Ransomware Spotlight: Rhysida




Rhysida

By Trend Research


View infographic of View infographic of "Ransomware Spotlight: Rhysida"

The threat actors behind the Rhysida ransomware targeted multiple industries by posing as a cybersecurity team that offered to help its victims identify security weaknesses in their networks and systems. Although the group’s activity was first observed back in May 2023, its leak site was established as early as March 2023. Like other ransomware groups, it employs double extortion tactics to pressure its victims into paying a ransom demand in bitcoin.

What organizations need to know about Rhysida ransomware

Motivated by financial gain, Rhysida’s operators have been known to use phishing attacks as a means of gaining initial access, after which Cobalt Strike is used for lateral movement in infected machines. In July 2023, our telemetry found that the Rhysida ransomware was using PsExec to deliver a script, detected as SILENTKILL, to terminate antivirus programs.

In August, our telemetry found PowerShell versions of the Rhysida ransomware. Notably, the PowerShell variant does not include any command-line arguments for execution. In the same month, the Health Sector Cybersecurity Coordination Center (HC3) also issued a security alert about Rhysida targeting the health sector, stating that the group has hit several healthcare providers and hospitals.

Similarly, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on Rhysida in November 2023 that pointed to similarities between the group’s tactics, techniques, and procedures (TTPs) and those of another ransomware group called Vice Society, which had also been found to be using the Rhysida ransomware. The Linux version of Rhysida was released within the same month.

Earlier this month, South Korean researchers from Kookmin University released a technical paper detailing their discovery of an implementation vulnerability in Rhysida’s code. An automated Rhysida decryption tool has also been made publicly available on the Korea Internet and Security Agency’s (KISA) website.

Top affected countries and industries according to Trend Micro data

This section discusses Trend Micro™ Smart Protection Network™ data on Rhysida’s attempts to compromise organizations. Although Rhysida activity was first spotted in May 2023, these detections were collected from January 2023 to January 2024 and pertain only to Trend customers. In this period, Rhysida attack attempts climbed steadily, peaking in December 2023 before a steep decline the following month.

A monthly breakdown of detected Rhysida ransomware attempted attacks in terms of infected machines (January 2023 – January 2024)

Figure 1. A monthly breakdown of detected Rhysida ransomware attempted attacks in terms of infected machines (January 2023 – January 2024)
Source: Trend Micro™ Smart Protection Network™


Jordan topped the list of Rhysida attack detections at 24.5%, with the United States and Indonesia following at 16% and 11.7%, respectively. Taiwan and Singapore rounded up the top five countries targeted by Rhysida over this period of activity.

Figure 2. Countries with the highest number of attack attempts in terms of infected machines for Rhysida ransomware (January 2023 – January 2024)

Figure 2. Countries with the highest number of attack attempts in terms of infected machines for Rhysida ransomware (January 2023 – January 2024)
Source: Trend Micro Smart Protection Network


Based on feedback from Trend customers who specified their industries, the cybercriminals behind the Rhysida ransomware set their sights on many healthcare organizations, with these attack attempts composing 4.8% of total detections. Rhysida also targeted enterprises in the manufacturing and finance industries.

Figure 3.  An industry breakdown of Rhysida ransomware attack attempts in terms of infected machines (January 2023 – January 2024)

Figure 3. An industry breakdown of Rhysida ransomware attack attempts in terms of infected machines (January 2023 – January 2024)
Source: Trend Micro Smart Protection Network

Targeted regions and industries according to Rhysida’s leak site

This section examines data observed on the Rhysida ransomware's leak site from June 7, 2023 to Jan. 13, 2024. Based on Trend’s open-source intelligence (OSINT) research and our investigation of the leak site within this period, the Rhysida ransomware compromised a total of 71 organizations that refused to pay the ransom demand as of this writing.

European organizations made up the lion's share of victims identified in Rhysida’s leak site at 46.5%, followed by 23.9% of organizations that were operating from North America. Those in the Middle East were also at the receiving end of Rhysida attacks at 9.9%.

Figure 4. The distribution by region of Rhysida ransomware’s victim organizations (June 7, 2023 – Jan. 13, 2024)

Figure 4. The distribution by region of Rhysida ransomware’s victim organizations (June 7, 2023 – Jan. 13, 2024)
Sources: Rhysida ransomware’s leak site and Trend’s OSINT research

However, the United States topped the list of countries targeted by Rhysida attacks, composing 22.5% of the victim organizations. Those from the United Kingdom accounted for 14.1% of Rhysida victims, while organizations based in Italy made up 9.9%.

