
Rhysida (Ransomware) – Malware

March 11, 2024
in Malware, Ransomware

Rhysida Ransomware

Additional Names

Unknown

Type of Malware

Ransomware

Country of Origin

Unknown

Date of initial activity

2023

Associated Groups

Rhysida 

Motivation

Financial Gain

Attack vectors

Rhysida ransomware is deployed in multiple ways. The primary methods are breaching targets’ networks via phishing attacks, and dropping the payload across already compromised systems after first deploying Cobalt Strike or a similar command-and-control framework.

Targeted systems

Windows and Linux

Variants

  • SHA-256: a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6
  • SHA-256: 258ddd78655ac0587f64d7146e52549115b67465302c0cbd15a0cba746f05595

Overview

Rhysida is a new ransomware strain that emerged in the second quarter of 2023. The first mention of the Rhysida ransomware was in May 2023 by MalwareHunterTeam.

Targets

Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors.

Tools/ Techniques Used

After compromising the victim’s network, the Rhysida operators likely deploy Cobalt Strike to move laterally across the network and to serve as their command-and-control channel.

The Rhysida encryptor is a 32-bit or 64-bit Windows PE file, compiled with MinGW GNU version 6.3.0 and linked with the GNU linker v2.30. The first public version is a debug build, which makes its analysis easier. For cryptographic operations Rhysida uses the LibTomCrypt library version 1.18.1; for multi-threading and synchronization it uses the winpthreads library. A ChaCha20-based pseudo-random number generator produces the random values the encryptor needs: the AES encryption key, the AES initialization vector and the random padding for RSA-OAEP encryption. The public RSA key is hard-coded in the binary (ASN.1-encoded) and loaded with the rsa_import function; each sample carries a different embedded RSA key. When executed, the encryptor queries the number of processors in the system. This value is used for:
  • Allocating random number generators (one per processor)
  • Creating Encryptor threads (one per processor)
Furthermore, Rhysida creates a File Enumerator thread, which searches all available disk drives by letter. Binaries built before July 2023 enumerate drives in normal order (from A: to Z:); binaries built after July 1st enumerate drives in reverse order (from Z: to A:). The File Enumerator thread searches for files to encrypt and puts them into a synchronized list, from which the Encryptor threads pick them up. Files in system-critical folders, and files necessary to run the operating system and programs, are excluded from encryption. Rhysida uses a file exclusion list to avoid encrypting certain files. The check occurs in the isFileExcluded function, which compares the current file’s extension against exclude_extensions, an array of the excluded file extensions. The function initializes two variables, exclude_i as 0 and exclude_c as 11, which iterate through the array of 27 excluded file extensions and over the length of the current file name. Rhysida ransomware avoids encrypting files with the following file extensions:
  • .bat
  • .bin
  • .cab
  • .cmd
  • .com
  • .cur
  • .diagcab
  • .diagcfg
  • .diagpkg
  • .dll
  • .drv
  • .exe
  • .hlp
  • .hta
  • .ico
  • .ini
  • .ini
  • .iso
  • .lnk
  • .msi
  • .ocx
  • .ps1
  • .psm1
  • .scr
  • .sys
  • .Thumbs.db
  • .url
It also avoids encrypting files in the following folders:
  • ApzData
  • Boot
  • Documents and Settings
  • PerfLogs
  • Program Files
  • Program Files (x86)
  • ProgramData
  • Recovery
  • System Volume Information
  • Windows
  • $Recycle.Bin
Additionally, the ransom note file, usually named CriticalBreachDetected.pdf, is excluded from encryption. The PDF content of the ransom note is hard-coded in the binary, and the note is dropped into each folder. It contains Rhysida’s TOR site address, which victims are asked to visit to contact the attacker. In addition to dropping the ransom note, if enabled in the configuration, Rhysida generates a JPEG image, which is stored as C:/Users/Public/bg.jpg. Earlier versions of the ransomware generated the image with unwanted artifacts, which was fixed in later builds of Rhysida. Depending on the configuration and binary version, Rhysida may also execute additional actions, including:
  • Delete shadow copies using
  • Delete the event logs with this command
  • Delete itself via Powershell command
  • (Re-)create scheduled task on Windows startup
  • Remove scheduled task using
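The exclusion rules above determine which files on a host survive intact, which matters during incident response when an analyst needs to estimate the blast radius from a file listing. The following Python is an added example written for this page (not code from the analysis or from the malware): it models the extension, folder and ransom-note exclusions exactly as listed above. Case-insensitive matching, and matching the folder list against the first directory under the drive root, are assumptions of this model rather than documented behaviour of the encryptor.

```python
"""Model of the file-exclusion rules described above (constructed example, not malware code)."""
from pathlib import PureWindowsPath
from typing import Dict, List

# Extension exclusion list as reported in the analysis (lower-cased for matching).
# ".Thumbs.db" in that list is really a file name, so it is matched separately below.
EXCLUDED_EXTENSIONS = {
    ".bat", ".bin", ".cab", ".cmd", ".com", ".cur", ".diagcab", ".diagcfg",
    ".diagpkg", ".dll", ".drv", ".exe", ".hlp", ".hta", ".ico", ".ini", ".iso",
    ".lnk", ".msi", ".ocx", ".ps1", ".psm1", ".scr", ".sys", ".url",
}

# The ransom note is skipped so it stays readable; Thumbs.db is skipped by name.
EXCLUDED_FILENAMES = {"criticalbreachdetected.pdf", "thumbs.db"}

# Folder exclusion list as reported in the analysis ("ApzData" spelled as given there).
EXCLUDED_FOLDERS = {
    "apzdata", "boot", "documents and settings", "perflogs", "program files",
    "program files (x86)", "programdata", "recovery",
    "system volume information", "windows", "$recycle.bin",
}


def is_file_excluded(path: str) -> bool:
    """Return True if, under the rules above, the encryptor would leave this file alone.

    Assumptions of this model: comparisons are case-insensitive, and the folder
    list is matched only against the first directory below the drive root.
    """
    p = PureWindowsPath(path)
    if p.name.lower() in EXCLUDED_FILENAMES:
        return True
    if p.suffix.lower() in EXCLUDED_EXTENSIONS:
        return True
    parts = p.parts  # e.g. ('C:\\', 'Windows', 'System32', 'hosts')
    if len(parts) >= 3 and parts[1].lower() in EXCLUDED_FOLDERS:
        return True
    return False


def triage(paths: List[str]) -> Dict[str, List[str]]:
    """Split a file listing into files the rules skip and files they would encrypt."""
    result: Dict[str, List[str]] = {"excluded": [], "encrypted": []}
    for path in paths:
        bucket = "excluded" if is_file_excluded(path) else "encrypted"
        result[bucket].append(path)
    return result


# Constructed sample listing, as an analyst might pull from a disk image.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Users\alice\Desktop\tool.EXE",
    r"C:\Users\alice\Desktop\CriticalBreachDetected.pdf",
    r"D:\Shares\hr\Thumbs.db",
    r"D:\Shares\hr\contracts\2023\lease.docx",
    r"C:\Program Files (x86)\App\readme.txt",
    r"C:\$Recycle.Bin\S-1-5-21-0-0-0-1001\old.docx",
    r"E:\Backups\db.bak",
]

if __name__ == "__main__":
    for bucket, files in triage(SAMPLE_PATHS).items():
        print(bucket)
        for f in files:
            print("   ", f)
```

Run against a real listing, the "encrypted" bucket is the set of files to expect in the restore plan; the "excluded" bucket is where intact evidence (event logs aside, see the actions list above) and the dropped ransom notes will be found.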

Rhysida Ransomware Decryptor Released

South Korean researchers discovered a critical flaw in the Rhysida ransomware and used it to develop a decryption tool for affected Windows users. The flaw, a weakness in Rhysida’s random number generator, allows analysts to reverse the encryption process, offering a glimmer of hope for ransomware victims. With this breakthrough, victims can potentially retrieve their encrypted files without giving in to ransom demands, marking a significant stride in the fight against ransomware attacks.
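The page does not describe the weakness itself, so the toy below is an added illustration of the general principle only, not Rhysida’s scheme and not the researchers’ method: when the bytes that become the encryption key come from a generator whose internal state can be enumerated, a ciphertext plus a few bytes of predictable plaintext (a file-format header) is enough to recover the key without the attacker’s private RSA key. The 16-bit seed space, the XOR keystream and the sample document are all constructed for this example.

```python
"""Toy illustration of why a weak random number generator undermines file encryption.

Constructed example: this is NOT Rhysida's scheme and says nothing about the actual
flaw. It shows only the general principle that key material drawn from an
enumerable generator state can be recovered by the defender from ciphertext plus
known plaintext.
"""
import random
from typing import Optional, Tuple

SEED_BITS = 16  # assumption for the toy: a state space small enough to enumerate


def keystream(seed: int, length: int) -> bytes:
    """Deterministic key bytes derived from the generator seed (stands in for the PRNG)."""
    return random.Random(seed).randbytes(length)


def toy_encrypt(plaintext: bytes, seed: int) -> bytes:
    """XOR the data with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(plaintext, keystream(seed, len(plaintext))))


toy_decrypt = toy_encrypt


def recover_seed(ciphertext: bytes, known_prefix: bytes) -> Optional[int]:
    """Find the seed whose keystream maps known_prefix onto the start of ciphertext.

    A file format with a fixed header (here the "%PDF-" magic) supplies the known
    plaintext; eight bytes are enough to make accidental matches negligible.
    """
    n = len(known_prefix)
    target = bytes(c ^ p for c, p in zip(ciphertext[:n], known_prefix))
    for seed in range(1 << SEED_BITS):
        if keystream(seed, n) == target:
            return seed
    return None


# Constructed sample: a fake PDF-like document and a fixed seed.
SAMPLE_PLAINTEXT = b"%PDF-1.7\n% constructed sample document, not a real file\n"
SAMPLE_SEED = 0xBEEF


def demo() -> Tuple[Optional[int], Optional[bytes]]:
    """Encrypt the sample, then recover the seed and plaintext from the ciphertext alone."""
    ciphertext = toy_encrypt(SAMPLE_PLAINTEXT, SAMPLE_SEED)
    seed = recover_seed(ciphertext, b"%PDF-1.7")
    recovered = toy_decrypt(ciphertext, seed) if seed is not None else None
    return seed, recovered


if __name__ == "__main__":
    seed, recovered = demo()
    print("recovered seed:", seed, "plaintext matches:", recovered == SAMPLE_PLAINTEXT)
```

The practical lesson for responders is the one the decryptor news implies: keep encrypted files and the ransomware sample rather than wiping and rebuilding immediately, because a later cryptographic finding can turn preserved ciphertext back into data.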

References

  • #StopRansomware: Rhysida Ransomware
  • The Rhysida Ransomware: Activity Analysis and Ties to Vice Society
  • Ransomware Roundup – Rhysida
  • Rhysida Ransomware Technical Analysis
  • Rhysida Ransomware Decryptor Released
  • A Method for Decrypting Data Infected with Rhysida Ransomware