| Rhysida Ransomware | |
|---|---|
| Additional Names | Unknown |
| Type of Malware | Ransomware |
| Country of Origin | Unknown |
| Date of initial activity | 2023 |
| Associated Groups | Rhysida |
| Motivation | Financial Gain |
| Attack vectors | Rhysida ransomware is deployed in multiple ways. Primary methods include breaching targets' networks |
| Targeted systems | Windows and Linux |
| Variants | SHA-256: a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6, SHA-256: 258ddd78655ac0587f64d7146e52549115b67465302c0cbd15a0cba746f05595 |
Overview
Rhysida is a ransomware strain that emerged in the second quarter of 2023; its first public mention was by MalwareHunterTeam in May 2023.
Targets
Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors.
Tools/ Techniques Used
After compromising the victim's network, Rhysida operators likely deploy Cobalt Strike to move laterally and to serve as their command-and-control framework.
The Rhysida encryptor is a 32-bit or 64-bit Windows PE file, compiled with MinGW GCC 6.3.0 and linked with GNU ld 2.30. The first public version shipped as a debug build, which makes its analysis easier.
For cryptographic operations, Rhysida uses the LibTomCrypt library, version 1.18.1. For multi-threading and synchronization it uses the winpthreads library. A ChaCha20-based pseudo-random number generator supplies all random values: the AES encryption key, the AES initialization vector, and the random padding for RSA-OAEP. The RSA public key is hard-coded in the binary (ASN.1-encoded) and loaded with LibTomCrypt's rsa_import function; each sample embeds a different RSA key.
When executed, the encryptor queries the number of processors in the system. This value is used for:
- allocating random number generators (one per processor)
- creating Encryptor threads (one per processor)
Furthermore, Rhysida creates a File Enumerator thread, which searches all available disk drives by letter. Binaries built before July 2023 enumerate drives in normal order (A: to Z:); binaries built after July 1st enumerate them in reverse order (Z: to A:).
The File Enumerator thread searches for files to encrypt and places them in a synchronized list, from which the Encryptor threads pick them up. Files in system-critical folders, and files needed to run the operating system and installed programs, are excluded from encryption.
Rhysida uses a file exclusion list to avoid encrypting certain files. The check is done in the isFileExcluded function, which compares the current file's extension against exclude_extensions, an array holding the excluded extensions listed below. The function initializes two counters, exclude_i to 0 and exclude_c to 11, which it uses to iterate over the 27 entries of the array and over the length of the current file name.
Rhysida ransomware avoids encrypting files with the following extensions:
- .bat
- .bin
- .cab
- .cmd
- .com
- .cur
- .diagcab
- .diagcfg
- .diagpkg
- .dll
- .drv
- .exe
- .hlp
- .hta
- .ico
- .ini
- .ini
- .iso
- .lnk
- .msi
- .ocx
- .ps1
- .psm1
- .scr
- .sys
- .Thumbs.db
- .url
It also avoids encrypting files in the following folders:
- ApzData
- Boot
- Documents and Settings
- PerfLogs
- Program Files
- Program Files (x86)
- ProgramData
- Recovery
- System Volume Information
- Windows
- $Recycle.Bin
Additionally, the ransom note file, usually named CriticalBreachDetected.pdf, is excluded from encryption. The PDF content of the ransom note is hard-coded in the binary and is dropped into each folder. The note contains Rhysida's TOR site address, which victims are asked to visit to contact the attackers.
In addition to dropping the ransom note, if enabled in the configuration, Rhysida generates a JPEG wallpaper image and stores it at C:/Users/Public/bg.jpg. Earlier versions of the ransomware generated the image with unwanted artifacts, which was fixed in later builds.
Depending on the configuration and the binary version, Rhysida may also execute additional actions, including:
- Delete shadow copies using
- Delete the event logs with this command
- Delete itself via PowerShell command
- (Re-)create a scheduled task that runs on Windows startup
- Remove the scheduled task using
Rhysida Ransomware Decryptor Released
South Korean researchers discovered a flaw in Rhysida's key generation and used it to build a decryption tool for affected Windows victims. The weakness lies in the random number generator: the ChaCha20-based PRNG that produces each file's AES key and IV is seeded from the time at which the encryptor runs, so the seed space is small enough to search exhaustively around the infection time. Once the seed is recovered and the order in which files were encrypted is reconstructed, the per-file keys can be regenerated without the attackers' RSA private key, and victims can restore their files without paying. The decryptor only applies to samples that share this seeding behaviour, so it should be tested on copies of encrypted files rather than on the only remaining originals.
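Why a time-seeded PRNG undoes the whole scheme, shown as an added Python example. This is an illustration written for this page, not the researchers' decryptor and not the sample's code: it models the flaw with a real ChaCha20 block function (RFC 7539 layout, self-checked against the RFC's all-zero test vector) but simplifies everything around it. Deriving the PRNG key as SHA-256 of a 32-bit timestamp, drawing the n-th file's key and IV as the n-th PRNG block, and encrypting the file with the ChaCha20 keystream instead of AES are all assumptions of the model; the real sample uses LibTomCrypt's ChaCha20 PRNG, AES, and RSA-OAEP key wrapping, and the published method also has to reconstruct the file encryption order.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte ChaCha20 keystream block (RFC 7539: 32-byte key, 32-bit counter, 12-byte nonce)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += list(struct.unpack("<8I", key))
    state.append(counter & MASK32)
    state += list(struct.unpack("<3I", nonce))
    work = state[:]
    for _ in range(10):                       # 10 double rounds = 20 rounds
        _quarter_round(work, 0, 4, 8, 12)
        _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14)
        _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15)
        _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13)
        _quarter_round(work, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w + s) & MASK32 for w, s in zip(work, state)])


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += chacha20_block(key, counter, nonce)
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- Simplified model of the flawed design (assumptions of this example, see lead-in) ----

def prng_key_from_seed(seed: int) -> bytes:
    """A 32-bit timestamp is the only entropy: that is the flaw being modelled."""
    return hashlib.sha256(struct.pack("<I", seed)).digest()


def derive_file_key_iv(seed: int, file_index: int):
    """Model: the file_index-th file gets the file_index-th PRNG block as its key (32 B) and IV (12 B)."""
    block = chacha20_block(prng_key_from_seed(seed), file_index, bytes(12))
    return block[:32], block[32:44]


def encrypt_file(seed: int, file_index: int, data: bytes) -> bytes:
    key, iv = derive_file_key_iv(seed, file_index)
    return xor_bytes(data, keystream(key, iv, len(data)))


decrypt_file = encrypt_file   # stream cipher: decryption is the same operation


def recover_seed(ciphertext: bytes, file_index: int, known_prefix: bytes, approx_time: int, window: int):
    """Brute-force the timestamp seed within +/- window seconds of approx_time.

    Known plaintext (file magic such as b"%PDF-1.") identifies the right seed; no RSA key is needed.
    Returns the seed, or None if it is not inside the window.
    """
    n = len(known_prefix)
    for seed in range(approx_time - window, approx_time + window + 1):
        if decrypt_file(seed, file_index, ciphertext[:n]) == known_prefix:
            return seed
    return None


if __name__ == "__main__":
    # Constructed scenario: the encryptor ran at INFECTION_TIME; the victim only knows it roughly.
    INFECTION_TIME = 1700000000
    document = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"   # constructed sample file
    ct = encrypt_file(INFECTION_TIME, 3, document)                # 4th file encrypted in the run
    seed = recover_seed(ct, 3, b"%PDF-1.", INFECTION_TIME + 42, 300)
    print("recovered seed:", seed)
    print("recovered file:", decrypt_file(seed, 3, ct))
```

The search cost is two ChaCha20 blocks per candidate second, so even a window of hours is trivial; with a seed drawn from a proper CSPRNG (256 bits of entropy) the same loop would never terminate, which is the whole difference between the scheme as designed and the scheme as implemented.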
References
- #StopRansomware: Rhysida Ransomware
- The Rhysida Ransomware: Activity Analysis and Ties to Vice Society
- Ransomware Roundup – Rhysida
- Rhysida Ransomware Technical Analysis
- Rhysida Ransomware Decryptor Released
- A Method for Decrypting Data Infected with Rhysida Ransomware