Figure 5. The distribution by country of Rhysida ransomware’s victim organizations (June 7, 2023 – Jan. 13, 2024)

Figure 5. The distribution by country of Rhysida ransomware’s victim organizations (June 7, 2023 – Jan. 13, 2024)
Sources: Rhysida ransomware’s leak site and Trend’s OSINT research


According to the leak site data, the academe was the most heavily targeted industry by Rhysida ransomware attacks at 35.2%. Healthcare organizations and the government sector were also affected, at 12.7% and 11.3%, respectively.

Figure 6. The distribution by industry of Rhysida ransomware’s victim organizations (June 7, 2023 – Jan. 13, 2024)

Figure 6. The distribution by industry of Rhysida ransomware’s victim organizations (June 7, 2023 – Jan. 13, 2024)
Sources: Rhysida ransomware’s leak site and Trend’s OSINT research

Rhysida focused primarily on small-sized businesses that had one to 200 employees and which composed more than half of the targeted organizations at 53.5%. Mid-sized businesses were a distant second at 21.1%, with enterprises trailing behind at 14.1%.

Figure 7. The distribution by organization size of Rhysida ransomware’s victim organizations (June 7, 2023 – Jan. 13, 2024)

Figure 7. The distribution by organization size of Rhysida ransomware’s victim organizations (June 7, 2023 – Jan. 13, 2024)
Sources: Rhysida ransomware’s leak site and Trend’s OSINT research

Infection chain and techniques

Figure 8. Trigona ransomware’s infection chain

Figure 8. Rhysida ransomware infection chain


Initial Access

  • Rhysida’s threat actors allegedly use phishing for initial access.

Defense Evasion, Discovery

  • The Rhysida ransomware drops PowerShell scripts (detected as SILENTKILL) to terminate antivirus-related processes and services, delete shadow copies, and modify Active Directory passwords. These scripts are also used to set up WinRM connections.

Lateral Movement

    • Rhysida operators use Cobalt Strike beacons upon initial access. Additionally, they have been observed using PsExec to deploy the PowerShell scripts and the ransomware binary.

Impact

  • The Rhysida ransomware uses a 4096-bit RSA key and AES for file encryption. 

Other technical details

  • Rhysida’s binaries accept the following command-line arguments:
    • -d {path to encrypt} – Used to specify directory to encrypt
    • -sr – Used to delete itself after encryption
    • nobg – Used to disable modification of desktop wallpaper after encryption
    • -md5
    • -S – Executes the following:
      — Avoids ransomware routine
      — Creates scheduled tasks named “Rhsd”
  • The Rhysida ransomware contains a list of strings of files and directories to avoid.

The Windows version avoids encrypting directories with these strings in their file path:

    • $Recycle.Bin
    • Boot
    • Documents and Settings
    • PerfLogs
    • ProgramData
    • Recovery
    • System Volume Information
    • Windows
    • $RECYCLE.BIN
    • ApzData

The Linux version avoids encrypting directories with these strings in their file path:

    • /boot
    • /cdrom
    • /dev
    • /etc
    • /lib
    • /lib32
    • /lib32
    • /lib64
    • /libx32
    • /lost+found
    • /media
    • /opt
    • /proc
    • /run
    • /sbin
    • /sbin
    • /snap
    • /srv
    • /sys
    • /tmp
    • /usr

The Linux version avoids encrypting this file:

    • boot.cfg
  • The Rhysida ransomware also contains a list of extensions of files to avoid.

The Windows version avoids encrypting files with the following extensions:

    • .bat
    • .bin
    • .cab
    • .cmd
    • .com
    • .cur
    • .diagcab
    • .diagcfg
    • .diagpkg
    • .drv
    • .dll
    • .exe
    • .hlp
    • .hta
    • .ico
    • .msi
    • .ocx
    • .ps1
    • .psm1
    • .scr
    • .sys
    • .ini
    • Thumbs.db
    • .url
    • .iso

The Linux version avoids encrypting files with the following extensions:

    • .sf
    • .b00
    • .v00
    • .v01
    • .v02
    • .v03
    • .v04
    • .v05
    • .v06
    • .v07
    • .t00
    • .tgz
    • .z
  • The Rhysida ransomware drops a ransom note:

Figure 9. Rhysida ransomware’s ransom note

Figure 9. Rhysida ransomware’s ransom note

  • Encryption method: The ransomware uses a 4096-bit RSA key and AES for file encryption.

MITRE tactics and techniques

PersistenceDefense EvasionDiscoveryImpact

T1053.005 - Scheduled Task/Job: Scheduled Task
When executed with the command-line -S, it will install the following scheduled task:

Task: Rhsd
Trigger: At system start Up
Action: "{Malware File Path}\{Malware File name}" –{additional arguments could be -d, -sr, -nobg, or -md5}

T1070.004 - Indicator Removal: File Deletion
It deletes itself after execution.
For the Linux counterpart:

•If executed with the command-line -sr, it will delete itself using the following command:
 •/bin/rm -f {Malware file name}

T1222.002 - File and Directory Permissions Modification: It uses chmod to modify permissions of files it modifies to display the ransom note.

