Industrial Control Systems Cyber Emergency Response TeamAA23-319A#StopRansomware: Rhysida Ransomware
Actions to take today to mitigate malicious cyber activity:
- Prioritize remediating known exploited vulnerabilities.
- Enable multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems.
- Segment networks to prevent the spread of ransomware.
References
attack.mitre.org/versions/v14/
attack.mitre.org/versions/v14/techniques/T1003/003/
attack.mitre.org/versions/v14/techniques/T1003/003/
attack.mitre.org/versions/v14/techniques/T1016/
attack.mitre.org/versions/v14/techniques/T1016/
attack.mitre.org/versions/v14/techniques/T1018/
attack.mitre.org/versions/v14/techniques/T1018/
attack.mitre.org/versions/v14/techniques/T1021/001/
attack.mitre.org/versions/v14/techniques/T1021/001/
attack.mitre.org/versions/v14/techniques/T1021/004/
attack.mitre.org/versions/v14/techniques/T1021/004/
attack.mitre.org/versions/v14/techniques/T1033/
attack.mitre.org/versions/v14/techniques/T1033/
attack.mitre.org/versions/v14/techniques/T1055/002/
attack.mitre.org/versions/v14/techniques/T1055/002/
attack.mitre.org/versions/v14/techniques/T1059/001/
attack.mitre.org/versions/v14/techniques/T1059/001/
attack.mitre.org/versions/v14/techniques/T1059/003/
attack.mitre.org/versions/v14/techniques/T1059/003/
attack.mitre.org/versions/v14/techniques/T1069/001/
attack.mitre.org/versions/v14/techniques/T1069/001/
attack.mitre.org/versions/v14/techniques/T1069/002/
attack.mitre.org/versions/v14/techniques/T1069/002/
attack.mitre.org/versions/v14/techniques/T1070/001/
attack.mitre.org/versions/v14/techniques/T1070/001/
attack.mitre.org/versions/v14/techniques/T1070/004/
attack.mitre.org/versions/v14/techniques/T1070/004/
attack.mitre.org/versions/v14/techniques/T1078/
attack.mitre.org/versions/v14/techniques/T1078/
attack.mitre.org/versions/v14/techniques/T1087/002/
attack.mitre.org/versions/v14/techniques/T1087/002/
attack.mitre.org/versions/v14/techniques/T1112/
attack.mitre.org/versions/v14/techniques/T1112/
attack.mitre.org/versions/v14/techniques/T1190/
attack.mitre.org/versions/v14/techniques/T1190/
attack.mitre.org/versions/v14/techniques/T1219/
attack.mitre.org/versions/v14/techniques/T1219/
attack.mitre.org/versions/v14/techniques/T1482/
attack.mitre.org/versions/v14/techniques/T1482/
attack.mitre.org/versions/v14/techniques/T1486/
attack.mitre.org/versions/v14/techniques/T1486/
attack.mitre.org/versions/v14/techniques/T1564/003/
attack.mitre.org/versions/v14/techniques/T1564/003/
attack.mitre.org/versions/v14/techniques/T1566/
attack.mitre.org/versions/v14/techniques/T1566/
attack.mitre.org/versions/v14/techniques/T1587/
attack.mitre.org/versions/v14/techniques/T1587/
attack.mitre.org/versions/v14/techniques/T1657/
attack.mitre.org/versions/v14/techniques/T1657/
blog.talosintelligence.com/rhysida-ransomware/
blog.talosintelligence.com/rhysida-ransomware/
github.com/cisagov/Decider/
github.com/cisagov/Decider/
github.com/sophoslabs/IoCs/blob/master/2311%20Vice%20Society%20-%20Rhysida%20IoCs.csv
github.com/sophoslabs/IoCs/blob/master/2311%20Vice%20Society%20-%20Rhysida%20IoCs.csv
learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
learn.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard?tabs=intune
learn.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard?tabs=intune
learn.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-process-tracking
learn.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-process-tracking
learn.microsoft.com/en-us/windows/win32/fileio/master-file-table
learn.microsoft.com/en-us/windows/win32/fileio/master-file-table
learn.microsoft.com/en-us/windows/win32/fileio/master-file-table
msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472
msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472
news.sophos.com/en-us/2023/11/10/vice-society-and-rhysida-ransomware/
news.sophos.com/en-us/2023/11/10/vice-society-and-rhysida-ransomware/
nvd.nist.gov/vuln/detail/CVE-2020-1472
nvd.nist.gov/vuln/detail/CVE-2020-1472
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
socradar.io/threat-profile-rhysida-ransomware/
socradar.io/threat-profile-rhysida-ransomware/
twitter.com/CISAgov
twitter.com/intent/tweet?text=%23StopRansomware%3A%20Rhysida%20Ransomware+https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a
www.cisa.gov/cpg
www.cisa.gov/cpg
www.cisa.gov/forms/report
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.cisa.gov/news-events/cybersecurity-advisories/aa22-249a-0
www.cisa.gov/news-events/cybersecurity-advisories/aa22-249a-0
www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping
www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping
www.cisa.gov/securebydesign
www.cisa.gov/securebydesign
www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf
www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
www.cisa.gov/stopransomware
www.cisa.gov/stopransomware/stopransomware
www.cisa.gov/stopransomware/stopransomware
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a&title=%23StopRansomware%3A%20Rhysida%20Ransomware
www.fbi.gov/contact-us/field-offices
www.fortinet.com/blog/threat-research/ransomware-roundup-rhysida
www.fortinet.com/blog/threat-research/ransomware-roundup-rhysida
www.ic3.gov/
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a
www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
www.oig.dhs.gov/
www.secplicity.org/2023/05/23/scratching-the-surface-of-rhysida-ransomware/
www.secplicity.org/2023/05/23/scratching-the-surface-of-rhysida-ransomware/
www.sentinelone.com/anthology/rhysida/
www.sentinelone.com/anthology/rhysida/
www.sentinelone.com/anthology/rhysida/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=%23StopRansomware%3A%20Rhysida%20Ransomware&body=www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a
Related
