Heimdal Security Blog

FBI and CISA Issue Advisory on Rhysida Ransomware


Today, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have jointly issued a warning about the Rhysida ransomware group.

This gang has been attacking various organizations in different sectors since May 2023. A detailed Cybersecurity Advisory (CSA) has been released as part of the #StopRansomware initiative, highlighting the group’s methods and the risks they pose.

Details of the Rhysida Ransomware Operations

The advisory details the tactics, techniques, and procedures (TTPs), along with indicators of compromise (IOCs), identified in investigations up to September 2023. Rhysida, known for targeting various industries like education, healthcare, and government, has already victimized at least 62 companies, explains Security Affairs.

Their approach is described as opportunistic, often leveraging ransomware-as-a-service (RaaS) models.

Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors.

Open-source reporting details similarities between Vice Society (DEV-0832) activity and the actors observed deploying Rhysida ransomware.

Additionally, open-source reporting has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates.

Source: Joint Cybersecurity Advisory (CSA)

Technical Insights into the Rhysida Group’s Strategies

Rhysida ransomware attackers use external remote services, such as VPNs and RDP, for initial access and persistence in target networks.

They exploit vulnerabilities like Zerologon (CVE-2020-1472) in Microsoft’s Netlogon Remote Protocol and use living-off-the-land techniques with built-in network administration tools for their malicious activities.

The following is a list of the tools that the group uses for its activities:

Name | Description
cmd.exe | The native command line prompt utility.
PowerShell.exe | A native command line tool used to start a Windows PowerShell session in a Command Prompt window.
PsExec.exe | A tool included in the PsTools suite used to execute processes remotely. Rhysida actors heavily leveraged this tool for lateral movement and remote execution.
mstsc.exe | A native tool that establishes an RDP connection to a host.
PuTTY.exe | Rhysida actors have been observed creating Secure Shell (SSH) PuTTY connections for lateral movement. In one example, analysis of PowerShell console host history for a compromised user account revealed that Rhysida actors leveraged PuTTY to remotely connect to systems via SSH [T1021.004].
PortStarter | A backdoor script written in Go that provides functionality for modifying firewall settings and opening ports to pre-configured command and control (C2) servers. [1]
secretsdump | A script used to extract credentials and other confidential information from a system. Rhysida actors have been observed using it for NTDS dumping [T1003.003] in various instances.
ntdsutil.exe | A standard Windows tool used to interact with the NTDS database. Rhysida actors used this tool to extract and dump the NTDS.dit database from the domain controller, which contains the password hashes of all Active Directory (AD) users. Note: It is strongly recommended that organizations conduct domain-wide password resets and a double reset of the Kerberos TGT account password if there is any indication that the NTDS.dit file was compromised.
AnyDesk | Commonly used remote access software that threat actors can abuse to obtain remote access and maintain persistence [T1219]. AnyDesk also supports remote file transfer.
wevtutil.exe | A standard Windows Event Utility tool used to view event logs. Rhysida actors used this tool to clear a significant number of Windows event logs, including the system, application, and security logs [T1070.001].
PowerView | A PowerShell tool used to gain situational awareness of Windows domains. Review of PowerShell event logs identified Rhysida actors using this tool to run additional reconnaissance commands and harvest credentials.


Malicious Executables Affiliated with Rhysida Infections:

File Name | Hash (SHA256) | Description
conhost.exe | 6633fa85bb234a75927b23417313e51a4c155e12f71da3959e168851a600b010 | A ransomware binary.
psexec.exe | 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b | A file used to execute a process on a remote or local host.
S_0.bat | 1c4978cd5d750a2985da9b58db137fc74d28422f1e087fd77642faa7efe7b597 | A batch script likely used to place 1.ps1 on victim systems for ransomware staging purposes [T1059.003].
1.ps1 | 4e34b9442f825a16d7f6557193426ae7a18899ed46d3b896f6e4357367276183 | Identifies an extension block list of files to encrypt and not encrypt.
S_1.bat | 97766464d0f2f91b82b557ac656ab82e15cae7896b1d8c98632ca53c15cf06c4 | A batch script that copies conhost.exe (the encryption binary) to an imported list of host names, into the C:\Windows\Temp directory of each system.
S_2.bat | 918784e25bd24192ce4e999538be96898558660659e3c624a5f27857784cd7e1 | Executes conhost.exe on compromised victim systems, which encrypts files across the environment and appends the .Rhysida extension.
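The two tables above map directly onto things a defender can hunt for in process-creation telemetry. The following is an added example written for this post (it is not code from the advisory or from Heimdal): it runs a small rule set over constructed Security 4688 / Sysmon Event 1 style records and flags wevtutil log clearing, ntdsutil/secretsdump NTDS dumping, PuTTY SSH sessions, AnyDesk, PsExec, and the advisory's conhost.exe encryptor running outside System32. All host names, paths and command lines are constructed samples.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation records: (host, image path, command line).
# Not real telemetry and not taken from the advisory.
SAMPLE_EVENTS = [
    ("DC01", r"C:\Windows\System32\ntdsutil.exe",
     r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Temp\ifm" q q'),
    ("WS12", r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl Security"),
    ("WS12", r"C:\Windows\Temp\conhost.exe", r"conhost.exe -d C:\Users"),
    ("FS02", r"C:\Tools\PsExec.exe", r"PsExec.exe \\FS03 -s cmd.exe"),
    ("WS07", r"C:\Windows\System32\conhost.exe", "conhost.exe 0x4"),  # benign conhost
    ("WS07", r"C:\Program Files\PuTTY\putty.exe", "putty.exe -ssh admin@10.0.0.5"),
]

# Rules keyed on the tools the advisory lists: (label, reason, predicate).
# The predicate receives the lowercased image name and directory plus the raw command line.
RULES = [
    ("T1070.001", "event log cleared with wevtutil",
     lambda n, d, c: n == "wevtutil.exe" and bool(re.search(r"\b(cl|clear-log)\b", c, re.I))),
    ("T1003.003", "NTDS.dit dumped via ntdsutil IFM or secretsdump",
     lambda n, d, c: (n == "ntdsutil.exe" and bool(re.search(r"\bntds\b.*\bifm\b", c, re.I)))
     or "secretsdump" in c.lower()),
    ("T1021.004", "SSH session opened with PuTTY/plink",
     lambda n, d, c: n in ("putty.exe", "plink.exe") and "-ssh" in c.lower()),
    ("T1219", "AnyDesk remote access tool launched",
     lambda n, d, c: n.startswith("anydesk")),
    ("PsExec lateral movement", "PsExec client or service executed",
     lambda n, d, c: n in ("psexec.exe", "psexec64.exe", "psexesvc.exe")),
    ("ransomware staging", "conhost.exe running outside System32 (the advisory's encryptor "
     "is dropped under C:\\Windows\\Temp with that name)",
     lambda n, d, c: n == "conhost.exe" and not d.endswith(r"\windows\system32")),
]


def triage(events):
    """Return one hit per matching (event, rule) pair: host, label, reason, command line."""
    hits = []
    for host, image, cmdline in events:
        path = PureWindowsPath(image)
        name, directory = path.name.lower(), str(path.parent).lower()
        for label, reason, pred in RULES:
            if pred(name, directory, cmdline):
                hits.append({"host": host, "label": label, "reason": reason, "cmdline": cmdline})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["host"], hit["label"], "-", hit["reason"])
```

The benign conhost.exe launched from System32 on WS07 is deliberately left unflagged; a real deployment would feed exported 4688 or Sysmon events into `triage` instead of the constructed list.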

The advisory also lists the C2 IP addresses used for Rhysida operations.


For email addresses, files, MITRE ATT&CK tactics and techniques, and more, consult the complete advisory here.

If you liked this piece, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.