Nov 15, 2024
Threat Profile: Rhysida Ransomware
[Update] November 16, 2023: See the subheading: “Collaborative Advisory by CISA, FBI, and MS-ISAC on Rhysida Ransomware.”
[Update] February 13, 2024: “A Free Decryption Tool Released”
The digital world is an ever-evolving landscape, and with it comes the evolution of cyber threats. One such emerging threat is the Rhysida Ransomware Group, a new player in the cybercrime arena that has been making waves since its first sighting in May 2023. This group, which positions itself as a “cybersecurity team,” has been targeting systems and highlighting potential security issues, all while threatening victims with public distribution of exfiltrated data. This blog post aims to shed light on the Rhysida Ransomware Group, their attack methods, tools, targets, and how organizations can protect themselves against such threats.
Who is Rhysida?
Rhysida is a Ransomware-as-a-Service (RaaS) group that emerged at the end of May 2023. Despite being a newcomer, the group has quickly established itself as a significant ransomware operation. Their first high-profile attack was against the Chilean Army, marking a trend of ransomware groups targeting Latin American government institutions.
On June 15, 2023, the group leaked files stolen from the Chilean Army, which turned the group’s claim as true.
The group positions themselves as a “cybersecurity team” who are doing their victims a favor by targeting their systems and highlighting the supposed potential ramifications of the involved security issues.
How does Rhysida Attack?
Rhysida is deployed in multiple ways. Primary methods include deployment via Cobalt Strike – a penetration testing tool often misused by threat actors for its advanced exploitation and post-exploitation capabilities – or phishing campaigns. This suggests that Rhysida’s targets could potentially span a wide range of sectors and industries, as these attack methods are not specific to any particular type of organization.
Rhysida ransom notes are written as PDF documents to affected folders on targeted drives. This could potentially provide some insight into the types of systems or networks that Rhysida targets, as the presence of these ransom notes could indicate that the targeted systems have the capability to handle PDF documents. This indicates that the group is not targeting command-line operating systems used on network devices or servers.
The group threatens victims with public distribution of the exfiltrated data, bringing them in line with modern-day multi-extortion groups. Rysida can be appended to the list of the groups that follow the double-extortion strategy.
Rhysida’s ransomware is a 64-bit Portable Executable (PE) Windows cryptographic ransomware application compiled using MINGW/GCC. A sample analyzed by researchers suggests the tool is in the early stages of development because of the application’s program name is set to Rhysida-0.1.
When Rhysida runs, we observed a process of getting output from the command line, which apparently scans the files, runs the “file_to_crypt” function, and if successful, changes the file extension to “.rhysida”:
![Fig. 3. Script outputs that appear on cmd[.]exe when Rhysida runs](https://socradar.io/wp-content/uploads/2023/08/rhysida-cmd-output.png.webp)
For the encryption phase, Rhysida uses a 4096-bit RSA key with the ChaCha20 algorithm.
Rhysida generates the ransom note as a PDF document, as mentioned above. The content of the document is embedded in the binary in clear text.
A quick look at Rhysida Ransomware’s TOR page
When the TOR page of the group is opened, their own logo Rhysida Centipede and the current auctions and total number of victims can be seen.
When we scroll down to the middle of the homepage, we see an area where the token in the ransom note can be entered for victims to communicate with Rhysida, also on the left side of the page shows new victims and data shares on the right side where they have started the data leak phase.
Once the token is entered, a contact form specially designed for victims appears:
The footer of the group’s TOR page has 3 sections:
- News: The section where they add news posts that appear under the group’s own name
- Contact Us Form: The section where Journalist, Recoveries and fans who want to get in touch can leave their contact details
- How you can buy BTC: The section where the Bitcoin’s dollar equivalent can be seen and various sites where Bitcoin can be purchased are shared
When we click on the Auctions button in the header section of the page, there are victim announcements where data leaks have not yet been initiated by the group.
When the Companies button in the header section of the page is clicked, there is a list of victims whose data leak process has started or completed, and URLs belonging to the each leaked data.
What are the targets of Rhysida?
Target Sectors:
When observing the group’s attacks, it can be inferred that it mostly targets the organizations operating in the Education and Manufacturing fields.
