Rhysida – Ransomware Group

March 11, 2024

Rhysida Ransomware Group

Other Names

Unknown

Location

Unknown

Date of initial activity

2023

Suspected attribution

Unknown

Associated Groups

Vice Society

Motivation

Steal information from victims for a financial gain

Associated tools

Rhysida ransomware, Cobalt Strike, cmd.exe, PowerShell.exe, PsExec.exe, mstsc.exe, PuTTY.exe, PortStarter, secretsdump, ntdsutil.exe, AnyDesk, wevtutil.exe, PowerView.

Active

Yes

Overview

Rhysida is a new ransomware-as-a-service (RaaS) group that was first observed on May 23. The group presents itself as a cybersecurity team doing its victims a favour by highlighting their security issues and the potential ramifications.

When Rhysida emerged, many similarities in TTPs were noted between Rhysida and Vice Society: use of the same folder name, use of SystemBC, malware for sale, and the exact name of the registry run key used for persistence. All of these point to Vice Society rebranding as Rhysida. Vice Society's activity has dropped off significantly since Rhysida appeared, and the group has published only two victims on its leak site since then. The two groups have also targeted similar industries, i.e. healthcare and education, revealing ties between Rhysida and Vice Society members.

The group breaches targets' networks via phishing attacks and Cobalt Strike, then deploys its eponymous ransomware, and threatens to publicly release the exfiltrated data if the ransom is not paid. Rhysida is still in its early stages of development, as indicated by the lack of advanced features and the program name Rhysida-0.1. The ransomware also leaves PDF notes in the affected folders, instructing victims to contact the group via its portal and pay in Bitcoin.

The Rhysida group operates a data leak site on TOR for ransom negotiations and exposing data stolen from the victims.

Common targets

Rhysida Ransomware targets industries all across the globe. In recent months, Rhysida has run campaigns compromising and extorting organizations from the government, education, healthcare, IT, and manufacturing sectors.

Attack Vectors

Rhysida threat actors rely on phishing attacks as an infection vector. The attackers also reportedly use Cobalt Strike for lateral movement within the victim’s network and to deliver payloads. Cobalt Strike is advertised as an adversary emulation tool for information security professionals to evaluate network and system defenses.

How they operate

The threat actors abuse legitimate software: PowerShell to gather information about users and systems within the network, PsExec to schedule tasks and modify registry keys for persistence, AnyDesk for remote connections, and WinSCP for file transfers. They also attempt to exfiltrate data from various systems using MegaSync.

During encryption, Rhysida uses a 4096-bit RSA key together with the ChaCha20 algorithm, and it consults an exclusion list to avoid encrypting certain files. After encryption, Rhysida appends the .rhysida extension to the names of the encrypted files, changes the wallpaper and drops a ransom note as a PDF document. The note threatens victims with public distribution of the exfiltrated data, in line with modern double-extortion groups.

Rhysida ransom notes are written as PDF documents to affected folders on targeted drives, with the content of the document embedded in the binary in clear text. This offers some insight into the types of systems the group targets: the use of PDF notes suggests the targeted systems are expected to be able to display PDF documents, which in turn indicates that the group is not targeting command-line operating systems used on network devices or servers.

Victims are instructed to contact the attackers via their TOR-based portal, using the unique identifier provided in the ransom note. Rhysida accepts payment in Bitcoin only and provides information on purchasing and using Bitcoin on the victim portal as well. After entering their unique ID on the payment portal, victims are presented with another form that allows them to supply additional information to the attackers, such as authentication and contact details.

Tactics, Techniques and Procedures

Lateral Movement
The attackers used a variety of tools to perform lateral movement, including:
  • Remote Desktop Protocol – Throughout the intrusion, the threat actor initiated RDP connections and took additional steps to deliberately remove associated logs and registry entries to hamper detection and analysis (as described in the Defense Evasion section). RDP remains an effective approach to lateral movement within the environment.
  • Remote PowerShell Sessions (WinRM) – While connected remotely via RDP, the threat actor was observed initiating remote PowerShell connections to servers within the environment. This happened in the days before the ransomware payload was deployed.
  • PsExec – The ransomware payload itself was deployed using PsExec from a server within the environment. The deployment happened in two phases.
    • Copying the malicious payload using the command PsExec.exe -d \\VICTIM_MACHINE -u "DOMAIN\ADMIN" -p "Password" -s cmd /c COPY "\\path_to_ransomware\payload.exe" "C:\windows\temp".
    • Executing the malicious payload using the command PsExec.exe -d \\VICTIM_MACHINE -u "DOMAIN\ADMIN" -p "Password" -s cmd /c c:\windows\temp\payload.exe.
Credential Access
Most notably, the threat actor used ntdsutil.exe to create a backup of NTDS.dit in a folder named temp_l0gs; the actor reused this path multiple times. In addition, the threat actor enumerated Domain Administrator accounts and attempted to log in with some of them.
Command and Control
The threat actors have utilized several backdoors and tools for persistence, including:
  • SystemBC – In a successful PowerShell session, the attacker executed a SystemBC PowerShell implant (very similar to a previously documented SystemBC implant) which maintains persistence by installing a registry run key named socks to execute the script on startup. The implant reaches out to 5.255.103[.]7. Additionally, the threat actor set up a firewall rule named Windows Update to allow outbound traffic to another server, 5.226.141[.]196.
  • AnyDesk – The threat actor was observed using the remote management tool AnyDesk.
Defense Evasion
Throughout the activity, the threat actors consistently deleted logs and forensic artifacts following their activity. This includes:
  • Deleting the history of recently used files and folders.
  • Deleting a list of recently executed programs.
  • Deleting the history of recently typed paths in File Explorer.
  • Deleting PowerShell console history file.
  • Deleting all files and folders within the current user’s temporary folder.
Following RDP sessions, the threat actor also deleted RDP-specific logs by:
  • Searching for all subkeys under “HKCU:\Software\Microsoft\Terminal Server Client” in the Windows Registry, and for each subkey, removing the “UsernameHint” value if it exists.
  • Deleting Default.rdp from the users’ Documents folder.
Impact
On the day of ransomware deployment, the threat actor utilized the access provided by AnyDesk to widely deploy the ransomware payload in the environment using PsExec:
  • Account Access Removal – The threat actor initiated a password change for tens of thousands of accounts in the domain to hamper remediation efforts.
  • Inhibit System Recovery – Before deploying the ransomware payload, the threat actor attempted to deploy a PowerShell script with a wide variety of capabilities, including:
    • Changing all local passwords to a predefined password.
    • Killing services related to database systems, backup software, and security products.
    • Disabling Windows Defender and creating exclusions for it.
    • Deleting shadow copies with both wmic.exe and vssadmin.exe.
    • Changing the default RDP port to 4000 and creating a firewall rule for it.
    • Deleting all Windows event logs and PowerShell history.
  • Data Encryption – The threat actor ended up deploying the Rhysida ransomware payload using PsExec, as described above.
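The intrusion flow above (PsExec staging from C:\Windows\Temp, the ntdsutil backup into temp_l0gs, shadow copy deletion, log clearing, the socks run key and the Windows Update firewall rule) can be turned into host-level detection logic. The following detector is an added example, not code from the original profile or from any vendor; it runs over constructed process-creation telemetry with assumed Sysmon-style field names (Computer, CommandLine).

```python
# Added example, not from the original profile: scoring constructed process-creation
# telemetry (assumed Sysmon EID 1 style fields) against the Rhysida TTPs above.
import re

# (ATT&CK technique, description, regex applied to the full command line)
RULES = [
    ("T1570", "PsExec staging a payload into C:\\Windows\\Temp",
     re.compile(r"psexec(?:\.exe)?\b.*-s\s+cmd\s*/c\s+copy\b.*\\windows\\temp", re.I)),
    ("T1569.002", "PsExec launching a binary from C:\\Windows\\Temp",
     re.compile(r"psexec(?:\.exe)?\b.*-s\s+cmd\s*/c\s+c:\\windows\\temp\\", re.I)),
    ("T1003.003", "ntdsutil NTDS.dit backup (Rhysida used a temp_l0gs folder)",
     re.compile(r"ntdsutil(?:\.exe)?\b.*(?:\bifm\b|temp_l0gs)", re.I)),
    ("T1490", "Shadow copy deletion via vssadmin or wmic",
     re.compile(r"vssadmin(?:\.exe)?\b.*delete\s+shadows|wmic(?:\.exe)?\b.*shadowcopy\s+delete", re.I)),
    ("T1070.001", "Event log clearing with wevtutil",
     re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    ("T1547.001", "Run key value named 'socks' (SystemBC persistence)",
     re.compile(r"\\currentversion\\run\b.*\bsocks\b", re.I)),
    ("T1562.004", "Outbound firewall rule masquerading as 'Windows Update'",
     re.compile(r"advfirewall\s+firewall\s+add\s+rule\b.*name=\"?windows update\"?", re.I)),
]

def match_event(event: dict) -> list[str]:
    """Technique IDs whose rule matches the event's command line."""
    cmd = event.get("CommandLine", "")
    return [tid for tid, _desc, rx in RULES if rx.search(cmd)]

def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Per-event hits as (Computer, [technique IDs]); benign events are skipped."""
    return [(ev["Computer"], tids) for ev in events if (tids := match_event(ev))]

def techniques_seen(events: list[dict]) -> set[str]:
    """Distinct Rhysida techniques observed across the telemetry set."""
    return {tid for _host, tids in triage(events) for tid in tids}

# Constructed sample telemetry mirroring the intrusion flow described above.
SAMPLE_EVENTS = [
    {"Computer": "SRV01", "CommandLine": 'PsExec.exe -d \\\\WS07 -u "CORP\\admin" -p "x" -s cmd /c COPY "\\\\SRV01\\share\\payload.exe" "C:\\windows\\temp"'},
    {"Computer": "SRV01", "CommandLine": 'PsExec.exe -d \\\\WS07 -u "CORP\\admin" -p "x" -s cmd /c c:\\windows\\temp\\payload.exe'},
    {"Computer": "DC01", "CommandLine": 'ntdsutil.exe "ac i ntds" ifm "create full c:\\temp_l0gs" q q'},
    {"Computer": "WS07", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "WS07", "CommandLine": "wevtutil.exe cl Security"},
    {"Computer": "WS07", "CommandLine": 'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v socks /t REG_SZ /d "C:\\ProgramData\\implant.ps1"'},
    {"Computer": "WS07", "CommandLine": 'netsh advfirewall firewall add rule name="Windows Update" dir=out action=allow'},
    {"Computer": "WS07", "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},
]
```

Several of these techniques are noisy on their own (administrators do run vssadmin and wevtutil); the value is in a host or domain showing several of them within the same short window, which is what techniques_seen surfaces.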

MITRE ATT&CK Techniques

Reconnaissance
  • Active Scanning (T1595)
  • Phishing for Information (T1598)
Resource Development
  • Acquire Infrastructure (T1583)
  • Develop Capabilities (T1587)
Initial Access
  • Phishing (T1566)
  • Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)
Execution
  • Command and Scripting Interpreter (T1059)
  • Shared Modules (T1129)
Persistence
  • Registry Run Keys / Startup Folder (T1547.001)
Privilege Escalation
  • Process Injection (T1055)
  • Thread Execution Hijacking (T1055.003)
  • Registry Run Keys / Startup Folder (T1547.001)
Defense Evasion
  • Obfuscated Files or Information (T1027)
  • Indicator Removal from Tools (T1027.005)
  • Masquerading (T1036)
  • Process Injection (T1055)
  • Thread Execution Hijacking (T1055.003)
  • Virtualization/Sandbox Evasion (T1497)
  • Hide Artifacts (T1564)
  • NTFS File Attributes (T1564.004)
  • Reflective Code Loading (T1620)
Discovery
  • Application Window Discovery (T1010)
  • Process Discovery (T1057)
  • System Information Discovery (T1082)
  • File and Directory Discovery (T1083)
  • Virtualization/Sandbox Evasion (T1497)
  • Security Software Discovery (T1518.001)
Collection
  • Data from Local System (T1005)
  • Automated Collection (T1119)
Command and Control
  • Application Layer Protocol (T1071)
  • Web Protocols (T1071.001)
Exfiltration
  • Exfiltration Over C2 Channel (T1041)
Impact
  • Data Encrypted for Impact (T1486)

Significant Attacks

  • In June 2023, Rhysida drew attention for the first time after leaking documents stolen from the Chilean Army (Ejército de Chile) on its data leak site.
  • An incident involving Prospect Medical Holdings, a California-based healthcare system, that occurred in early August 2023.
  • Rhysida claimed responsibility for an attack on the British Library in November 2023.
  • Slovenian power generation company Holding Slovenske Elektrarne (HSE) has been hit by ransomware and has had some of its data encrypted.
  • On December 12th, 2023, Rhysida claimed to have penetrated and encrypted Insomniac Games of Burbank, California.
 