- Hackers’ Dual Project: Vice & Rhysida - September 5, 2023
Check Point Research has identified strategic parallels between the Rhysida and Vice Society ransomware factions and their preferred targets within the healthcare and education sectors. Notably, there is reasonable certainty that Vice Society is currently utilizing Rhysida ransomware in its operations.
The Vice Society collective, known as Storm-0832, has been operational since May 2021 and relies on pre-existing ransomware binaries procured from underground hacker forums for their attacks. The group initiates network access through compromised credentials or the exploitation of vulnerabilities leading to privilege escalation.
Conversely, the Rhysida ransomware group, initially spotted in May 2023, infiltrates targeted networks using phishing campaigns and employs Cobalt Strike for payload deployment. Most of Rhysida’s victims are concentrated in the United States, United Kingdom, Italy, Spain, and Austria.
The Rhysida operators move laterally through victim networks via Remote Desktop Protocol (RDP) and remote PowerShell sessions, and distribute the ransomware payload with the Windows PsExec utility. Command and Control (C2) is maintained through tools such as the SystemBC backdoor and remote management software like AnyDesk.
A significant observation is the systematic erasure of logs and digital traces by both groups to obscure any indicators of intrusion, alongside the alteration of domain-wide passwords to impede remediation endeavors.
Decoding Connections: Rhysida Emergence and Vice Society’s Retreat
Check Point’s analysis draws a distinct correlation between the emergence of Rhysida and the diminishing activity of Vice Society. Among the shared traits highlighted were the use of the legitimate command-line tool NTDSUtil, the creation of local firewall rules to permit communication with the C2 server via SystemBC, and the use of the exclusive PortStarter tool.
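The tradecraft described above (PsExec deployment, remote PowerShell sessions, NTDSUtil use, local firewall rules for the C2 channel, log clearing and domain-wide password changes) maps onto a handful of Windows event types that defenders can watch for. The following detection script is an added example, not part of the Check Point report or this article: it parses simplified, constructed event records in a key=value form (the field names, the record format and the alert threshold are this example's own assumptions) and flags each technique. The Windows event IDs it keys on (7045 service installed, 4688 process created, 1102 and 104 log cleared, 4724 password reset) and the WinRM host process name wsmprovhost.exe are real, but the sample lines are invented for the demonstration.

```python
"""Detect the Vice Society / Rhysida tradecraft named in the report.

Added example, not code from the article or from Check Point. It scans
simplified Windows event records and returns one alert per technique seen.
Field names, record format, sample values and thresholds are assumptions.
"""
import re

# Constructed sample records (not real telemetry). One record per line,
# key=value pairs, values with spaces in double quotes.
SAMPLE_LOGS = [
    'host=FS01 event_id=7045 service_name=PSEXESVC image_path="%SystemRoot%\\PSEXESVC.exe"',
    'host=DC01 event_id=4688 process=ntdsutil.exe command_line="ntdsutil.exe \'ac i ntds\' \'ifm\' \'create full C:\\temp\' q q"',
    'host=WS07 event_id=4688 process=netsh.exe command_line="netsh advfirewall firewall add rule name=svc dir=in action=allow protocol=TCP localport=4444"',
    'host=WS07 event_id=4688 process=wsmprovhost.exe command_line="wsmprovhost.exe -Embedding"',
    'host=DC01 event_id=1102 subject=CORP\\svc-backup',
    'host=DC01 event_id=4724 subject=CORP\\svc-backup target=CORP\\alice',
    'host=DC01 event_id=4724 subject=CORP\\svc-backup target=CORP\\bob',
    'host=DC01 event_id=4724 subject=CORP\\svc-backup target=CORP\\carol',
    'host=WS03 event_id=4688 process=notepad.exe command_line="notepad.exe notes.txt"',
]

# key=value with either a double-quoted value or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse(line):
    """Turn one key=value record into a dict (quoted or bare values)."""
    return {k: (q if q != "" or u == "" else u) if q is not None and q != "" else u
            for k, q, u in KV_RE.findall(line)}


def classify(rec):
    """Return (technique, detail) pairs for a single record, [] if benign."""
    hits = []
    eid = rec.get("event_id")
    cmd = rec.get("command_line", "").lower()
    proc = rec.get("process", "").lower()
    # PsExec installs its PSEXESVC service on the target before running the payload
    if eid == "7045" and rec.get("service_name", "").upper() == "PSEXESVC":
        hits.append(("psexec_service_install", rec.get("image_path", "")))
    # Security (1102) or System (104) event log cleared: anti-forensics
    if eid in ("1102", "104"):
        hits.append(("event_log_cleared", rec.get("subject", "")))
    if eid == "4688":
        # ntdsutil with the "ifm" option snapshots the AD database (NTDS.dit)
        if "ntdsutil" in cmd and "ifm" in cmd:
            hits.append(("ntds_dump_via_ntdsutil", cmd))
        # local firewall rule opened from the command line (C2 allow-listing)
        if "advfirewall" in cmd and "add rule" in cmd:
            hits.append(("local_firewall_rule_added", cmd))
        # wsmprovhost.exe hosts incoming WinRM / remote PowerShell sessions
        if proc == "wsmprovhost.exe":
            hits.append(("remote_powershell_session", rec.get("host", "")))
    return hits


def password_reset_bursts(records, threshold=3):
    """Map subject -> sorted targets for subjects resetting >= threshold accounts (4724)."""
    per_subject = {}
    for r in records:
        if r.get("event_id") == "4724":
            per_subject.setdefault(r.get("subject", "?"), set()).add(r.get("target", "?"))
    return {s: sorted(t) for s, t in per_subject.items() if len(t) >= threshold}


def scan(lines):
    """Return a list of (host, technique, detail) alerts for the given records."""
    records = [parse(line) for line in lines]
    alerts = []
    for rec in records:
        for technique, detail in classify(rec):
            alerts.append((rec.get("host", "?"), technique, detail))
    for subject, targets in password_reset_bursts(records).items():
        alerts.append(("-", "domain_password_reset_burst", f"{subject} -> {', '.join(targets)}"))
    return alerts


if __name__ == "__main__":
    for host, technique, detail in scan(SAMPLE_LOGS):
        print(f"[{host}] {technique}: {detail}")
```

The per-record rules are deliberately narrow (a specific service name, a specific process, a specific argument), which keeps false positives down on a busy domain controller; the password-reset rule is the one that needs tuning, since a help desk account legitimately resets several accounts a day, so the threshold should be set from a baseline of normal 4724 volume per subject.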
Since its inception in May 2023, Rhysida has only posted two victims on its data leak platform. It is plausible that these victims were already known but only disclosed in June. Vice Society halted its leak site updates as of June 21, 2023.
Another noteworthy aspect is the consistent targeting of the education sector by both Rhysida and Vice Society, comprising 32% and 35% of their attacks, respectively.
The researchers underlined the persistent tactics employed by members of these groups, encompassing the use of remote management utilities like AnyDesk and the deployment of ransomware via PsExec.
In a previous report by Palo Alto Networks Unit 42, it was revealed that Vice Society assaulted 33 educational institutions in 2022, surpassing other ransomware groups. The group was acknowledged as “one of the most influential ransomware entities of 2022” by Palo Alto Networks. In total, they targeted organizations across healthcare, government, manufacturing, retail, and legal sectors.