Rhysida Ransomware: History, TTPs and Adversary Emulation Plans
Written by Swapnil
Co-founder @ FourCore
Rhysida is a new player in the Ransomware space, first appearing in May 2023, and has been targeting industries all across the globe. In recent months, Rhysida has run campaigns compromising and extorting organizations from the government, education, healthcare, IT, and manufacturing sectors. Rhysida emerged in the Ransomware Space with a high-profile attack on the Chilean army. The group currently has more than 50 victims listed on its leak site.
Rhysida Ransomware History
Rhysida Ransomware is an independent group that was first observed on May 23. The group presents itself as a cybersecurity team favouring its victims by highlighting the security issues and the potential ramifications. The TTPs used by Rhysida have significant similarities with another ransomware group, Vice Society. Vice Society has been active since 2021 and follows an opportunistic attack methodology. The group exploits vulnerable web-facing applications or uses valid accounts to gain access to organisations. Vice Society’s last attacks were seen between July and October 2022.
During the emergence of Rhysida, many similarities in TTPs were noted between Rhysida and Vice Society groups—usage of the same folder name, Utilisation of SystemBC, malware for sale, and the exact name of the registry run key used for persistence—all point to the rebranding of Vice Society to Rhysida Group. Vice Society’s activities have significantly reduced after the emergence of Rhysida, and they have only published two victims on their leak site since. The two groups have also targeted similar industries, i.e. Healthcare and Education, revealing ties among Rhysida and Vice Society members.
Rhysida Ransomware Behavior
During Encryption, Rhysida uses a 4096-bit RSA key with the ChaCha20 algorithm. It uses an exclusion list to avoid encrypting certain files.
After encryption, Rhysida appends the .rhysida extension to the names of the encrypted files. It changes the wallpaper and drops a Ransom note as a PDF document.
Rhysida Ransomware TTPs
The Rhysida Ransomware operators compromise their victims opportunistically using recent exploits or utilising Valid Credentials bought on the dark web marketplace by Initial Access Brokers. During the encryption phase of their chain, they utilise either their own Rhysida payload or other ransomware payloads available in the RaaS ecosystem, such as QuantumLocker, BlackCat, and Zepplin, among others. There have been a few cases where the group did not encrypt the victim’s files but performed extortion using only exfiltrated stolen data.
Rhysida Operators perform initial access using multiple methods. They opportunistically target vulnerable web applications or acquire Valid RDP accounts or VPN Credentials by Initial Access Brokers. They have also been observed conducting successful Phishing attacks
T1078: Valid Accounts
Rhysida operators utilise valid account credentials or VPN credentials to gain access to organisations
T1190: Exploit Public Facing Applications
Rhysida operators opportunistically target vulnerable Web Facing applications and exploit them to gain access to organisations
Rhysida operators are known to conduct phishing attacks with malicious Excel payloads
After the initial access, Rhysida Operators have been seen utilising bat scripts, PS1 files and scheduled tasks to execute their payloads. The group deploys commodity tools and malware, such as CobaltStrike beacons and SystemBC, on the compromised systems.
T1059.001: Command and Scripting Interpreter: Powershell
Rhysida operators drop a variety of PowerShell scripts and execute commands using Powershell
T1059.003: Command and Scripting Interpreter: Windows Command Shell
Rhysida operators use batch scripting and execute commands using the Windows command prompt
Rhysidia operators escalate their privileges by utilising process injection to become NT Authority/System or become Domain Admin by utilising exploits such as ZeroLogon
T1055.002: Process Injection: Portable Executable Injection
Rhysida operators inject 64-bit PE ransomware into running processes to escalate its privileges.
T1068: Exploitation for Privilege Escalation
Rhysida operators exploit vulnerable machines in the environment, such as Windows Servers, to escalate their privileges to Domain Admin
During their infection chain, Rhysida Operators continuously remove any indicators of compromise. They regularly clear Windows Event logs, Delete files, and create Hidden Artifacts.
