In May 2023, the Rhysida ransomware group emerged as a new and rapidly growing threat in the cybersecurity landscape. It operates on a Ransomware-as-a-Service (RaaS) model: the core group develops and maintains the ransomware, while affiliates carry out the intrusions. Its attacks primarily target large organizations across sectors including healthcare, government, education, and manufacturing.
For instance, in June 2024, New Jersey City University was hit by a Rhysida attack; the group threatened to release sensitive personal data of students and staff unless a $700,000 ransom in Bitcoin was paid. Such attacks highlight the increasing sophistication and boldness of ransomware groups, and raise two practical questions: What can we learn from these incidents? And how can we protect our own organizations from similar threats?
In this article, we’ll break down the anatomy of a Rhysida ransomware attack, using straightforward language to help you understand how these attacks unfold. We’ll also explore the technical and human-centered opportunities available to organizations at each stage of the attack to prevent or mitigate damage. The key takeaway? Effective defense requires a whole-organization approach that balances both technical measures and human empowerment.
Understanding the Rhysida Ransomware Attack
Before diving into strategies, it’s important to understand the typical characteristics of a Rhysida ransomware attack:
- Double Extortion: Rhysida not only encrypts the victim's data but also exfiltrates it, threatening to publish the stolen data if the ransom isn’t paid.
- Sophisticated Phishing: The group often uses phishing emails that appear legitimate, impersonating trusted entities to trick recipients into revealing login credentials or installing malware. Generative AI is increasingly being used by attackers to make such lures more convincing and free of the spelling and grammar tells that users were taught to look for.
- Exploitation of Vulnerabilities and Credential Theft: Rhysida exploits known, unpatched vulnerabilities in software and internet-facing systems to gain a foothold. Once on a host, the affiliates use credential-dumping tools such as Mimikatz to pull password hashes and plaintext credentials from LSASS memory, which they then reuse to authenticate to other systems.
- Lateral Movement: Once inside the network, the attackers move laterally with tools such as PsExec and PowerShell to reach additional systems, harvesting administrator-level credentials along the way.
- Use of Legitimate Tools: Rhysida also relies on built-in remote access such as RDP, and on brute-force password guessing against exposed services, to reach systems directly with valid credentials rather than with malware that security tools might recognize.
The Lifecycle of a Rhysida Attack and How to Counteract It
1. Before an Attack (Prevention)
Technical Opportunities:
- Phishing Protection: Implement advanced email filtering and anti-phishing tools to block phishing attempts before they reach users. Use phishing-resistant multi-factor authentication (MFA), such as FIDO2/WebAuthn security keys or passkeys rather than SMS or push codes, for critical accounts and for all remote access.
- Vulnerability Management: Patch promptly, prioritizing internet-facing systems and vulnerabilities known to be exploited in the wild. Ensure robust network segmentation to isolate critical assets from the rest of the network.
- Access Controls: Do not expose RDP directly to the internet; place it behind a VPN or gateway that enforces MFA, and restrict which accounts may use it. Limit administrative tools such as PowerShell and PsExec to the administrators who need them, and log their use, to reduce the attack surface.
Human-Centered Opportunities:
- Security-Engaged Culture: Rather than simply instructing employees, empower them. When security becomes a shared responsibility, employees are more vigilant and proactive, understanding that their actions directly impact the organization’s risk posture.
- Critical Thinking Training: Equip employees with skills to identify and resist sophisticated social engineering tactics, especially AI-generated lures that slip past technical controls. Focus on critical thinking skills, such as learning to detect logical fallacies and manufactured urgency.
- Cross-Functional Collaboration: Foster teams across departments to collaborate on identifying and mitigating risks. This ensures that diverse perspectives are considered, and everyone knows their role in the organization’s security strategy.
2. Initial Access
Technical Opportunities:
- Real-Time Monitoring: Deploy real-time monitoring and logging to detect the early signs of an intrusion: bursts of failed logins followed by a success, logons from unfamiliar locations or at unusual hours, and new services or scheduled tasks appearing on servers.
- Endpoint Security: Ensure robust endpoint protection that includes behavior-based detection (for example, an unexpected process reading LSASS memory) to catch and isolate malicious activity at the earliest possible stage.
Human-Centered Opportunities:
- Incident Reporting Culture: Employees aren’t just encouraged to report suspicious activities—they’re empowered to do so. Knowing that they own part of the risk makes them more likely to take swift action, which can prevent an attacker from gaining a foothold.
- Simulated Phishing Exercises: Regularly conduct simulated phishing exercises to keep employees sharp and improve their ability to recognize increasingly sophisticated phishing attempts.
3. During Lateral Movement
Technical Opportunities:
- Network Segmentation: Maintain strong network segmentation to limit the attacker’s ability to move laterally across the network, isolating sensitive data and critical systems.
- Privilege Management: Enforce the principle of least privilege, ensuring that users only have access to the systems and data necessary for their roles. This limits the damage an attacker can do if they compromise an account.
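The monitoring described under Initial Access and the lateral-movement controls above both come down to recognizing a handful of patterns in host telemetry: password guessing against RDP that eventually succeeds, PsExec dropping its service on a server, one account fanning out over the network, and a credential-dumping tool such as Mimikatz opening LSASS. The following is an added example, not code from the article or from any vendor, that encodes those four rules in Python and runs them over constructed sample events. The event dicts are a simplified stand-in for real Windows Security (4624/4625), System (7045) and Sysmon (event 10) records; the hosts, addresses, users, file paths and thresholds are hypothetical.

```python
"""Detection rules for the Rhysida-style tradecraft described in the article,
run over constructed sample events. Added example; event shapes are simplified
dicts keyed on real Windows event IDs (Security 4624/4625, System 7045, Sysmon 10)."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON_THRESHOLD = 5          # failed logons before a success is suspicious
BRUTE_FORCE_WINDOW = timedelta(minutes=5)
LATERAL_HOST_THRESHOLD = 3          # distinct hosts one account reaches over the network
# Processes that legitimately open LSASS; anything else opening it gets flagged.
LSASS_ALLOWLIST = {
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\wininit.exe",
    r"C:\Program Files\Windows Defender\MsMpEng.exe",
}


def detect_rdp_brute_force(events):
    """A source IP with >= FAILED_LOGON_THRESHOLD 4625s inside the window followed
    by a 4624 with logon type 10 (RemoteInteractive) means a guessed password."""
    failures = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] == 4625:
            failures[e["src_ip"]].append(e["ts"])
        elif e["id"] == 4624 and e.get("logon_type") == 10:
            recent = [t for t in failures[e["src_ip"]] if e["ts"] - t <= BRUTE_FORCE_WINDOW]
            if len(recent) >= FAILED_LOGON_THRESHOLD:
                alerts.append((e["src_ip"], e["user"], len(recent)))
    return alerts


def detect_psexec(events):
    """PsExec installs a service (System event 7045) named PSEXESVC on the target."""
    return [(e["host"], e["service_name"]) for e in events
            if e["id"] == 7045
            and "psexesvc" in (e.get("service_name", "") + e.get("image_path", "")).lower()]


def detect_lateral_spread(events):
    """One account authenticating over the network (4624 type 3) to many hosts."""
    hosts_by_user = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3:
            hosts_by_user[e["user"]].add(e["host"])
    return [(user, sorted(hosts)) for user, hosts in sorted(hosts_by_user.items())
            if len(hosts) >= LATERAL_HOST_THRESHOLD]


def detect_lsass_access(events):
    """Sysmon event 10 (ProcessAccess) against lsass.exe from a non-allowlisted
    image is the footprint of credential dumpers such as Mimikatz."""
    return [(e["host"], e["source_image"], e["granted_access"]) for e in events
            if e["id"] == 10
            and e["target_image"].lower().endswith(r"\lsass.exe")
            and e["source_image"] not in LSASS_ALLOWLIST]


def run_all(events):
    return {
        "rdp_brute_force": detect_rdp_brute_force(events),
        "psexec": detect_psexec(events),
        "lateral_spread": detect_lateral_spread(events),
        "lsass_access": detect_lsass_access(events),
    }


# Constructed sample telemetry (hosts, IPs, users and paths are hypothetical).
T0 = datetime(2024, 6, 3, 2, 0, 0)
SAMPLE_EVENTS = [
    # Six failed RDP logons from one address, then a successful one 70 s later.
    *[{"id": 4625, "ts": T0 + timedelta(seconds=10 * i), "host": "JUMP01",
       "src_ip": "203.0.113.7", "user": "jdoe"} for i in range(6)],
    {"id": 4624, "ts": T0 + timedelta(seconds=70), "host": "JUMP01",
     "src_ip": "203.0.113.7", "user": "jdoe", "logon_type": 10},
    # The same account then reaches three servers over the network.
    *[{"id": 4624, "ts": T0 + timedelta(minutes=3, seconds=i), "host": h,
       "src_ip": "10.0.1.20", "user": "jdoe", "logon_type": 3}
      for i, h in enumerate(["FS01", "FS02", "DC01"])],
    # PsExec service installed on one of them.
    {"id": 7045, "ts": T0 + timedelta(minutes=4), "host": "FS02",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # Credential dumping: an unknown binary opens LSASS on the domain controller.
    {"id": 10, "ts": T0 + timedelta(minutes=6), "host": "DC01",
     "source_image": r"C:\Temp\svchost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    # Benign noise: Defender opening LSASS, a service account with one network logon.
    {"id": 10, "ts": T0 + timedelta(minutes=6), "host": "DC01",
     "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1400"},
    {"id": 4624, "ts": T0 + timedelta(minutes=7), "host": "FS01",
     "src_ip": "10.0.1.50", "user": "svc_backup", "logon_type": 3},
]

if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

In production these rules would read from a SIEM rather than a list, and the LSASS allowlist would be derived from a baseline of the estate rather than typed in; the thresholds are starting points to tune against real noise. The point of the example is that none of the four patterns requires a malware signature, which is why behavior-based monitoring catches this tradecraft when file-based antivirus does not.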
Human-Centered Opportunities:
- Collaborative Defense: Encourage a culture where employees consult with security teams or peers if they notice anything unusual in their systems. Empowerment here means employees are not only expected to speak up but are equipped with the knowledge and authority to act.
- Empowered Decision-Making: Train and authorize frontline employees to take immediate action, such as disconnecting a suspected compromised device from the network (unplug the cable or disable Wi-Fi rather than powering it off, so that memory evidence is preserved for the responders). They’re not just following a protocol; they understand the stakes and are ready to act.
4. During Encryption and Exfiltration
Technical Opportunities:
- Data Loss Prevention (DLP): Implement DLP and network monitoring to detect and block unauthorized data exfiltration. Rhysida steals data before encrypting it, so a host sending an unusually large volume to an external destination the organization has never used is the signal to look for.
- Encryption Detection: Use EDR or file-activity monitoring that recognizes the early stages of mass encryption (one process rewriting or renaming many files in a short time, canary files being modified) and automatically isolates the affected host.
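Both technical controls above reduce to a measurable signal. The following added example (not code from the article or any DLP or EDR product) shows the two checks in Python over constructed data: an exfiltration rule that flags a host pushing a large volume to a previously unseen external destination, and an encryption rule that flags a process touching many files in a short window whose written content has the near-8-bits-per-byte entropy of ciphertext. The hosts, destinations, paths, the ".locked" extension and all thresholds are hypothetical.

```python
"""Added example: detection ideas for the exfiltration and encryption stage, run
over constructed sample data. Flow and file-activity records are simplified dicts;
thresholds are illustrative rather than tuned."""
import hashlib
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EXFIL_BYTES_THRESHOLD = 500 * 1024 * 1024   # bytes from one host to one external destination
RENAME_BURST_THRESHOLD = 20                 # files one process rewrites within the window
RENAME_WINDOW = timedelta(minutes=2)
HIGH_ENTROPY = 7.0                          # bits/byte; ciphertext and compressed data sit near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: English text is ~4-5, encrypted output ~8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_exfil(flows, known_destinations):
    """Hosts sending >= EXFIL_BYTES_THRESHOLD to an external destination the
    organization has never used. flows: dicts with host, dst, dst_external, bytes_out."""
    totals = defaultdict(int)
    for f in flows:
        if f["dst_external"]:
            totals[(f["host"], f["dst"])] += f["bytes_out"]
    return sorted((host, dst, total) for (host, dst), total in totals.items()
                  if total >= EXFIL_BYTES_THRESHOLD and dst not in known_destinations)


def detect_encryption_burst(file_events):
    """One process rewriting many files inside RENAME_WINDOW, most of them with
    high-entropy content, is the early footprint of encryption. Entropy alone is
    not enough (zip and media files are high-entropy too), hence the burst count.
    file_events: dicts with ts, host, process, path, new_path, sample (bytes written)."""
    by_process = defaultdict(list)
    for e in sorted(file_events, key=lambda e: e["ts"]):
        by_process[(e["host"], e["process"])].append(e)
    alerts = []
    for (host, proc), evs in by_process.items():
        # Largest number of files touched inside any window-long slice.
        peak = max(sum(1 for e in evs[i:] if e["ts"] - first["ts"] <= RENAME_WINDOW)
                   for i, first in enumerate(evs))
        high = sum(1 for e in evs if shannon_entropy(e["sample"]) >= HIGH_ENTROPY)
        if peak >= RENAME_BURST_THRESHOLD and high * 2 >= len(evs):
            alerts.append((host, proc, peak, high))
    return alerts


def _pseudo_random(n: int, seed: bytes = b"seed") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample data (hosts, destinations, paths and processes are hypothetical).
PLAINTEXT_SAMPLE = b"Quarterly revenue report - draft 3. Totals by region follow.\n" * 8
CIPHERTEXT_SAMPLE = _pseudo_random(4096)
T0 = datetime(2024, 6, 3, 3, 0, 0)
SAMPLE_FILE_EVENTS = [
    # Ransomware-like: one process rewrites 25 documents with random-looking data in 72 s.
    *[{"ts": T0 + timedelta(seconds=3 * i), "host": "FS01", "process": r"C:\Temp\svchost.exe",
       "path": f"D:\\Shares\\Finance\\report_{i}.docx",
       "new_path": f"D:\\Shares\\Finance\\report_{i}.docx.locked",
       "sample": _pseudo_random(4096, seed=bytes([i]))} for i in range(25)],
    # Normal: a user saving one document from Word.
    {"ts": T0 + timedelta(minutes=1), "host": "WS07",
     "process": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "path": r"C:\Users\jdoe\Documents\memo.docx", "new_path": None, "sample": PLAINTEXT_SAMPLE},
]
SAMPLE_FLOWS = [
    {"host": "FS01", "dst": "198.51.100.23", "dst_external": True, "bytes_out": 1_200 * 1024 * 1024},
    {"host": "WS07", "dst": "backup.example-cloud.test", "dst_external": True, "bytes_out": 300 * 1024 * 1024},
    {"host": "FS01", "dst": "10.0.1.5", "dst_external": False, "bytes_out": 40_000 * 1024 * 1024},
]
KNOWN_DESTINATIONS = {"backup.example-cloud.test"}

if __name__ == "__main__":
    print("exfil:", detect_exfil(SAMPLE_FLOWS, KNOWN_DESTINATIONS))
    print("encryption:", detect_encryption_burst(SAMPLE_FILE_EVENTS))
```

The exfiltration rule deliberately keys on destination novelty as well as volume, because the legitimate sync to a known cloud backup in the sample moves a lot of data too. The encryption rule is the logic behind the "isolate the host" automation mentioned above; the response action itself belongs in the EDR or network access control, not in the detector.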
Human-Centered Opportunities:
- Immediate Response Protocols: Employees should be trained to act quickly if they detect signs of data exfiltration or unauthorized encryption. They understand the potential impact of hesitating and are empowered to take decisive action.
- Critical Thinking: Equip employees with the ability to question unexpected data transfers or system behavior, recognizing these as potential signs of an ongoing attack. This isn’t just about following a checklist; it’s about understanding the broader implications of their actions.
5. During the Ransom Demand
Technical Opportunities:
- Ransomware Response Playbooks: Have a ransomware response playbook ready that includes technical steps for containment, communication with stakeholders, and the legal considerations (including sanctions checks and regulatory notification deadlines) that must be settled before anyone engages with the attackers.
- Incident Response Automation: Leverage automated tools to perform predefined actions, such as isolating infected systems, when a ransomware attack is detected.
Human-Centered Opportunities:
- Crisis Management: Empower crisis management teams with the authority and knowledge to handle ransom demands effectively. This includes engaging with legal, PR, and negotiation experts to minimize damage, knowing that their decisions carry significant weight.
- Communication Protocols: Establish clear communication protocols so that every employee knows who to contact and what steps to take if they receive a ransom note. The goal is to ensure that the response is swift, coordinated, and effective.
6. Post-Incident (Recovery and Hardening)
Technical Opportunities:
- Secure Backups: Maintain regular, encrypted backups with at least one copy offline or immutable, and not reachable with the domain credentials the attackers are harvesting during lateral movement; otherwise the backups are encrypted or deleted along with everything else. Test restores regularly, not just backup jobs.
- System Restoration: Have a well-documented and tested process for restoring systems from backups, including a way to verify that what was restored is complete and unaltered, to minimize downtime and data loss.
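"Tested regularly" needs something concrete to test against. The following added example (not the article's or any backup product's code) shows one way: record a SHA-256 manifest of every file when the backup is taken, then compare a restored tree against that manifest and report what is missing, altered or unexpected. The demo() function exercises it in a temporary directory, including a restore that has been tampered with. The file names and contents are constructed for the example.

```python
"""Added example: manifest-based restore verification. build_manifest() records a
SHA-256 per file at backup time; verify_restore() compares a restored tree with it.
demo() runs the whole cycle on a temporary directory with constructed files."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map of relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root) -> dict:
    """Compare a restored tree with the manifest it was backed up under.
    'ok' requires nothing missing and nothing altered; unexpected files are
    reported but do not fail the check on their own."""
    current = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(current))
    altered = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    unexpected = sorted(set(current) - set(manifest))
    return {"missing": missing, "altered": altered, "unexpected": unexpected,
            "ok": not missing and not altered}


def demo() -> dict:
    """Back up a small tree, restore it cleanly, then damage the restore and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "readme.txt").write_text("quarterly close files\n")
        manifest = build_manifest(src)          # stored separately from the backup itself

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        clean = verify_restore(manifest, restored)

        # Simulate a bad restore: one file overwritten with ciphertext-like bytes,
        # one file missing, and a stray file (hypothetical ".locked" name) present.
        (restored / "finance" / "ledger.csv").write_bytes(b"\x8f\x1c\xa2\x07\x5e\xd9\x44\xb1")
        (restored / "readme.txt").unlink()
        (restored / "finance" / "ledger.csv.locked").write_bytes(b"\x02\x9a\xff\x10")
        damaged = verify_restore(manifest, restored)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

The manifest only helps if an attacker who reaches the backup cannot also rewrite it, so keep it with the offline copy or sign it with a key the backup system does not hold. Run the verification as part of every scheduled restore test, not only after an incident, so that a silently corrupted or already-encrypted backup is found while there is still a good one.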
Human-Centered Opportunities:
- Post-Incident Analysis: Involve all relevant stakeholders in a thorough post-incident analysis to understand how the attack occurred and identify areas for improvement. This inclusive approach ensures that lessons learned are shared across the organization.
- Ongoing Education and Training: Continuously update training programs based on lessons learned from incidents, keeping employees aware of evolving threats and new security practices. Empowered employees are more likely to internalize and act on this knowledge.
Conclusion: A Holistic Approach to Cybersecurity
The Rhysida ransomware attacks underscore the need for a comprehensive, whole-organization approach to cybersecurity. By integrating both technical measures and human-centered strategies at each stage of a ransomware attack, organizations can build a robust, layered defense that not only reduces the likelihood of an attack succeeding but also minimizes the impact if one does occur.
This approach goes beyond traditional, centralized security functions. It’s about shifting the ownership of risk across the organization, empowering employees to participate actively in managing that risk. When everyone understands what’s at stake and knows they have the authority to act, security becomes a shared responsibility. This collective vigilance transforms cybersecurity from a siloed function into a core organizational value, making the entire organization stronger and more resilient in the face of evolving threats.
About the Author
Sonya Lowry is the creator of Federated Cyber-Risk Management (FCR), a revolutionary approach that transforms how organizations handle cybersecurity by fostering a culture of shared responsibility. Sonya’s work centers on empowering organizations to move beyond traditional, centralized security models by engaging every stakeholder in managing cyber risks and making cybersecurity a collective effort.
With a deep conviction that cybersecurity is as much about people as it is about technology, Sonya helps organizations implement FCR to build security-engaged cultures. In these environments, every employee understands the risks and is equipped with the knowledge and authority to take action, ensuring a more resilient and proactive defense against threats.
Sonya’s innovative approach to cybersecurity is built on over two decades of experience in information technology, data analytics, and risk management, including significant leadership roles in both the private and public sectors. However, her recent focus on integrating human-centered strategies with technical solutions through FCR is what truly sets her apart as a leader in the field. Sonya is dedicated to reshaping the cybersecurity landscape by ensuring that organizations are not only protected but also empowered to adapt and thrive in the face of ever-evolving threats.