Target Countries:
Looking at the countries where the organizations affected by Rhysida Ransomware are located, it can be inferred that it is mostly active in North America, Europe and Australia.
When the country distributions are analyzed, we conclude that the United States, Italy, Spain and the United Kingdom are targeted more than other countries, respectively.
What are the latest activities of Rhysida Ransomware?
The group’s recent attacks show that the education sector has been targeted most recently.
One of the recent victim of Rhysida is the University of West Scotland:
A Free Decryption Tool Released
In a significant breakthrough, cybersecurity researchers have successfully identified a vulnerability within Rhysida ransomware, enabling the decryption of files encrypted by this malware without paying the ransom. This achievement was made possible through the collaborative efforts of experts from Kookmin University and the Korea Internet and Security Agency (KISA). A free decryption tool is now available, marking a pivotal moment in the fight against Rhysida ransomware.
A security expert, Fabian Wosar stated that the vulnerability in Rhysida ransomware was independently discovered by multiple entities who opted for discretion, aiming to prevent alerting the ransomware creators. However, Wosar also emphasized the limitations of the decryption solution, noting its applicability exclusively to the Windows version of Rhysida, thus highlighting the ongoing challenges in addressing the full spectrum of Rhysida’s impact.
Rhysida’s Relation with Vice Society
Recently, security researchers have alleged that there is a relationship between Rhysida and Vice Society. In terms of commonalities, both groups mainly target the education sector. 38.4% of Vice Society’s attacks targeted the education sector, compared to 30% of Rhysida’s.
Collaborative Advisory by CISA, FBI, and MS-ISAC on Rhysida Ransomware
CISA, FBI, and MS-ISAC have issued a collaborative advisory, #StopRansomware: Rhysida Ransomware, to share indicators of compromise, detection methods, and TTPs used by Rhysida ransomware with public. CISA emphasizes that Rhysida, as a RaaS group, has targeted organizations in various sectors, employing external-facing remote services and exploiting vulnerabilities like Zerologon (CVE-2020-1472) and phishing campaigns for initial access. They commonly authenticate to internal VPN access points using compromised credentials, taking advantage of organizations lacking default Multi-Factor Authentication (MFA).
Additionally, Rhysida utilizes Living Off the Land (LOTL) techniques, such as creating Remote Desktop Protocol (RDP) connections for lateral movement, establishing VPN access, and employing PowerShell, allowing them to blend in with normal Windows systems and network activities to evade detection.
The advisory further provides a list of tools, and commands utilized by the threat actor, details characteristics and methods employed for encryption and extortion. In addition to IoCs and TTPs, the advisory includes an extensive list of mitigation strategies.
Explore the joint cybersecurity advisory here.
Conclusion
Rhysida Ransomware Group has emerged as a significant threat in the cyber landscape. With its strong encryption techniques and double extortion tactics, Rhysida posed a serious risk to organizations worldwide in a short time. The group’s focus on military and government institutions, as evidenced by their attack on the Chilean Army, further underscores the potential severity of their activities.
By understanding the group’s tactics, techniques, and procedures (TTPs), organizations can take proactive measures to protect their systems and data. This includes patching known vulnerabilities, implementing robust security measures, and training staff to recognize and avoid phishing attempts.
Security Recommendations against Rhysida
Given the severity of Rhysida’s attacks, it’s crucial for organizations to take proactive measures to protect their systems and data. Here are some security recommendations to defend against Rhysida Ransomware:
Virtual Patching: Rhysida is known to exploit known vulnerabilities in software to gain access to systems. Virtual patching can help by providing an immediate layer of protection against known vulnerabilities that the ransomware might exploit. This is especially important when a vendor-supplied patch is not immediately available or cannot be applied right away due to testing requirements.
Phishing Awareness Training: Since Rhysida often uses phishing campaigns to deliver its ransomware, it’s important to provide regular phishing awareness training to all employees. This can help them recognize and avoid phishing attempts.
Use of Endpoint Security Solutions: Endpoint security tools can help fight against ransomware by continuously checking all points of entry in a network, spotting and stopping malicious software, reviewing all incoming data, and giving the option to separate or delete data from afar, which helps prevent the spread of ransomware throughout the network.