T1070.001: Indicator Removal: Clear Windows Event Logs
Rhysida operators use wevtutil.exe to clear system, application, and security event logs to avoid detection
T1070.004: Indicator Removal: File Deletion
Rhysida operators utilise PowerShell and scheduled tasks to delete any artifacts created on the system to prevent forensic scrutiny
T1564.003: Hide Artifacts: Hidden Window
Rhysida operators execute commands in hidden PowerShell windows
Once they have the right privileges, Rhysida Operators try to find credentials to spread across the organisation. They dump lsass memory, NTDS database and scour for credentials in the registry.
T1003.003: OS Credential Dumping: NTDS
Rhysida operators dump credentials using tools like secretsdump to extract credentials and dump NTDS database
T1003.001: OS Credential Dumping: LSASS Memory
Rhysida operators dump lsass.exe using a variety of methods, such as using procdump or even dumping the whole RAM to extract NTLM hashes
T1003.004: OS Credential Dumping: LSA Secrets
Rhysida operators try to extract LSA secrets by dumping SAM and SECURITY Key from the registry
During the course of the infection, Rhysidia operators discover details that may help accomplish further goals, such as lateral movement. They discover remote systems, current user permissions, and any trusts they can utilise to further their objectives.
T1016: System Network Configuration Discovery
Rhysida operators use the ipconfig command to enumerate system network configurations
T1018: Remote System Discovery
Rhysida operators use net group domain computers /domain to enumerate servers on the victim domain
T1033: System Owner/User Discovery
Rhysida operators utilise whoami and various net commands to identify logged in users and their associated privileges and groups
T1069.001: Permission Groups Discovery: Local Groups
Rhysida operators used the command net localgroup administrators to identify accounts with local administrator rights
T1069.002: Permission Groups Discovery: Domain Groups
Rhysida operators used the command net group “domain admins” /domain to identify domain administrators
T1087.002: Account Discovery: Domain Account
Rhysida operators used the command net user [username] /domain to identify account information
T1482: Domain Trust Discovery
Rhysida operators used the Windows utility nltest to enumerate domain trusts.
Rhysida Operators spread through the organisation by utilising RDP and SSH connections. They also utilise tools such as PsExec to execute commands and gain a foothold into other systems.
Rhysida operators utilise compromised user credentials with SSH using PuTTY for lateral movement.
Command and Control
Rhysida Operators leave Anydesk services running on compromised systems to obtain remote access and maintain persistence
T1219: Remote Access Software
Rhysida operators have been observed using the AnyDesk software to obtain remote access to victim systems and maintain persistence.
Rhysida Operators exfiltrate victim data using tools like DataGrabber1 and upload it to their cloud systems. The data is leaked or sold to the highest bidder if the victim doesn't pay the ransom.
T1567.002: Exfiltration to Cloud Storage
Rhysida operators exfiltrate victim user data using tools such as DataGrabber1 and upload it to their cloud VMs
Rhysida Operators are financially motivated and utilise double extortion attacks to force their victims to pay. Along with encrypting victim data, they also exfiltrate the data and threaten to publish sensitive information if the ransom is not paid
T1486: Data Encrypted for Impact
Rhysida operators encrypt victim data using a 4096-bit RSA encryption key that implements a ChaCha20 algorithm.
T1657: Financial Theft
Rhysida operators engage in “double extortion”, demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid
T1490: Inhibit System Recovery
Rhysida Operators delete shadow copies using wmic and vssadmin, kill services related to backup software and change the default RDP port to 4000.
Rhysida Ransomware Hunting & Detection
Rhysida Ransomware can be hunted for in your environment via the following rules.
The following YARA rule can be utilize for hunting Rhysidia ransomware binaries.
Most of the TTPs employed by Rhysida operators during the intrusion are typical for these ransomware intrusions, and no novel techniques were observed. This highlights the importance of understanding not just the operation of a ransomware payload but the entire process leading to its deployment. There are hallmarks of a less seasoned actor, such as the unobfuscated registry modification and PowerShell commands seen throughout the activity.
The actors leverage various tools, from the usage of remote management tools such as AnyDesk to the deployment of ransomware through PsExec, to facilitate such attacks. Closely monitoring those activities could help prevent the next ransomware attack.
Our Threat Research Team has developed adversary emulation plans for the Rhysida Ransomware utilizing analyst reports, TTPs and threat intelligence. These plans validate the effectiveness of your various security controls by emulating the TTPs and behaviours utilized by the Rhysida Ransomware group.