T1083 - File and Directory Discovery
It enumerates and looks for files to encrypt in all local drives. It contains a specific list of extensions and folders that it can use to verify which files to avoid encrypting.

T1082 - System Information Discovery
It obtains the following information:

•Number of processors
•System information

T1486 - Data Encrypted for Impact
It uses a 4096-bit RSA key and AES for file encryption. It avoids encrypting files with the following strings in their file name:

•.bat
•.bin
•.cab
•.cmd
•.com
•.cur
•.diagcab
•.diagcfg
•.diagpkg
•.drv
•.dll
•.exe
•.hlp
•.hta
•.ico
•.msi
•.ocx
•.ps1
•.psm1
•.scr
•.sys
•.ini
•Thumbs.db
•.url
•.iso

It avoids encrypting files found in the following folders:

•$Recycle.Bin
•$RECYCLE.BIN
•ApzData
•Boot
•Documents and Settings
•PerfLogs
•ProgramData
•Recovery
bull;System Volume Information
•Windows


It drops the following ransom note:

•{Encrypted Directory}\CriticalBreachDetected.pdf

For the PowerShell version, it avoids encrypting files with the following strings in their file name:

•CriticalBreachDetected.pdf
•CriticalBreachDetected

It drops the following ransom note:

•boot.cfg

It avoids encrypting files with the following extensions:

•.sf
•.b00
•.v00
•.v01
•.v02
•.v03
•.v04
•.v05
•.v06
•.v07
•.t00
•.tgz
•.z


It avoids encrypting files found in the following folders:

•/boot
•/cdrom
•/dev
•/etc
•/lib
•/lib32
•/lib64
•/libx32
•/lost+found
•/media
•/opt
•/run
•/sbin
•/snap
•/srv
•/sys
•/tmp
bull;/usr


T1490 - Inhibit System Recovery
It uses vssadmin to remove volume shadow copies.

T1491.001 - Internal Defacement
It changes the desktop wallpaper after encryption and prevents the user from changing it back by modifying the NoChangingWallpaper registry value.

Trend Micro Vision One hunting query

Trend Vision One customers can use the following hunting query to search for Rhysida ransomware within their system:

processCmd:"powershell.exe*\\*$\?.ps1" OR (objectFilePath:"?:*\\??\\psexec.exe" AND
processCmd:"*cmd.exe*\\??\\??.bat")

Summary of malware, tools, and exploits used

Initial AccessLateral MovementDefense EvasionImpact
  • Phishing

    Rhysida has been known to employ phishing as a means of initial access.
  • PsExec

    This is the Microsoft tool used for remote execution.
  • SILENTKILL

    This is used to terminate antivirus processes.
  • Rhysida ransomware

    This is the ransomware payload.
  • Cobalt Strike beacons

    This is the third-party tool abused to deliver other related tools and execute arbitrary commands.
  • SYSTEMBC

    External reports indicate that this backdoor was used on Rhysida-infected machines.

Security recommendations

<

Although the Rhysida ransomware has kept a low profile so far, its ties to other ransomware groups and the ruse with which it lures in victims only stress the importance of staying vigilant in the face of insidious cyberattacks. The evolution of ransomware threats like Rhysida is a clarion call for organizations to bolster their security posture and develop a solid defense strategy. We list security best practices that businesses can adopt to better protect themselves and their data from the risk of Rhysida ransomware infection here:


Audit and inventory

  • Take an inventory of assets and data.
  • Identify authorized and unauthorized devices and software.
  • Make an audit of event and incident logs.

Configure and monitor

  • Manage hardware and software configurations.
  • Grant admin privileges and access only when necessary to an employee’s role.
  • Monitor network ports, protocols, and services.
  • Activate security configurations on network infrastructure devices such as firewalls and routers.
  • Establish a software allowlist that executes only legitimate applications.

Patch and update

  • Conduct regular vulnerability assessments.
  • Perform patching or virtual patching for operating systems and applications.
  • Update software and applications to their latest versions.

Protect and recover

  • Implement data protection, backup, and recovery measures.
  • Enable multifactor authentication (MFA).

Secure and defend

  • Employ sandbox analysis to block malicious emails.
  • Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network.
  • Detect early signs of an attack such as the presence of suspicious tools in the system.
  • Use advanced detection technologies such as those powered by artificial intelligence (AI) and machine learning (ML).

Train and test

  • Regularly train and assess employees in security skills.
  • Conduct red-team exercises and penetration tests.
  • A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.

A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.

  • Trend Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before ransomware can do irreversible damage to the system.
  • Trend Micro Cloud One™ – Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
  • Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
  • Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.

Indicators of compromise (IOCs)

The IOCs for the threat discussed in this article can be found here. Actual indicators might vary per attack.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.