The Rhysida Ransomware Group Claimed: The China Energy Engineering Corporation has been recently added to the Rhysida Ransomware Gang’s list of victims on its Tor leak site.
CEEC, a state-owned company in China operating in the energy and infrastructure sectors, stands as one of the nation’s major integrated energy companies with a significant industry presence. Engaged in a variety of energy projects, including coal, hydropower, nuclear, and renewable energy initiatives, CEEC also contributes to global energy projects.
The ransomware group claims to have acquired a substantial amount of ‘impressive data’ and is auctioning it for 50 BTC. The intention is to sell the stolen data to a single buyer, with public release scheduled over seven days following the announcement.
Recently, the FBI and CISA issued a joint Cybersecurity Advisory (CSA) as part of the ongoing #StopRansomware initiative. This advisory warns about Rhysida ransomware attacks and provides information on tactics, techniques, and procedures (TTPs), along with indicators of compromise (IOCs) associated with ransomware groups. The report encompasses IOCs and TTPs identified through investigations as recent as September 2023.
The Rhysida ransomware group, operational since May 2023, has already targeted at least 62 companies according to their Tor leak site. Victims span various industries, including education, healthcare, manufacturing, information technology, and government sectors, with the group focusing on “targets of opportunity.”
Recently, the group has also added British Library to its list of victims and shared the update on the Tor site.
The joint advisory also highlights similarities between Vice Society (DEV-0832) activity and the actors observed deploying Rhysida ransomware. Furthermore, there is confirmation of instances where Rhysida actors operate in a ransomware-as-a-service (RaaS) capacity, leasing out ransomware tools and infrastructure in a profit-sharing model.
Rhysida actors gain initial access to target networks and maintain persistence by leveraging external-facing remote services such as VPNs and RDPs. Compromised credentials are used for authentication to internal VPN access points, and the threat actors have exploited Zerologon (CVE-2020-1472) in Microsoft’s Netlogon Remote Protocol in phishing attempts. The group employs living off-the-land techniques, utilizing native network administration tools built into the operating system for malicious operations.