Rhysida Ransomware Leaks Documents Stolen From Chilean Army

Cyber Security Threat Summary:
The group responsible for a recent ransomware operation named Rhysida has released online a set of documents they claim were stolen from the network of the Chilean Army (Ejército de Chile). After confirming a security incident on May 29, where their systems were compromised over the weekend of May 27, the Chilean Army took immediate action by isolating the network. Military security experts have begun the process of restoring the affected systems. The incident was promptly reported to Chile's Computer Security Incident Response Team (CSIRT), which operates under the Joint Chiefs of Staff and the Ministry of National Defense. Shortly after the disclosure of the attack, local media reported the arrest and charges filed against an Army corporal in connection with the ransomware attack.

SentinelOne reports that the Rhysida threat actors employ phishing attacks to breach their targets' networks, followed by the deployment of Cobalt Strike or similar command-and-control (C2) frameworks to distribute payloads across compromised systems. The analyzed malware samples indicate that the gang's malware utilizes the ChaCha20 algorithm and is still under development, lacking certain features commonly found in other ransomware strains. When executed, it initiates a cmd[.]exe window, scans the local drives, and encrypts the victims' files, subsequently dropping PDF ransom notes named CriticalBreachDetected[.]pdf. The victims are then directed to the gang's Tor leak portal, where they are instructed to enter the unique identifier provided in the ransom notes to obtain payment instructions. According to SentinelOne, the payloads lack several typical features found in current ransomware variants, such as VSS removal. However, the group adopts the modern approach of multi-extortion, threatening victims with the public release of exfiltrated data.
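The one host artifact the summary above describes in detail is the ransom note dropped in every directory the malware walks. As an added detection example that is not part of the original write-up or of SentinelOne's research, the script below scans constructed file-creation events (the `timestamp|host|process|path` format, the hostnames and the 3-directories-in-5-minutes threshold are all assumptions) and raises one alert per host where that note name lands in several distinct directories in a short window, which is what a mass-encryption run looks like from file telemetry:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): "timestamp|host|process|path".
SAMPLE_EVENTS = """\
2023-05-27T02:10:01|srv-files-01|cmd.exe|C:\\Shares\\Finance\\CriticalBreachDetected.pdf
2023-05-27T02:10:02|srv-files-01|cmd.exe|C:\\Shares\\HR\\CriticalBreachDetected.pdf
2023-05-27T02:10:02|srv-files-01|cmd.exe|C:\\Shares\\Legal\\CriticalBreachDetected.pdf
2023-05-27T02:10:03|srv-files-01|cmd.exe|C:\\Users\\Public\\CriticalBreachDetected.pdf
2023-05-27T02:10:04|srv-files-01|cmd.exe|D:\\Backups\\CriticalBreachDetected.pdf
2023-05-27T09:15:00|wks-042|winword.exe|C:\\Users\\alice\\Documents\\CriticalBreachDetected.pdf
2023-05-27T09:30:00|wks-042|AcroRd32.exe|C:\\Users\\alice\\Downloads\\report.pdf
"""

NOTE_NAME = "criticalbreachdetected.pdf"  # ransom note name reported for Rhysida
WINDOW = timedelta(minutes=5)             # assumed correlation window
MIN_DIRS = 3                              # assumed threshold: distinct directories per host


def parse_events(log_text):
    """Parse the constructed 'timestamp|host|process|path' lines into dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, path = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "process": proc.lower(), "path": path})
    return events


def detect_ransom_note_spread(log_text, window=WINDOW, min_dirs=MIN_DIRS):
    """Alert once per host when the note appears in >= min_dirs directories within window.
    A single note (e.g. a user opening a copy of one) stays below the threshold."""
    by_host = defaultdict(list)
    for ev in parse_events(log_text):
        directory, _, name = ev["path"].replace("/", "\\").rpartition("\\")
        if name.lower() == NOTE_NAME:
            by_host[ev["host"]].append((ev["ts"], directory, ev["process"]))
    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            dirs = {d for _, d, _ in in_window}
            if len(dirs) >= min_dirs:
                alerts.append({"host": host, "first_seen": start.isoformat(),
                               "directories": len(dirs),
                               "processes": sorted({p for _, _, p in in_window})})
                break  # one alert per host is enough for triage
    return alerts
```

The `processes` field is kept so an analyst can see the writer (here the cmd.exe window the summary mentions) next to the spread count when triaging the alert.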

Security Officer Comments:
After initially announcing the attack and including the stolen data on their data leak site, the Rhysida ransomware group has now released approximately 30% of the total data they claim to have obtained from the Chilean Army's network. Germán Fernández, a security researcher from CronUp, reported that around 360,000 documents from the Chilean Army have been published by the Rhysida ransomware gang, with the remaining 70% yet to be disclosed. The Rhysida group presents itself as a "cybersecurity team" with the purported intention of assisting victims in securing their networks. The activities of this group were first detected by MalwareHunterTeam on May 17, 2023. Since then, the ransomware group has targeted eight additional victims, publishing all stolen files from five of them on their dark web data leak site.

Suggested Correction(s):
Back up your data, system images, and configurations, test the backups regularly, and keep them offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted by ransomware, your organization can still restore its systems.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

Link(s):
https://www.bleepingcomputer.com/