Immutable Backups: Utilizing the inherent stability of immutable backups, which are distinguished by their resistance to modification and deletion, organizations can construct a robust protective barrier against potential ransomware incursions. These backups guarantee that, despite the presence of such cyber risks, the restoration of data remains a feasible and efficient approach, thereby negating the necessity to comply with ransom requisitions
Network Segmentation: By segmenting your network, you can limit the spread of ransomware if one part of your network is compromised.
Use of Firewalls and Intrusion Detection Systems: Firewalls and intrusion detection systems can help detect and block suspicious activity, potentially stopping an attack before it can do significant damage.
Incident Response Plan: Having a well-defined incident response plan can help your organization respond quickly and effectively to a ransomware attack, minimizing downtime and damage.
Least Privilege Principle: Limit the access rights of users and applications as much as possible. This can help prevent ransomware from gaining the access it needs to encrypt files or spread throughout your network.
MITRE ATT&CK TTPs of Rhysida Ransomware
| Technique | ID |
| Reconnaissance | |
| Active Scanning | T1595 |
| Phishing for Information | T1598 |
| Resource Development | |
| Acquire Infrastructure | T1583 |
| Develop Capabilities | T1587 |
| Initial Access | |
| Phishing | T1566 |
| Abuse Elevation Control Mechanism: Bypass User Account Control | T1548.002 |
| Execution | |
| Command and Scripting Interpreter | T1059 |
| Shared Modules | T1129 |
| Persistence | |
| Registry Run Keys / Startup Folder | T1547.001 |
| Privilege Escalation | |
| Process Injection | T1055 |
| Thread Execution Hijacking | T1055.003 |
| Registry Run Keys / Startup Folder | T1547.001 |
| Defense Evasion | |
| Obfuscated Files or Information | T1027 |
| Indicator Removal from Tools | T1027.005 |
| Masquerading | T1036 |
| Process Injection | T1055 |
| Thread Execution Hijacking | T1055.003 |
| Virtualization/Sandbox Evasion | T1497 |
| Hide Artifacts | T1564 |
| NTFS File Attributes | T1564.004 |
| Reflective Code Loading | T1620 |
| Discovery | |
| Application Window Discovery | T1010 |
| Process Discovery | T1057 |
| System Information Discovery | T1082 |
| File and Directory Discovery | T1083 |
| Virtualization/Sandbox Evasion | T1497 |
| Security Software Discovery | T1518.001 |
| Collection | |
| Data from Local System | T1005 |
| Automated Collection | T1119 |
| Command and Control | |
| Application Layer Protocol | T1071 |
| Web Protocols | T1071.001 |
| Exfiltration | |
| Exfiltration Over C2 Channel | T1041 |
| Impact | |
| Data Encrypted for Impact | T1486 |
Appendix
IoCs of Rhysida Ransomware:
| IOC Type | IOC |
| URL | https://ipapi.com/json/ |
| Hash (SHA-256) | a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6 |
| Hash (SHA-256) | 6903b00a15eff9b494947896f222bd5b093a63aa1f340815823645fd57bd61de |
| Hash (SHA-1) | 7abc07e7f56fc27130f84d1c7935a0961bd58cb9 |
| Hash (SHA-256) | 3bc0340007f3a9831cb35766f2eb42de81d13aeb99b3a8c07dee0bb8b000cb96 |
| Hash (SHA-256) | 2a3942d213548573af8cb07c13547c0d52d1c3d72365276d6623b3951bd6d1b2 |
| Hash (MD-5) | 59a9ca795b59161f767b94fc2dece71a |
| Hash (SHA-256) | 250e81eeb4df4649ccb13e271ae3f80d44995b2f8ffca7a2c5e1c738546c2ab1 |
| Hash (SHA-256) | 2a3942d213548573af8cb07c13547c0d52d1c3d72365276d6623b3951bd6d1b2 |
For more IoCs, you can visit the Threat Actor/Malware page under the CTI module of SOCRadar XTI Platform.
Related Articles
Dark Web Profile: Cadet Blizzard
Dark Web Profile: CosmicBeetle (NoName) Ransomware
Nov 08, 2024
Dark Web Profile: KillSec
Nov 07, 2024
Dark Web Profile: Tropic Trooper (APT23)
Nov 01, 2024
Dark Web Profile: Evil Corp
Oct 17, 2024
Subscribe to our newsletter and stay updated on the latest insights!
