos, in its own advisory of Rhysida, said the ransomware is dropped as secondary payloads from command-and-control frameworks, which are commonly delivered as part of traditional commodity malware.
“The group itself likes to pretend to be a cybersecurity organization,” the company said. “They claim to have compromised the company and are willing to help resolve the issue.”
Lateral movement is facilitated using remote desktop protocol (RDP) and remote PowerShell sessions, while the ransomware payload is deployed using PsExec. Command-and-control is achieved by means of backdoors like SystemBC and remote management tools such as AnyDesk.
The attack chains are also notable for consistently erasing logs and forensic artifacts to cover their trail and initiating a domain-wide password change to inhibit remediation efforts.
A Trend Micro report on Rhysida has also highlighted a PowerShell script dubbed SILENTKILL that’s used by the threat actor to terminate antivirus-related processes and services, delete shadow copies, modify remote desktop protocol (RDP) configurations, and change the active directory (AD) password.
“They primarily attack education, government, manufacturing, and technology and managed service provider sectors; however, there have been recent attacks against the Healthcare and Public Health (HPH) sector,” the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center said in an alert last week.
The latest findings from the Israeli cybersecurity firm have revealed a “clear correlation” between the emergence of Rhysida and the disappearance of Vice Society.
This comprises the use of NTDSUtil, the creation of local firewall rules to enable C2 communications via SystemBC, and the utilization of a commodity tool called PortStarter, which has been linked almost exclusively to Vice Society.
“Ever since Rhysida first appeared, Vice Society has only published two victims,” Check Point said. “It’s likely that those were performed earlier and were only published in June. Vice Society actors stopped posting on their leak site since June 21, 2023.”
The other major indicator is the commonality in their victimology footprints. Both Rhysida and Vice Society have disproportionately targeted the education vertical, accounting for 32% and 35% of the overall distribution, respectively.
“Our analysis of Rhysida ransomware intrusions reveals clear ties between the group and the infamous Vice Society, but it also reveals a grim truth – the TTPs of prolific ransomware actors remain largely unchanged,” the company said.
“From the usage of remote management tools such as AnyDesk to the deployment of ransomware through PsExec, threat actors leverage a variety of tools to facilitate such attacks.”
The disclosure comes as Sophos identified “curiously” similar characteristics among a set of ransomware attacks associated with Hive, Royal, Black Basta, and Cactus, describing them as part of a “threat activity cluster” that defenders can use to speed up detection and limit damage.
(The article was updated after publication to include additional information about the ransomware strain from Cisco Talos and Trend Micro.)