Verticals Targeted: Education, Government, Manufacturing, Technology, Healthcare, Various
Executive Summary
New Rhysida activity has prompted the release of a joint cybersecurity advisory providing additional details on the ransomware group’s TTPs and operations.
Key Takeaways
- New Rhysida activity has prompted the release of a joint cybersecurity advisory providing additional details on the ransomware group’s TTPs and operations.
- Rhysida appears to target opportunistically and has begun evolving tactics, using a double extortion tactic.
- Rhysida threat actors have also been observed leveraging Zerologon (CVE-2020-1472).
What is Rhysida?
Earlier this year, we reported on Rhysida ransomware targeting the healthcare vertical. Rhysida, active in the wild since at least May 2023, is ransomware as a service (RaaS). It utilizes a Windows 64-bit PE or COFF compiled with MinGW via the GNU Compiler Collection (GCC). Rhysida uses a 4096-bit RSA key and ChaCha20 for file encryption and appends the .rhysida extension to encrypted files.
Rhysida has previously targeted entities in the education, government, manufacturing, and technology verticals and was observed targeting the healthcare vertical in August. The activity resulted in an HHS Health Sector Cybersecurity Coordination Center security alert being issued at the time.
Opportunistic Targeting
Rhysida appears to target opportunistically and has begun evolving tactics, using a double extortion tactic. New Rhysida activity has prompted the release of a joint cybersecurity advisory with contributions from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
For initial access and persistence, the Rhysida threat actors leverage external-facing remote services, such as VPNs. They appear to obtain access using compromised but valid credentials, taking advantage of connections that do not require multi-factor authentication (MFA) for login. Rhysida threat actors have been observed leveraging Zerologon (CVE-2020-1472), a vulnerability in Microsoft’s Netlogon Remote Protocol that results in a critical elevation of privileges. They are also known to engage in phishing.
The advisory states that Rhysida threat actors use living off-the-land techniques such as RDP for lateral movement, allowing them to establish VPN access and utilize PowerShell while evading detection. Rhysida threat actors have been observed using ipconfig, whoami, nltest, and net commands to gather domain information and enumerate victim environments.
Rhysida threat actors use a combination of both legitimate and malicious tools, including cmd.exe, PowerShell.exe, PsExec.exe, mstsc.exe, PuTTy.exe, PortStarter, secretsdump, ntdsutil.exe, AnyDesk, wevtutil.exe, and PowerView.
The advisory echoed open-source reporting, stating Rhysida ransomware group appears to share similarities with Vice Society, also known as DEV-0832.
IOCs
PolySwarm has multiple samples of Rhysida.
Edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef
201d8e77ccc2575d910d47042a986480b1da28cf0033e7ee726ad9d45ccf4daa
A48ac157609888471bf8578fb8b2aef6b0068f7e0742fccf2e0e288b0b2cfdfb
De73b73eeb156f877de61f4a6975d06759292ed69f31aaf06c9811f3311e03e7
951b1b5fd5cb13cde159cebc7c60465587e2061363d1d8847ab78b6c4fba7501
Fdadb6e15c52c41a31e3c22659dd490d5b616e017d1b1aa6070008ce09ed27ea
D689cb1dbd2e4c06cd15e51a6871c406c595790ddcdcd7dc8d0401c7183720ef
554f523914cdbaed8b17527170502199c185bd69a41c81102c50dbb0e5e5a78d
D3a816fe5d545a80e4639b34b90d92d1039eb71ef59e6e81b3c0e043a45b751c
8329bcbadc7f81539a4969ca13f0be5b8eb7652b912324a1926fc9bfb6ec005a
Be922312978a53c92a49fefd2c9f9cc098767b36f0e4d2e829d24725df65bc21
4243dc8b991f5f8b3c0f233ca2110a1e03a1d716c3f51e88faf1d59b8242d329
7ba47558c99e18c2c6449be804b5e765c48d3a70ceaa04c1e0fae67ff1d7178d
5ef168f83b55d2cbd2426afc5e6fa8161270fa6a2a312831332dc472c95dfa42
D3247f03dcd7b9335344ebba76a0b92370f32f1cb0e480c734da52db2bd8df60
5e55b4caf47a248a10abd009617684e969dbe5c448d087ee8178262aaab68636
Dcdb9bd39b6014434190a9949dedf633726fdb470e95cc47cdaa47c1964b969f
8d950068f46a04e77ad6637c680cccf5d703a1828fbd6bdca513268af4f2170f
6ed5d50cf9d07db73eaa92c5405f6b1bf670028c602c605dfa7d4fcb80ef0801
D1f718d219930e57794bdadf9dda61406294b0759038cef282f7544b44b92285
355b4a82313074999bd8fa1332b1ed00034e63bd2a0d0367e2622f35d75cf140
4226738489c2a67852d51dbf96574f33e44e509bc265b950d495da79bb457400
13fd3ad690c73cf0ad26c6716d4e9d1581b47c22fb7518b1d3bf9cfb8f9e9123
4bf8fbb7db583e1aacbf36c5f740d012c8321f221066cc68107031bd8b6bc1ee
95a922e178075fb771066db4ab1bd70c7016f794709d514ab1c7f11500f016cd
2813b6c07d17d25670163e0f66453b42d2f157bf2e42007806ebc6bb9d114acc
You can use the following CLI command to search for all Rhysida samples in our portal:
$ polyswarm link list -f Rhysida
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.