Investigating The New Rhysida Ransomware
Fortinet News, Wednesday, November 15, 2023
The goal of the FortiGuard IR team is to provide organizations with valuable insights from threat analysis to bolster their security posture. We recently conducted a comprehensive analysis of an incident involving the Rhysida ransomware group, shedding light on their operations, tactics, and impact, including a novel technique involving ESXi-based ransomware.
The Rhysida group was first identified in May 2023, when it claimed its first victim. The group deploys a ransomware variant known as Rhysida and also offers it as Ransomware-as-a-Service (RaaS). It has listed around 50 victims so far in 2023.
The investigation conducted by the FortiGuard IR team and MDR team uncovered some of the techniques and tools used by Rhysida:
The initial detection was identified by the FortiGuard MDR team. The threat actor was observed accessing systems in a victim's network and attempting to create memory dumps and gather user data. FortiEDR detected these events, allowing the MDR team to analyze them further.