Rhysida Ransomware Gang Attacks ORT Harmelin College of Engineering

The Rhysida ransomware gang has attacked the ORT Harmelin College of Engineering. ORT Hermelin College of Engineering is an academic institution located in Netanya, Israel. ORT is a global network of educational and vocational training organizations, and ORT Hermelin College of Engineering is one of its institutions. Rhysida posted the ORT Harmelin College of Engineering to its data leak site on September 25th, demanding a $26,000 ransom for the safe return of stolen data.

Rhysida's Modus Operandi

Rhysida is a RaaS that was first observed on May 17, 2023. Rhysida has been observed deploying Cobalt Strike or similar command-and-control frameworks and abusing PSExec for lateral movement, dropping PowerShell scripts, and for payload delivery. They engage in data exfiltration for double extortion and maintain both a leaks site and a victim support portal on TOR. They are thought to be responsible for attacks against the Chilean military and more recently against Prospect Medical Holdings which impacted services at hundreds of clinics and hospitals across the US.

Rhysida has been steadily increasing their attack volume and continuing to expand the targeted industries, but volume is modest compared to leaders. Rhysida appears to be opportunistic attackers with a similar victimology as Vice Society.

Ransom Demands and Tactics

IT remains unclear how much Rhysida operators typically demand for a ransom payment at this time. Rhysida appears to have a fairly advanced RaaS offering, with capabilities that include advanced evasion techniques that can bypass antivirus protection, the wiping of Volume Shadow Copies (VSS) to prevent rollback of the encryption, and the ability to modify Remote Desktop Protocol (RDP) configuration. Rhysida employs 4096-bit RSA key and AES-CTR for file encryption.

Rhysida does not appear to be targeting Linux systems, maintaining a focus on Windows targets. TTPs are similar to those of Vice Society, which has been less active as Rhysida has emerged. Rhysida has been observed targeting the healthcare, education, government, manufacturing, and tech industries.

False Claims of Penetration Testing

Rhysida operators purport to be a “cybersecurity team” conducting unauthorized “penetration testing” to ostensibly “help” victim organizations identify potential security issues and secure their networks. The subsequent ransom demand is viewed as “payment” for their services.