March 13, 2025

Rhysida Ransomware


Rhysida ransomware emerged in May 2023 as a significant threat in the cybersecurity landscape. Operating as a Ransomware-as-a-Service (RaaS), Rhysida employs double extortion tactics, encrypting victim data and threatening to publicly release stolen information if a ransom is not paid. This combination of encryption and data exfiltration makes Rhysida a particularly dangerous threat to organizations across various sectors. The group's rapid rise and high-profile attacks, coupled with its potential links to other established ransomware groups, warrant a thorough examination of its tactics, techniques, and procedures (TTPs) to inform effective defense strategies. The group's name and logo are derived from the Rhysida genus of centipedes.

II. Origins & Evolution

Rhysida ransomware was first observed in May 2023. The group quickly established a victim support chat portal, accessible via a TOR (.onion) address, demonstrating an organized operational structure from its inception. Interestingly, Rhysida actors present themselves as a "cybersecurity team," claiming to highlight security vulnerabilities in targeted organizations. This disingenuous framing attempts to legitimize their criminal activities.

While the group's exact origins remain unclear, there is strong evidence suggesting a connection to Vice Society ransomware. Cybersecurity researchers and a joint Cybersecurity Advisory (CSA) from CISA, FBI, and MS-ISAC have noted significant similarities between Rhysida's TTPs and those of Vice Society (DEV-0832). This includes overlapping tactics, the use of each other's payloads in some instances, similar encryption methods and ransom notes, and the use of shared infrastructure (servers and domains). Furthermore, Vice Society's activity reportedly decreased around the time Rhysida emerged, leading to speculation that Rhysida may be a rebranding or a splinter group of Vice Society. Vice Society, known for targeting the education sector, shares a similar victimology profile with Rhysida, further strengthening the connection hypothesis.

The initial versions of Rhysida ransomware were considered relatively unsophisticated, lacking features commonly found in more mature ransomware families (like automatic deletion of Volume Shadow Copies). This "basic" nature of the malware, combined with the group's early success in targeting significant organizations, presents a paradox. It highlights that even relatively simple ransomware can be highly effective, particularly when combined with strong social engineering or exploitation of unpatched vulnerabilities. Since its emergence, Rhysida has shown signs of ongoing development, with new variants incorporating features like the SILENTKILL script (to terminate antivirus processes) and a Linux version, indicating the group's commitment to expanding its capabilities and target range.

III. Tactics & Techniques

Rhysida employs a range of TTPs throughout the attack lifecycle, from initial access to data exfiltration and encryption. Understanding these tactics is crucial for developing effective detection and mitigation strategies.

  • Initial Access: Rhysida actors primarily gain initial access through:

    • Compromised Credentials: Exploiting valid accounts, particularly for VPN access. The lack of multi-factor authentication (MFA) on VPNs is a significant vulnerability that Rhysida leverages.

    • Phishing Campaigns: Using phishing emails to deliver malware or trick users into providing credentials, so staff need to be able to recognize the common forms phishing takes.

    • Exploiting Vulnerabilities: Targeting known vulnerabilities, particularly Zerologon (CVE-2020-1472), a critical vulnerability in Microsoft's Netlogon Remote Protocol. This highlights the importance of timely patching, as a patch for Zerologon has been available since August 2020. They also use Typosquatting and SEO Poisoning.

  • Reconnaissance and Lateral Movement: Once inside the network, Rhysida actors rely heavily on "living off the land" techniques, utilizing native Windows tools for reconnaissance and lateral movement. This makes detection more challenging, as these tools are often used legitimately by system administrators. Key tools and commands include:

    • ipconfig (T1016): To gather network configuration information.

    • whoami (T1033): To identify the current user context.

    • nltest (T1482): For domain trust discovery.

    • net commands (T1087.002, T1018, T1069.002, T1069.001): For user and group enumeration, remote system discovery, and permission group discovery.

    • RDP connections (mstsc.exe) (T1021.001): For lateral movement.

    • PsExec.exe: For remote command execution.

    • PuTTY.exe: For SSH connections.

  • Defense Evasion

    • Rhysida's observed behaviors span the ATT&CK tactics of defense evasion (including process injection), credential access, discovery, lateral movement, command and control, and impact.

    • It leverages tools such as PowerShell, wevtutil.exe, secretsdump, cmd.exe.

    • The ransomware attempts to delete itself after encryption is complete.

    • wevtutil.exe is also employed to clear event logs, further hindering detection and forensic analysis.

  • Credential Access: Rhysida actors employ tools to extract credentials and escalate privileges:

    • secretsdump: For dumping NTDS (NT Directory Services) secrets.

    • ntdsutil.exe: For extracting the NTDS database, which contains critical Active Directory information, including password hashes. This is a high-impact action.

  • Persistence:

    • Rhysida utilizes AnyDesk for establishing remote access and persistence on compromised systems.

  • Data Exfiltration:

    • Actors stage malicious executables and data in folders named "in" and "out" located in the C:\ drive.

    • Data is exfiltrated before encryption, often using tools like MegaSync and custom PowerShell scripts.

  • Encryption:

    • Rhysida encrypts files with the ChaCha20 cipher and protects the encryption keys with a 4096-bit RSA key, the usual hybrid scheme that makes recovery without the attackers' private key infeasible.

    • Encrypted files are renamed with the .rhysida extension.

    • A ransom note, "CriticalBreachDetected.pdf," is dropped, providing instructions for contacting the attackers via a Tor-based portal and a unique code for each victim. The note's contents are also embedded in plain text within the ransomware binary, allowing for string-based detection.

  • Command and Control:

    • CleanUpLoader, a loader seen in Rhysida intrusions, communicates with its C2 over HTTPS and is configured with multiple domains so that command and control survives the loss of any single one.
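The reconnaissance, defense evasion, credential access, persistence and exfiltration tooling listed above is all visible in process-creation telemetry (Sysmon Event ID 1 or Windows 4688). The following detector is an added example, not code from the original article or from any vendor: it runs a small set of rules over constructed, made-up sample events (hostnames, users, timestamps and command lines are all invented) and flags a burst of distinct discovery binaries from one host, event-log clearing with wevtutil, NTDS extraction with ntdsutil, and the remote-access and exfiltration tools the article names. The five-minute window and the threshold of three distinct discovery tools are assumed tuning values.

```python
"""Detection over process-creation telemetry for Rhysida-style living-off-the-land activity.

Added example, not from the original article. SAMPLE_EVENTS are constructed
Sysmon Event ID 1 / Windows 4688-style records reduced to the fields the rules
need; every hostname, user, timestamp and command line below is made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Discovery binaries the article lists as Rhysida reconnaissance (T1016, T1033, T1482, T1087/T1018/T1069)
DISCOVERY_CMDS = {"ipconfig.exe", "whoami.exe", "nltest.exe", "net.exe", "net1.exe"}
# Remote access, remote execution and exfiltration tooling named in the article
SUSPECT_TOOLS = {"anydesk.exe": "AnyDesk remote access (persistence)",
                 "megasync.exe": "MegaSync (data exfiltration)",
                 "psexec.exe": "PsExec remote execution",
                 "putty.exe": "PuTTY SSH client"}
DISCOVERY_WINDOW = timedelta(minutes=5)   # assumed tuning value
DISCOVERY_THRESHOLD = 3                    # distinct discovery binaries from one host inside the window (assumed)

# Constructed sample telemetry (not real logs)
SAMPLE_EVENTS = [
    {"ts": "2025-03-10T02:14:01", "host": "WS-017", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": "2025-03-10T02:14:05", "host": "WS-017", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\whoami.exe", "cmdline": "whoami /all"},
    {"ts": "2025-03-10T02:14:40", "host": "WS-017", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\nltest.exe", "cmdline": "nltest /domain_trusts /all_trusts"},
    {"ts": "2025-03-10T02:15:12", "host": "WS-017", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net group \"Domain Admins\" /domain"},
    {"ts": "2025-03-10T02:31:00", "host": "DC-01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\ntdsutil.exe", "cmdline": "ntdsutil \"ac i ntds\" ifm \"create full C:\\out\" q q"},
    {"ts": "2025-03-10T02:40:22", "host": "WS-017", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\MEGAsync\\MEGAsync.exe", "cmdline": "MEGAsync.exe"},
    {"ts": "2025-03-10T03:02:10", "host": "DC-01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"ts": "2025-03-10T09:00:00", "host": "WS-042", "user": "CORP\\helpdesk", "image": "C:\\Windows\\System32\\ipconfig.exe", "cmdline": "ipconfig"},
]


def _basename(path):
    """Lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def _parse_ts(s):
    return datetime.fromisoformat(s)


def detect_discovery_bursts(events):
    """Alert when >= DISCOVERY_THRESHOLD distinct discovery binaries run on one host within DISCOVERY_WINDOW.

    A single ipconfig from an admin (WS-042 in the sample) stays below the threshold;
    the ipconfig/whoami/nltest/net sequence on WS-017 does not.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        name = _basename(ev["image"])
        if name in DISCOVERY_CMDS:
            by_host[ev["host"]].append((_parse_ts(ev["ts"]), name))
    alerts = []
    for host, runs in by_host.items():
        for i, (start, _) in enumerate(runs):
            seen = {n for t, n in runs[i:] if t - start <= DISCOVERY_WINDOW}
            if len(seen) >= DISCOVERY_THRESHOLD:
                alerts.append({"rule": "discovery_burst", "host": host,
                               "tools": sorted(seen), "first_seen": start.isoformat()})
                break  # one alert per host is enough for triage
    return alerts


def detect_single_events(events):
    """Point rules: log clearing, NTDS extraction, and the named remote-access/exfil tools."""
    alerts = []
    for ev in events:
        name = _basename(ev["image"])
        cmd = ev["cmdline"]
        if name == "wevtutil.exe" and re.search(r"\bcl\b|clear-log", cmd, re.I):
            alerts.append({"rule": "event_log_cleared", "host": ev["host"], "cmdline": cmd})
        elif name == "ntdsutil.exe" and re.search(r"\bifm\b|\bntds\b", cmd, re.I):
            alerts.append({"rule": "ntds_extraction", "host": ev["host"], "cmdline": cmd})
        elif name in SUSPECT_TOOLS:
            alerts.append({"rule": "suspect_tool", "host": ev["host"],
                           "tool": SUSPECT_TOOLS[name], "cmdline": cmd})
    return alerts


def analyze(events):
    """Run all rules and return the combined alert list."""
    return detect_discovery_bursts(events) + detect_single_events(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The burst rule is deliberately host-scoped and counts distinct binaries rather than raw executions, which keeps a help-desk technician running a single ipconfig out of the alert queue while still catching the short enumeration sequence that precedes lateral movement; the point rules fire on one event each because log clearing on a domain controller or an NTDS dump has no benign high-volume equivalent.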

IV. Targets or Victimology

Rhysida ransomware has demonstrated a broad targeting strategy, impacting organizations across various sectors and geographic locations. This "targets of opportunity" approach suggests a primary motivation of financial gain, rather than specific geopolitical objectives (although the potential for state-sponsored connections should not be entirely dismissed, given the possible link to Vice Society). Regular vulnerability assessments help identify and prioritize the exposures that such opportunistic actors look for.

  • Targeted Industries: Rhysida has notably impacted:

    • Healthcare: This sector is a frequent target due to the sensitivity of patient data and the critical need for operational continuity, making organizations potentially more likely to pay ransoms. Attacks on Prospect Medical Holdings, Unimed, and Lurie's Children's Hospital highlight this focus.

    • Education: Schools and universities are also targeted, aligning with the observed patterns of Vice Society.

    • Manufacturing: Disrupting manufacturing operations can lead to significant financial losses.

    • Information Technology: IT companies are attractive targets due to their potential access to client networks, offering a pathway for supply-chain attacks.

    • Government: Targeting government entities can provide access to sensitive information and disrupt public services.

    • Critical Infrastructure: Hospitals, schools, power plants, public institutions.

  • Geographic Distribution: Rhysida has impacted organizations globally, including:

    • North America: The United States has been a significant target, with numerous healthcare and education institutions affected.

    • Europe: The UK (British Library, King Edward VII's Hospital) and other European countries have experienced Rhysida attacks.

    • South America: Organizations in South America have also appeared among Rhysida's victims.

    • Middle East: Victims have likewise been reported in the Middle East.

  • Organizational Size: While Rhysida has targeted some large organizations (e.g., Prospect Medical Holdings, British Library), the "targets of opportunity" approach suggests they are not exclusively focused on large enterprises.

V. Attack Campaigns

Several high-profile attacks have been attributed to Rhysida ransomware, demonstrating the group's capabilities and impact:

  1. Prospect Medical Holdings (August 2023): This attack severely impacted 17 hospitals and 166 clinics in the United States. Rhysida actors exfiltrated 1.3 TB of SQL databases and 1 TB of documents, including sensitive patient records and Social Security numbers. The attack forced a reversion to paper-based records and caused significant delays in patient care.

  2. British Library (October/November 2023): This attack resulted in the theft of 600GB of data, including personal information of users and staff. The library chose not to pay the ransom, and recovery costs were estimated to be substantial (millions of pounds). This attack highlighted the vulnerability of legacy systems and the long-term impact of ransomware attacks.

  3. Insomniac Games (December 2023): Rhysida stole and leaked sensitive data from the game developer, including HR documents, employee passport scans, details of upcoming projects, and contracts. This attack demonstrates Rhysida's willingness to publicly release stolen data.

  4. King Edward VII's Hospital (Late November 2023): Rhysida claimed to have stolen data related to the Royal Family, although this was not confirmed. Other patient data was compromised.

  5. HSE (Slovenian Power Generation Company, November 2023): This attack targeted critical infrastructure. While power generation was reportedly not disrupted, Rhysida stole contracts, invoices, legal documents, and financial data.

  6. Chilean Army: Demonstrates international reach and potential geopolitical implications.

  7. World Council of Churches (December 26, 2023)

  8. London High School

  9. U.K. Vocational Training School

  10. Kaunas University of Technology in Lithuania

  11. Tshwane University of Technology in South Africa

  12. Sports Club in Qatar

VI. Defenses

Combating Rhysida ransomware requires a multi-layered defense strategy that incorporates proactive prevention, robust detection, and effective incident response.

  • Multi-Factor Authentication (MFA): Enforce MFA, especially for VPNs, remote access services (like RDP), and critical systems. This is crucial for preventing Rhysida's common initial access tactic of exploiting compromised credentials.

  • Patch Management: Regularly patch and update all systems, prioritizing known exploited vulnerabilities in internet-facing systems. Specifically, ensure the Zerologon vulnerability (CVE-2020-1472) is patched. A documented patch management process keeps this from being a one-off exercise.

  • Network Segmentation: Implement network segmentation to limit the lateral movement of attackers within the network. This can contain the spread of ransomware even if one part of the network is compromised.

  • Least Privilege: Apply the principle of least privilege, granting users only the minimum access rights necessary for their roles. This limits the potential damage an attacker can cause with compromised credentials.

  • User Awareness Training: Educate users about phishing attacks, social engineering tactics, and the dangers of opening suspicious attachments or clicking on unknown links. This is critical for preventing initial access via phishing.

  • Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor endpoints for suspicious activity and provide rapid response capabilities. Centralized logging, especially on domain controllers, is crucial.

  • Disable Unused Services and Ports: Disable RDP if it's not needed. Close unused ports to reduce the attack surface.

  • Offline Backups: Maintain regular, offline, encrypted, and immutable backups of critical data. Test the restoration process regularly to ensure data can be recovered quickly in the event of an attack.

  • Email Security: Implement email security measures, such as email banners for external emails and disabling hyperlinks in emails from untrusted sources.

  • PowerShell Hardening: Update PowerShell to the latest version, uninstall older versions, enable enhanced logging, and restrict PowerShell execution where possible.

  • Network Monitoring: Implement network monitoring tools to detect unusual traffic patterns, communication with known C2 servers, and potential data exfiltration attempts. A SIEM or security information and event management system can assist with this.

  • Advanced Threat Detection: Implement detection rules for file scanning and log analysis.

  • Incident Response Plan: Develop and regularly test an incident response plan so that the organization can respond to a ransomware attack in a coordinated and practiced way.

  • Validation of Security Controls: Emphasize the importance of regularly testing and validating security controls against the ATT&CK techniques.

  • Secure-by-Design and -Default: Favor products and configurations built on secure-by-design and secure-by-default principles, so that hardening is not left entirely to the deploying organization.
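The "Advanced Threat Detection" item above calls for file scanning rules, and the Encryption section gives the artifacts such a scan can key on: the .rhysida extension, the CriticalBreachDetected.pdf ransom note, and the note text embedded in plain text in the binary. The script below is an added example, not code from the original article: it builds a constructed directory tree in a temporary folder (no real victim data), counts encrypted files and ransom notes per directory, assigns a crude triage severity, and runs a YARA-style byte search over a constructed fake binary. The note file name and extension are from the article; the severity thresholds and the second marker string are assumptions.

```python
"""Filesystem triage for Rhysida encryption artifacts: .rhysida extension, the
CriticalBreachDetected.pdf ransom note, and note text embedded in a binary.

Added example, not from the original article. The directory tree and the fake
"binary" are constructed in a temp dir so the script runs offline; the marker
strings come from the article's description, the thresholds are assumed.
"""
import os
import tempfile
from pathlib import Path

RANSOM_NOTE_NAME = "CriticalBreachDetected.pdf"   # ransom note name given in the article
ENCRYPTED_EXT = ".rhysida"                        # extension appended to encrypted files
# Strings to look for in a suspect binary. The article states the note text is
# embedded in plain text; these two are the note name and extension, not verified IoCs.
NOTE_MARKERS = [b"CriticalBreachDetected", b".rhysida"]
CRITICAL_FILE_COUNT = 10                          # assumed triage threshold


def scan_tree(root):
    """Walk root and count encrypted files, ransom notes and the directories holding them."""
    encrypted, notes, dirs_hit = [], [], set()
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if fn.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(full)
                dirs_hit.add(dirpath)
            elif fn == RANSOM_NOTE_NAME:
                notes.append(full)
                dirs_hit.add(dirpath)
    return {"encrypted_files": len(encrypted), "ransom_notes": len(notes),
            "affected_dirs": sorted(dirs_hit), "samples": encrypted[:5]}


def string_scan(path, markers=NOTE_MARKERS):
    """Return the marker strings present in the raw bytes of a file (cheap YARA-style check)."""
    data = Path(path).read_bytes()
    return [m.decode() for m in markers if m in data]


def severity(report):
    """Crude triage: a ransom note or many encrypted files is critical, a few is suspicious."""
    if report["ransom_notes"] or report["encrypted_files"] >= CRITICAL_FILE_COUNT:
        return "critical"
    if report["encrypted_files"]:
        return "suspicious"
    return "clean"


def build_demo_tree():
    """Create a constructed directory that mimics a partly encrypted share (not real victim data)."""
    root = tempfile.mkdtemp(prefix="rhysida_demo_")
    share = Path(root, "finance")
    share.mkdir()
    for i in range(12):
        # constructed "encrypted" files: random bytes with the renamed extension
        (share / f"report{i}.xlsx{ENCRYPTED_EXT}").write_bytes(os.urandom(64))
    (share / RANSOM_NOTE_NAME).write_bytes(b"%PDF-1.4 constructed placeholder, not a real note")
    (Path(root) / "readme.txt").write_text("untouched file")
    # constructed fake "binary" carrying the note text in plain text between random bytes
    fake_bin = Path(root, "sample.bin")
    fake_bin.write_bytes(b"MZ" + os.urandom(32)
                         + b"CriticalBreachDetected ... extension .rhysida"
                         + os.urandom(16))
    return root, str(fake_bin)


if __name__ == "__main__":
    root, sample = build_demo_tree()
    report = scan_tree(root)
    print(report, severity(report))
    print("markers in sample:", string_scan(sample))
```

Run against a real share, scan_tree's affected_dirs gives responders the blast radius and samples gives a handful of paths to pull for the decryptor check mentioned in the conclusion; the byte search is deliberately simple so it can be lifted straight into a YARA rule or an EDR custom IoC once the marker strings have been confirmed against a captured sample.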

VII. Conclusion

Rhysida ransomware represents a significant and evolving threat to organizations across various sectors. Its use of double extortion tactics, reliance on "living off the land" techniques, and potential connection to Vice Society make it a formidable adversary. While early versions of the ransomware were relatively unsophisticated, the group has demonstrated a commitment to ongoing development and expansion of its capabilities. The existence of a decryption tool (for some variants) offers a glimmer of hope, but prevention remains the most effective defense. Organizations must prioritize robust security measures, including MFA, patching, network segmentation, user awareness training, and EDR, to mitigate the risk posed by Rhysida and other ransomware threats. The threat landscape is constantly evolving, and continuous vigilance, adaptation, and information sharing are essential for staying ahead of emerging threats like Rhysida. Keeping indicators of compromise current means following new advisories and threat intelligence as they are published.



Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
