July 2024 was an active month for threat actors deploying ransomware. This period highlighted the diversity of the threat landscape, with significant activity from less common ransomware groups such as Rhysida, Apt Inc., and RansomHub. For additional information on RansomHub, check out our monthly Threat Actor Spotlight.
The top industries impacted by ransomware during July were Government and Professional Services. Additionally, the Healthcare, Financial, and Education industries also faced significant ransomware activity throughout the month.
Rhysida is a ransomware-as-a-service (RaaS) operation that emerged in 2023. In recent months, MOXFIVE has responded to several incidents involving threat actors deploying this ransomware. These actors typically gain initial access through phishing emails, exploiting unpatched vulnerabilities, and leveraging external-facing remote services, including the Zerologon vulnerability (CVE-2020-1472). We have also observed users downloading malicious Teams executables and installing them locally, which led to Rhysida infections. The Healthcare sector has been a primary target of these attacks, though other industries are also at risk and are commonly impacted.
Based on MOXFIVE’s experience in handling Rhysida-related incidents, two notable trends have emerged. First, ransom negotiations have occasionally been successful, with reductions of up to 50% from the initial demand. These outcomes were often achieved by emphasizing the size of the impacted business and the perceived value of the exfiltrated data. This is a considerable amount given the ransom demands have reached as high as $2 million. Second, in some cases, the threat actors have exfiltrated stolen data to Azure Blob Storage. This method of data transfer is challenging to detect due to its common use as a legitimate cloud storage solution. However, MOXFIVE has been able to identify the specific data exfiltrated through a configuration file left on the host, offering a valuable insight into the scope of the breach.
Phishing emails, VPN vulnerabilities, lack of MFA, software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access points for ransomware attacks.
CVE-2024-37085 is a critical vulnerability in VMware ESXi hypervisors related to the "ESX Admins" group, which can be exploited to gain full administrative control over the hypervisor. This vulnerability allows attackers to create the group and add users to it, bypassing proper validation processes. Threat actors have been seen exploiting this vulnerability to deliver Akira and Black Basta. A detailed report published by Microsoft including mitigation and protection guidance can be found here.
To reduce the risk of ransomware or larger incidents, organizations should implement a multi-layered defense strategy. This includes proactive threat detection with EDR (Endpoint Detection and Response) and MDR (Managed Detection and Response) solutions to monitor and respond to suspicious activities, automated responses to rapidly contain and remediate threats, and the use of an Application Locker for application whitelisting and blacklisting to prevent the installation of malicious software. Additionally, URL filtering and blocking tools with reputational validation are essential for preventing access to malicious sites that could lead to ransomware impacts.
Rhysida is a ransomware group first observed in 2023, operating as a ransomware-as-a-service (RaaS). They have become highly active recently, with MOXFIVE responding to multiple incidents involving this ransomware, alongside numerous public reports of activity.
Apt Inc., previously identified as "SEXi Ransomware," is a ransomware group specializing in attacks on VMware ESXi servers. The group employs a leaked Babuk encryptor for targeting VMware ESXi servers and a leaked LockBit 3 encryptor for Windows systems.
RansomHub is a RaaS that emerged in early 2024, quickly becoming a prevalent threat. It offers a unique payment model, providing threat actors with a 90% commission on paid ransoms, making it an attractive option compared to other ransomware services.
