Rhysida Ransomware Explained: Tactics, Techniques, and Procedures


Ransomware attacks continue to threaten organizations worldwide, and new ransomware variants emerge in the cyber threat landscape on a daily basis. A new ransomware group called Rhysida began to gain notoriety with its attack campaigns in the Middle East and Latin America. The Rhysida ransomware gang is a group of financially motivated threat actors known for targeting the education, government, manufacturing, and tech industries. As always, Picus Labs swiftly added attack simulations for Rhysida ransomware variants as they were discovered.

In this blog, we explain the Tactics, Techniques, and Procedures (TTPs) used by Rhysida ransomware and how organizations can defend themselves against Rhysida ransomware attacks.



We strongly suggest simulating Rhysida ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus The Complete Security Validation Platform.

Rhysida Ransomware Explained

Rhysida ransomware first appeared in May 2023 and has infected nearly 50 organizations worldwide since then. The ransomware gang employs the Ransomware-as-a-Service (RaaS) business model and rents or sells its ransomware payloads to other threat actors. Rhysida also exfiltrates its victims' sensitive data for double extortion: the threat actors threaten to release the stolen data to the public if the victim refuses to pay the demanded ransom. Rhysida threat actors are financially motivated and known to target the government, healthcare, education, manufacturing, and technology sectors. The victimology shows that Rhysida victims are located in the Middle East, Latin America, and Europe.

For initial access, Rhysida threat actors use phishing attacks. After an unsuspecting user interacts with the phishing email, the attackers deploy a Cobalt Strike beacon on the victim's system to establish persistence and transfer additional malware from an adversary-controlled command and control (C2) server for lateral movement and data exfiltration. Throughout the attack, Rhysida operators delete artifacts and log data to hinder incident response efforts. After a successful compromise, the threat actors deploy the Rhysida ransomware payload and encrypt the victim's sensitive folders and files.

Rhysida ransomware follows recent ransomware trends and continues to improve its capabilities. Organizations are advised to analyze the evolving tactics of ransomware groups and validate their security posture against Rhysida ransomware's threat behaviors mapped to the MITRE ATT&CK framework. 

Rhysida Ransomware Analysis and MITRE ATT&CK TTPs

Initial Access

T1078 Valid Accounts

Rhysida affiliates acquire compromised RDP and VPN accounts from Initial Access Brokers (IABs) to gain access to the victim's network. 

T1566 Phishing

Rhysida ransomware operators send benign-looking emails with malicious links or attachments. When unsuspecting users open these malicious links or attachments, adversaries gain initial access to the victim's network.

Execution

T1059 Command and Scripting Interpreter

Rhysida ransomware uses PowerShell to execute commands, modify the registry, evade defenses, and deploy additional malware in the victim's environment. The command below is used by Rhysida ransomware to delete itself after the victim's files are encrypted.

cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path " " -ErrorAction SilentlyContinue;

Persistence

T1053 Scheduled Task

Rhysida threat actors use scheduled tasks to establish persistence on compromised hosts. A scheduled task named "Rhsd" points to the ransomware payload and runs at system startup.

schtasks /create /sc ONSTART /tn Rhsd /tr \"'{Malware File Path}\{Malware File Name}.exe' {accepted arguments}\" /ru system; 

schtasks /run /tn Rhsd /i

Defense Evasion

T1070.004 Indicator Removal: File Deletion

After a successful compromise, Rhysida ransomware deletes itself and its artifacts to block incident response efforts. 

schtasks /delete /tn Rhsd /f

T1112 Modify Registry

Rhysida ransomware uses the following commands to modify Windows Registry keys to drop the ransom note. Because of the typo in the first two commands ("Conttol Panel" instead of "Control Panel"), they fail on the compromised host and the existing wallpaper values are never deleted.

cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f
cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
cmd.exe /c reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
cmd.exe /c reg add "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
cmd.exe /c reg add "HKCU\\Control Panel\\Desktop" /v Wallpaper /t REG_SZ /d "C:\\Users\\Public\\bg.jpg" /f
cmd.exe /c reg add "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" /v Wallpaper /t REG_SZ /d "C:\\Users\\Public\\bg.jpg" /f
cmd.exe /c reg add "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" /v WallpaperStyle /t REG_SZ /d 2 /f
cmd.exe /c reg add "HKCU\\Control Panel\\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
rundll32.exe user32.dll,UpdatePerUserSystemParameters

Credential Access

T1003.003 OS Credential Dumping: NTDS

Rhysida operators use ntdsutil.exe to copy the NTDS.dit file into a temporary folder. Using the credentials extracted from it, the adversaries log in to other hosts in the victim's domain.

Lateral Movement

T1021.001 Remote Services: Remote Desktop Protocol

In addition to using them for initial access, Rhysida operators also use compromised valid accounts to move laterally in the victim's network via the Remote Desktop Protocol.

Command and Control

T1021.001 Remote Services

Rhysida threat actors use remote services such as Remote Desktop Protocol (RDP), Windows Remote Management (WinRM), and PsExec to move laterally in the compromised network.

Exfiltration

T1041 Exfiltration Over C2 Channel

Rhysida operators collect the victim's sensitive data and send it to an adversary-controlled command and control (C2) server before encrypting it. The stolen data is then used in double extortion to pressure victims into paying the demanded ransom.

Impact

T1486 Data Encrypted for Impact

The Rhysida locker uses a hybrid encryption approach that combines the RSA and ChaCha20 algorithms. Encrypted files are given the .rhysida extension.

T1490 Inhibit System Recovery

Rhysida threat actors delete all volume shadow copies of the infected host to prevent victims from recovering their files. 

cmd.exe vssadmin delete shadows /all /quiet
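As an added defender-side example (not part of the Picus post), the script below turns the command lines quoted in the sections above into simple process-creation detection rules and runs them over constructed events; the host names, file paths and the correlation threshold are assumptions.

```python
import re

# Detection rules built from the Rhysida command lines quoted in this post (added
# example, not Picus content). Each entry: (ATT&CK technique label, regex over the
# process command line). Tune the noisier ones (reg, ntdsutil) to your environment.
RULES = [
    ("T1053 scheduled task Rhsd", re.compile(r"schtasks\s+/create\b.*/tn\s+Rhsd\b", re.I)),
    ("T1070.004 Rhsd task deleted", re.compile(r"schtasks\s+/delete\b.*/tn\s+Rhsd\b", re.I)),
    ("T1059 hidden PowerShell self-delete",
     re.compile(r"powershell\.exe.*-WindowStyle\s+Hidden.*Remove-Item\s+-Force", re.I)),
    # Con[tr]+ol also matches the misspelled "Conttol Panel" key the locker writes.
    ("T1112 wallpaper/ActiveDesktop registry change",
     re.compile(r"\breg\s+(add|delete)\b.*(Con[tr]+ol Panel\\+Desktop|ActiveDesktop)", re.I)),
    ("T1490 shadow copies deleted", re.compile(r"vssadmin\s+delete\s+shadows\b", re.I)),
    ("T1003.003 ntdsutil invoked", re.compile(r"\bntdsutil(\.exe)?\b", re.I)),
]

def match_rules(cmdline):
    """Return the labels of every rule whose pattern matches one process command line."""
    return [label for label, pat in RULES if pat.search(cmdline)]

def scan(events):
    """Group matched techniques per host. events: iterable of (host, command_line)."""
    per_host = {}
    for host, cmdline in events:
        for label in match_rules(cmdline):
            per_host.setdefault(host, set()).add(label)
    return per_host

def likely_rhysida_chain(per_host, threshold=3):
    """Hosts showing at least `threshold` distinct techniques (threshold is an assumed tuning value)."""
    return sorted(host for host, labels in per_host.items() if len(labels) >= threshold)

# Constructed process-creation events (as a Sysmon Event ID 1 feed would yield); not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", r'schtasks /create /sc ONSTART /tn Rhsd /tr "C:\Users\Public\sample.exe" /ru system'),
    ("WS01", r'cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f'),
    ("WS01", r'cmd.exe /c reg add "HKCU\\Control Panel\\Desktop" /v Wallpaper /t REG_SZ /d "C:\\Users\\Public\\bg.jpg" /f'),
    ("WS01", r"cmd.exe /c vssadmin delete shadows /all /quiet"),
    ("WS01", r'cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path "C:\Users\Public\sample.exe" -ErrorAction SilentlyContinue;'),
    ("WS02", r"schtasks /query /tn \Microsoft\Windows\Defrag\ScheduledDefrag"),
    ("WS02", r'cmd.exe /c reg query "HKCU\Control Panel\Desktop" /v Wallpaper'),
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for host, labels in sorted(hits.items()):
        print(host, sorted(labels))
    print("likely Rhysida chain on:", likely_rhysida_chain(hits))
```

A single reg or ntdsutil hit is weak evidence on its own; the per-host grouping is what makes the Rhsd task, wallpaper change and shadow-copy deletion together stand out as one chain.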

How Does Picus Help Simulate Rhysida Ransomware Attacks?

We strongly suggest simulating Rhysida ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as LockBit, REvil, and GandCrab, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Rhysida ransomware:

Threat ID   Threat Name                          Attack Module
32097       Rhysida Ransomware Download Threat   Network Infiltration
98719       Rhysida Ransomware Email Threat      Email Infiltration (Phishing)

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Rhysida ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs has validated the following signatures for Rhysida ransomware:

Security Control   Signature ID   Signature Name
Check Point NGFW   0CF33402D      Ransomware.Win32.Rhysida.TC.6d00DoGH
Check Point NGFW   0F317B03E      Ransomware.Win32.Rhysida.TC.dfd3tSZk
Check Point NGFW   0C32374DD      Ransomware.Win32.Rhysida.TC.1387iitY
Check Point NGFW   0B2DD14A6      Ransomware.Win32.Rhysida.TC.bbdfAFWA
Check Point NGFW   0F0D8A9BA      Trojan-Ransom.Win32.Gen.ajos.TC.4e22Iwbz
Check Point NGFW   0CB42C2B7      Trojan-Ransom.Win32.Gen.ajnh.TC.4f19
Cisco FirePower    1.62229.1      MALWARE-OTHER Win.Ransomware.Rhysida variant download attempt
Forcepoint NGFW                   File_Malware-Blocked
Fortigate AV       10137749       W32/Rhysida.B437!tr.ransom
Fortigate AV       10140570       W64/Filecoder.IN!tr.ransom
McAfee             0x4840c900     MALWARE: Malicious File Detected by GTI
Palo Alto          585407538      trojan/Win32.encoder.aag
Palo Alto          598333584      trojan/Win32.encoder.aao
Snort              1.62229.1      MALWARE-OTHER Win.Ransomware.Rhysida variant download attempt

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.