Rhysida Ransomware Attack on Hernando County

Background

Rhysida ransomware gang has attacked Hernando County. The country started to get back online on April 15 after country sites suffered downtime for weeks. An initial post on the county website said it had recently experienced an interruption of the county-wide IT network. Upon learning of this interruption, the Hernando County Clerk Information Technology Incident Response Team (IRT) was deployed and immediately began working with third-party computer specialists to investigate the nature and scope of the incident.

About Hernando County

Hernando County is a county located on the west central coast of the US state of Florida. As of the 2020 census, the population was 194,515. Its county seat is Brooksville, and its largest community is Spring Hill.

About Rhysida Ransomware

Rhysida is a RaaS that was first observed in May of 2023 and has become one of the more prevalent threats in the latter half of 2023. Rhysida engages in data exfiltration for double extortion and maintains both a leak site and a victim support portal on TOR. They are thought to be responsible for attacks against the Chilean military and, more recently, against Prospect Medical Holdings, which impacted services at hundreds of clinics and hospitals across the US.

In Q4-2023, the FBI and CISA released a joint advisory on Rhysida operations. Rhysida has been steadily increasing its attack volume and continuing to expand the targeted industries, but the volume is modest compared to that of its leaders. Rhysida deploys its ransomware through various methods, including Cobalt Strike or similar frameworks, as well as phishing campaigns.

Analysis of Rhysida ransomware samples suggests that the group is still in the early stages of development. The ransomware lacks certain standard features, such as VSS removal, which are standard in contemporary ransomware. However, the group follows the practices of modern multi-extortion groups by threatening to distribute the stolen data publicly.

Ransomware Operation

Upon execution, Rhysida displays a cmd.exe window and scans all files on local drives. Victims are instructed to contact the attackers using the TOR-based portal and their unique identifier provided in the ransom notes. The group only accepts payment in Bitcoin (BTC) and provides victims with instructions on purchasing and using BTC through the victim portal. Victims are also given an additional form on the payment portal to provide authentication and contact details to the attackers. The Rhysida ransom notes are written as PDF documents and placed in the affected folders on the targeted drives.