Tactical similarities have been unearthed between the double extortion ransomware group known as Rhysida and Vice Society, including in their targeting of education and healthcare sectors.
“As Vice Society was observed deploying a variety of commodity ransomware payloads, this link does not suggest that Rhysida is exclusively used by Vice Society, but shows with at least medium confidence that Vice Society operators are now using Rhysida ransomware,” Check Point said in a new report.
Vice Society, tracked by Microsoft under the name Storm-0832, has a pattern of employing already existing ransomware binaries that are sold on criminal forums to pull off their attacks. The financially motivated gang has also been observed resorting to pure extortion-themed attacks wherein the data is exfiltrated without encrypting them.
First observed in May 2023, the Rhysida ransomware group is known to rely on phishing attacks and Cobalt Strike to breach targets’ networks and deploy their payloads. A majority of its victims are based in the U.S., the U.K., Italy, Spain, and Austria.
Lateral movement is facilitated using remote desktop protocol (RDP) and remote PowerShell sessions, while the ransomware payload is deployed using PsExec. Command-and-control is achieved by means of backdoors like SystemBC and remote management tools such as AnyDesk.
The attack chains are also notable for consistently erasing logs and forensic artifacts to cover their trail and initiating a domain-wide password change to inhibit remediation efforts.
“They primarily attack education, government, manufacturing, and technology and managed service provider sectors; however, there have been recent attacks against the Healthcare and Public Health (HPH) sector,” the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center said in an alert last week.
The latest findings from the Israeli cybersecurity firm have revealed a “clear correlation” between the emergence of Rhysida and the disappearance of Vice Society.
This comprises the use of NTDSUtil, the creation of local firewall rules to enable C2 communications via SystemBC, and the utilization of a commodity tool called PortStarter, which has been linked almost exclusively to Vice Society.
“Ever since Rhysida first appeared, Vice Society has only published two victims,” Check Point said. “It’s likely that those were performed earlier and were only published in June. Vice Society actors stopped posting on their leak site since June 21, 2023.”
The other major indicator is the commonality in their victimology footprints. Both Rhysida and Vice Society have disproportionately targeted the education vertical, accounting for 32% and 35% of the overall distribution, respectively.
“Our analysis of Rhysida ransomware intrusions reveals clear ties between the group and the infamous Vice Society, but it also reveals a grim truth – the TTPs of prolific ransomware actors remain largely unchanged,” the company said.
“From the usage of remote management tools such as AnyDesk to the deployment of ransomware through PsExec, threat actors leverage a variety of tools to facilitate such attacks.”