.svg)
.svg)
Ransomware attacks continue to threaten organizations worldwide, and new ransomware variants emerge in the cyber threat landscape on a daily basis. A new ransomware group called Rhysida began to gain notoriety with their attack campaign in the Middle East and Latin America. Rhysida ransomware gang is a group of financially motivated threat actors known for targeting the education, government, manufacturing, and tech industries. As always, Picus Labs swiftly added attack simulations for Rhysida ransomware variants as they were discovered.
In this blog, we explain the Tactics, Techniques, and Procedures (TTPs) used by Rhysida ransomware and how organizations can defend themselves against Rhysida ransomware attacks.
Watch Now!
We strongly suggest simulating Rhysida ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus The Complete Security Validation Platform.
Rhysida Ransomware Explained
Rhysida ransomware first appeared in May 2023 and infected nearly 50 organizations worldwide since then. The ransomware gang employs the Ransomware-as-a-Service (RaaS) business model and rents or sells their ransomware payloads to other threat actors. Rhysida also exfiltrates their victims' sensitive data for double extortion. The ransomware threat actors threaten to release the stolen data to the public if the victim refuses to pay the demanded ransom. Rhysida threat actors are financially motivated and known to target the government, healthcare, education, manufacturing, and technology sectors. The victimology shows that Rhysida victims are located in the Middle East, Latin America, and Europe.
For initial access, Rhysida threat actors use phishing attacks. After unsuspecting users interact with the phishing email, they deploy a Cobalt Strike beacon to their system to establish persistence and transfer additional malware from an adversary-controlled command and control (C2) server for lateral movement and data exfiltration attacks. Throughout the attack, Rhysida operators delete artifacts or log data to hinder incident response efforts. After a successful compromise, threat actors deploy the Rhysida ransomware payload and encrypt the victim's sensitive folders and files.
Rhysida ransomware follows recent ransomware trends and continues to improve its capabilities. Organizations are advised to analyze the evolving tactics of ransomware groups and validate their security posture against Rhysida ransomware's threat behaviors mapped to the MITRE ATT&CK framework.
Rhysida Ransomware Analysis and MITRE ATT&CK TTPs
Initial Access
T1078 Valid Accounts
Rhysida affiliates acquire compromised RDP and VPN accounts from Initial Access Brokers (IABs) to gain access to the victim's network.
T1566 Phishing
Rhysida ransomware operators send benign-looking emails with malicious links or attachments. When unsuspecting users open these malicious links or attachments, adversaries gain initial access to the victim's network.
Execution
T1059 Command and Scripting Interpreter
Rhysida ransomware uses PowerShell to execute commands, modify the registry, evade defenses, and deploy additional malware in the victim's environment. The command below is used by Rhysida ransomware to delete itself after the victim's files are encrypted.
|
cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path " " -ErrorAction SilentlyContinue; |
Persistence
T1053 Scheduled Task
Rhysida threat actors use scheduled tasks to establish persistence in the compromised hosts. A scheduled task named "Rhsd" points to ransomware payload, and it is executed in system startup.
|
schtasks /create /sc ONSTART /tn Rhsd /tr \"'{Malware File Path}\{Malware File Name}.exe' {accepted arguments}\" /ru system; schtasks /run /tn Rhsd /i |
Defense Evasion
T1070.004 Indicator Removal: File Deletion
After a successful compromise, Rhysida ransomware deletes itself and its artifacts to block incident response efforts.
|
schtasks /delete /tn Rhsd /f |
T1112 Modify Registry
Rhysida ransomware uses the following commands to modify Windows Registry keys to drop the ransom note. Due to the typo in the first two commands, the compromised host fails to execute them.
|
cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f |
Credential Access
T1003.003 OS Credential Dumping: NTDS
Rhysida operators use ntdsutil.exe to copy the NTDS.dit file in a temp folder. Using the extracted credentials, adversaries log in to other hosts in the victim's domain.
Lateral Movement
T1021.001 Remote Services: Remote Desktop Protocol
In addition to Initial Access, Snatch operators also use compromised valid accounts to move laterally in the victim's network via the Remote Desktop Protocol.
Command and Control
T1021.001 Remote Services
Rhysida threat actors use remote services such as Remote Desktop Protocol (RDP), Windows Remote Management (WinRm), and PsExec to move laterally in the compromised network.
Exfiltration
T1041 Exfiltration Over C2 Channel
Rhysida operators collect and send the victim's sensitive data to an adversary-controlled command and control (C2) server before encrypting them. The stolen data is used in double extortion to pressure victims into paying the demanded ransom.
Impact
T1486 Data Encrypted for Impact
Rhysida locker uses a hybrid encryption approach and uses both RSA and ChaCha20 algorithms in combination. After files are encrypted, they are appended with the .rhysida extension.
T1490 Inhibit System Recovery
Rhysida threat actors delete all volume shadow copies of the infected host to prevent victims from recovering their files.
|
cmd.exe vssadmin delete shadows /all /quiet |
How Picus Helps Simulate Rhysida Ransomware Attacks?
We also strongly suggest simulating Rhysida ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as LockBit, REvil, and GandCrab, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Rhysida ransomware:
|
Threat ID |
Threat Name |
Attack Module |
|
32097 |
Rhysida Ransomware Download Threat |
Network Infiltration |
|
98719 |
Rhysida Ransomware Email Threat |
Email Infiltration (Phishing) |
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Rhysida ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Rhysida ransomware:
|
Security Control |
Signature ID |
Signature Name |
|
Check Point NGFW |
0CF33402D |
Ransomware.Win32.Rhysida.TC.6d00DoGH |
|
Check Point NGFW |
0F317B03E |
Ransomware.Win32.Rhysida.TC.dfd3tSZk |
|
Check Point NGFW |
0C32374DD |
Ransomware.Win32.Rhysida.TC.1387iitY |
|
Check Point NGFW |
0B2DD14A6 |
Ransomware.Win32.Rhysida.TC.bbdfAFWA |
|
Check Point NGFW |
0F0D8A9BA |
Trojan-Ransom.Win32.Gen.ajos.TC.4e22Iwbz High |
|
Check Point NGFW |
0CB42C2B7 |
Trojan-Ransom.Win32.Gen.ajnh.TC.4f19 |
|
Cisco FirePower |
1.62229.1 |
MALWARE-OTHER Win.Ransomware.Rhysida variant download attempt |
|
Forcepoint NGFW |
|
File_Malware-Blocked |
|
Fortigate AV |
10137749 |
W32/Rhysida.B437!tr.ransom |
|
Fortigate AV |
10140570 |
W64/Filecoder.IN!tr.ransom |
|
McAfee |
0x4840c900 |
MALWARE: Malicious File Detected by GTI |
|
Palo Alto |
585407538 |
trojan/Win32.encoder.aag |
|
Palo Alto |
598333584 |
trojan/Win32.encoder.aao |
|
Snort |
1.62229.1 |
MALWARE-OTHER Win.Ransomware.Rhysida variant download attempt |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus The Complete Security Validation Platform.
