| Rhysida Ransomware Group | |
| --- | --- |
| Other Names | Unknown |
| Location | Unknown |
| Date of initial activity | 2023 |
| Suspected attribution | Unknown |
| Associated Groups | Vice Society |
| Motivation | Steal information from victims for financial gain |
| Associated tools | Rhysida ransomware, Cobalt Strike, cmd.exe, PowerShell.exe, PsExec.exe, mstsc.exe, PuTTY.exe, PortStarter, secretsdump, ntdsutil.exe, AnyDesk, wevtutil.exe, PowerView |
| Active | Yes |
Overview
Rhysida Ransomware is a new ransomware-as-a-service (RaaS) group that was first observed on May 23. The group presents itself as a cybersecurity team doing its victims a favour by highlighting their security issues and the potential ramifications.
When Rhysida emerged, many similarities in TTPs were noted between Rhysida and Vice Society: use of the same folder name, use of SystemBC, malware offered for sale, and the exact name of the registry run key used for persistence. Together these point to Vice Society having rebranded as Rhysida. Vice Society’s activity has dropped significantly since Rhysida emerged, and the group has published only two victims on its leak site since. The two groups have also targeted similar industries, i.e. healthcare and education, pointing to ties between Rhysida and Vice Society members.
The group drops an eponymous ransomware, using phishing attacks and Cobalt Strike to breach targets’ networks and deploy its payloads. The group threatens to publicly distribute the exfiltrated data if the ransom is not paid. Rhysida is still in the early stages of development, as indicated by the lack of advanced features and the program name Rhysida-0.1. The ransomware also leaves PDF notes in the affected folders, instructing the victims to contact the group via their portal and pay in Bitcoin.
The Rhysida group operates a data leak site on TOR for ransom negotiations and exposing data stolen from the victims.
Common targets
Rhysida Ransomware targets industries all across the globe. In recent months, Rhysida has run campaigns compromising and extorting organizations from the government, education, healthcare, IT, and manufacturing sectors.
Attack Vectors
Rhysida threat actors rely on phishing attacks as an infection vector. The attackers also reportedly use Cobalt Strike for lateral movement within the victim’s network and to deliver payloads. Cobalt Strike is advertised as an adversary emulation tool for information security professionals to evaluate network and system defenses.
How they operate
The threat actors abuse legitimate software such as PowerShell to gain information about users and systems within the network, PsExec to schedule tasks and make changes to registry keys to maintain persistence, AnyDesk for remote connections, and WinSCP for file transfers. The threat actors also attempt to exfiltrate data from various systems using MegaSync.
For encryption, Rhysida uses a 4096-bit RSA key with the ChaCha20 algorithm. It uses an exclusion list to avoid encrypting certain files. After encryption, Rhysida appends the .rhysida extension to the names of the encrypted files. It changes the wallpaper and drops a ransom note as a PDF document. The group then threatens victims in the ransom note with public distribution of the exfiltrated data, bringing it in line with modern double-extortion groups. Rhysida ransom notes are written as PDF documents to affected folders on targeted drives, with the content of the document embedded in the binary in clear text.
This potentially provides some insight into the types of systems or networks that the threat group targets, as the presence of these ransom notes could indicate that the targeted systems have the capability to handle PDF documents. This also indicates that the group is not targeting command-line operating systems used on network devices or servers.
Victims are instructed to contact the attackers via their TOR-based portal, using the unique identifier provided in the ransom note. Rhysida accepts payment in Bitcoin only, and the victim portal also provides information on the purchase and use of Bitcoin. Upon providing their unique ID to the payment portal, victims are presented with another form that allows them to provide additional information to the attackers, such as authentication and contact details.
Tactics, Techniques and Procedures
Lateral Movement
The attackers used a variety of tools to perform lateral movement, including:
- Remote Desktop Protocol – Throughout the intrusion, the threat actor initiated RDP connections and took additional steps to deliberately remove associated logs and registry entries to hinder detection and analysis (as described in the Defense Evasion section). RDP remains an effective approach to performing lateral movement within the environment.
- Remote PowerShell Sessions (WinRM) – While connected remotely via RDP, the threat actor was observed initiating remote PowerShell connections to servers within the environment. This happened in the days before the ransomware payload was deployed.
- PsExec – The ransomware payload itself was deployed using PsExec from a server within the environment. The deployment happened in two phases.
  - Copying the malicious payload using the command
    PsExec.exe -d \\VICTIM_MACHINE -u "DOMAIN\ADMIN" -p "Password" -s cmd /c COPY "\\path_to_ransomware\payload.exe" "C:\windows\temp"
  - Executing the malicious payload using the command
    PsExec.exe -d \\VICTIM_MACHINE -u "DOMAIN\ADMIN" -p "Password" -s cmd /c c:\windows\temp\payload.exe
Credential Access
Most notably, the threat actor used ntdsutil.exe to create a backup of NTDS.dit in a folder named temp_l0gs. This path was used by the actor multiple times. In addition, the threat actor enumerated Domain Administrator accounts and attempted to log in using some of them.
Command and Control
The threat actors have utilized several backdoors and tools for persistence, including:
- SystemBC – In a successful PowerShell session, the attacker executed a SystemBC PowerShell implant (very similar to the implant described here) which maintains persistence by installing a registry run key named socks to execute the script on startup. The implant reaches out to 5.255.103[.]7. Additionally, the threat actor set up a firewall rule named Windows Update to allow outbound traffic to another server, 5.226.141[.]196.
- AnyDesk – The threat actor was observed using the remote management tool AnyDesk.
Defense Evasion
Throughout the activity, the threat actors consistently deleted logs and forensic artifacts following their activity. This includes:
- Deleting the history of recently used files and folders.
- Deleting a list of recently executed programs.
- Deleting the history of recently typed paths in File Explorer.
- Deleting PowerShell console history file.
- Deleting all files and folders within the current user’s temporary folder.
Following RDP sessions, the threat actor also deleted RDP-specific logs by:
- Searching for all subkeys under “HKCU:\Software\Microsoft\Terminal Server Client” in the Windows Registry and, for each subkey, removing the “UsernameHint” value if it exists.
- Deleting Default.rdp from the user’s Documents folder.
Impact
On the day of ransomware deployment, the threat actor utilized the access provided by AnyDesk to widely deploy the ransomware payload in the environment using PsExec:
- Account Access Removal – The threat actor initiated a password change for tens of thousands of accounts in the domain to hinder remediation efforts.
- Inhibit System Recovery – Before deploying the ransomware payload, the threat actor attempted to deploy a PowerShell script with a wide variety of capabilities, including:
  - Changing all local passwords to a predefined password.
  - Killing services related to database systems, backup software, and security products.
  - Disabling Windows Defender and creating exclusions for it.
  - Deleting shadow copies with both wmic.exe and vssadmin.exe.
  - Changing the default RDP port to 4000 and creating a firewall rule for it.
  - Deleting all Windows event logs and PowerShell history.
- Data Encryption – The threat actor ended up deploying the Rhysida ransomware payload using PsExec, as described above.
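Detection logic for the command-line behaviours described in the Lateral Movement, Credential Access, Command and Control and Impact sections (PsExec staging into C:\windows\temp, ntdsutil backing up NTDS.dit to temp_l0gs, shadow copy deletion, the Windows Update firewall rule, event log clearing), as an added Python example that is not part of this profile or any vendor's product. The process-creation events are constructed sample input, and the netsh form of the firewall command is an assumption since the profile does not quote it.

```python
import re

# Constructed, simplified process-creation events (Sysmon EID 1 / 4688 style):
# sample input for this example, not log lines from any real incident.
SAMPLE_EVENTS = [
    {"host": "SRV01", "cmdline": 'PsExec.exe -d \\\\WS042 -u "DOMAIN\\ADMIN" -p "Password" '
                                 '-s cmd /c COPY "\\\\SRV01\\share\\payload.exe" "C:\\windows\\temp"'},
    {"host": "DC01", "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp_l0gs" q q'},
    {"host": "WS042", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    # netsh form is assumed; the profile names the rule but does not quote the command.
    {"host": "WS042", "cmdline": 'netsh advfirewall firewall add rule name="Windows Update" '
                                 'dir=out action=allow remoteip=5.226.141.196'},
    {"host": "WS042", "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS007", "cmdline": "notepad.exe C:\\Users\\jdoe\\notes.txt"},  # benign control
]

# One rule per behaviour the profile describes; the regexes are ours, written
# against the command lines as quoted on the page, not a vendor's signatures.
RULES = [
    ("psexec_system_shell_staging_in_windows_temp",
     re.compile(r"psexec(\.exe)?\b.*\s-s\s+cmd\s+/c\s+copy\b.*c:\\windows\\temp", re.I)),
    ("ntdsutil_ntds_dump_to_temp_l0gs",
     re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b.*temp_l0gs", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("firewall_rule_masquerading_as_windows_update",
     re.compile(r'netsh\b.*firewall\s+add\s+rule\s+name="windows update"', re.I)),
    ("event_log_clearing", re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
]

def detect(events):
    """Return (host, rule_name) for every event whose command line matches a rule."""
    return [(ev["host"], name) for ev in events
            for name, pattern in RULES if pattern.search(ev["cmdline"])]

def hosts_with_recovery_inhibition(events):
    """Hosts that both deleted shadow copies and cleared event logs: the
    pre-encryption combination from the Impact section, worth isolating first."""
    by_host = {}
    for host, name in detect(events):
        by_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in by_host.items()
                  if {"shadow_copy_deletion", "event_log_clearing"} <= names)

if __name__ == "__main__":
    for host, name in detect(SAMPLE_EVENTS):
        print(f"{host}: {name}")
    print("isolate first:", hosts_with_recovery_inhibition(SAMPLE_EVENTS))
```

Feed real 4688 or Sysmon events into detect() by mapping the command-line field to "cmdline"; the benign notepad event shows that ordinary administrative activity does not fire.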
MITRE ATT&CK Techniques
Reconnaissance
- Active Scanning (T1595)
- Phishing for Information (T1598)
Resource Development
- Acquire Infrastructure (T1583)
- Develop Capabilities (T1587)
Initial Access
- Phishing (T1566)
- Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)
Execution
- Command and Scripting Interpreter (T1059)
- Shared Modules (T1129)
Persistence
- Registry Run Keys / Startup Folder (T1547.001)
Privilege Escalation
- Process Injection (T1055)
- Thread Execution Hijacking (T1055.003)
- Registry Run Keys / Startup Folder (T1547.001)
Defense Evasion
- Obfuscated Files or Information (T1027)
- Indicator Removal from Tools (T1027.005)
- Masquerading (T1036)
- Process Injection (T1055)
- Thread Execution Hijacking (T1055.003)
- Virtualization/Sandbox Evasion (T1497)
- Hide Artifacts (T1564)
- NTFS File Attributes (T1564.004)
- Reflective Code Loading (T1620)
Discovery
- Application Window Discovery (T1010)
- Process Discovery (T1057)
- System Information Discovery (T1082)
- File and Directory Discovery (T1083)
- Virtualization/Sandbox Evasion (T1497)
- Security Software Discovery (T1518.001)
Collection
- Data from Local System (T1005)
- Automated Collection (T1119)
Command and Control
- Application Layer Protocol (T1071)
- Web Protocols (T1071.001)
Exfiltration
- Exfiltration Over C2 Channel (T1041)
Impact
- Data Encrypted for Impact (T1486)
Significant Attacks
- In June 2023, Rhysida drew attention for the first time after leaking documents stolen from the Chilean Army (Ejército de Chile) on its data leak site.
- An incident involving Prospect Medical Holdings, a California-based healthcare system, that occurred in early August 2023.
- Rhysida claimed responsibility for an attack on the British Library in November 2023.
- Slovenian power generation company Holding Slovenske Elektrarne (HSE) was hit by ransomware and had some of its data encrypted.
- On December 12th 2023, Rhysida claimed to have breached and encrypted Insomniac Games of Burbank, California.