Rhysida: The New Ransomware Group

The Rhysida ransomware group was first observed in May 2023, following the emergence of their victim support chat portal hosted via TOR (.onion). Not much is currently known about the threat actors behind Rhysida in terms of origin or affiliations. They do, however, pose themselves as a “cybersecurity team” doing their victims a favor by targeting their systems and highlighting the supposed potential ramifications of the involved security issues.

Who Does Rhysida Target?

Rhysida ransomware campaigns do not appear to specific or targeted. They have attacked education, government, manufacturing, and technology and managed service provider sectors. At the time of publication of this article, over 30 organizations have been impacted. Some of their victims include:

• The Chilean Army

• Prospect Medical Holdings (USA)

• Kenyan Bureau of Standards (KEBS)

• Optimum Health Solutions (Australia)

Despite their claims that they assist victims in finding security weaknesses within their networks and system, Rhysida is a ransomware group driven by financial gains.

The first clue you may see that you have fallen victim to Rhysida are the ransom note PDF files (which typically have the name CriticalBreachDetected.pdf) scattered across affected folders on compromised computers. Cheekily, the ransom note presents itself as a "critical breach" alert from the Rhysida "cybersecurity team." Don't be under any illusions. Your computer has been the victim of a cybercriminal attack. In typical ransomware fashion, files on compromised drives have been exfiltrated and the copies left behind encrypted.

They instruct their victims to visit their support portal, and from there they are given instructions on how to purchase Bitcoin (BTC) pay the ransom.

How does Rhysida Ransomware Work?

A Trend Micro report focuses on the most commonly observed Rhysida attack chain, explaining that the threat group uses phishing emails to achieve initial access, then deploys Cobalt Strike for lateral movement, and PsExec to execute PowerShell scripts, and eventually drops the locker. The PowerShell script (g.ps1), detected as Trojan.PS1.SILENTKILL.A, is used by the threat actors to terminate antivirus-related processes and services, delete shadow copies, modify remote desktop protocol (RDP) configurations, and change the active directory (AD) password.

Rhysida ransomware employs a 4096-bit RSA key and AES-CTR for file encryption. After successful encryption, it appends the .rhysida extension and drops the ransom note CriticalBreachDetected.pdf.

Impact of Rhysida Ransomware

Rhysida ransomware holds your organization’s data hostage. If you don’t have a secure backup of that data, and depending on the laws of the country in which the organization is operating from, there may be no choice but to negotiate with the extortionists and pay the ransom. However, there is still no guarantee that the data will be recovered, and that the ransomware group will delete the stolen data.

In the event that a secure backup exists, then you not only have the hassle of restoring your systems, but you may also worry about the damage which could be done to your brand, your customer relationships, and partnerships if the Rhysida group follows through on its threats and publishes the stolen data on the dark web.

Either way, there is still the headache of determining precisely how the criminals managed to break into your computer systems and harden defenses to prevent it from happening again.

All of these scenarios lead to reputational damage, financial loss, loss of productivity, etc.

The best solution is to ensure the prevention and mitigation of the ransomware attack in the first place.

Detecting and Mitigating Rhysida Ransomware

The best practices for defending against ransomware attacks still holds true for Rhysida and other ransomware families. They include:

• Use anti-malware software and other security tools (such as XDR) capable of detecting and blocking known ransomware variants and detecting abuse of legitimate applications

• Implement backup and disaster recovery: Organizations should implement regular backup and disaster recovery (BDR) processes, to ensure that they can recover from ransomware attacks, or other disasters. This includes creating regular backups of all data and systems, and storing these backups in a secure, offsite location. The backups should be tested regularly, to ensure that they are working, and that they can be restored quickly and easily.

• Educate employees: Employees should be educated on the risks of ransomware, and on how to identify and avoid phishing emails, malicious attachments, and other threats. They should be encouraged to report suspicious emails or attachments, and to avoid opening them, or clicking on links or buttons in them.

• Update and patch systems: Organizations should regularly update and patch their systems, to fix any known vulnerabilities, and to prevent attackers from exploiting them.

• Implement strong passwords: Organizations should implement strong, unique passwords for all user accounts, and should regularly update and rotate these passwords. A reputable password manager can assist with this.

• Enable multi-factor authentication: Organizations should enable multi-factor authentication (MFA) for all user accounts, to provide an additional layer of security.

• Encrypt sensitive data wherever possible.

• Network segmentation: Restrict an attacker's ability to spread laterally through your organization by implementing network segmentation.

• Review event and incident logs.

References

• https://www.sentinelone.com/anthology/rhysida/

• https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html

• https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/

• https://www.bleepingcomputer.com/news/security/rhysida-ransomware-behind-recent-attacks-on-healthcare/

• https://www.tripwire.com/state-of-security/rhysida-ransomware-what-you-need-know

• https://blog.talosintelligence.com/rhysida-ransomware/