#StopRansomware: Rhysida Ransomware | CISA

The FBI, CISA, and MS-ISAC release a joint Cybersecurity Advisory detailing Rhysida ransomware IOCs and TTPs observed through investigations up to September 2023, including initial access via external-facing remote services, Zerologon exploitation, and phishing, plus living-off-the-land techniques and encryption with double extortion. The advisory also notes links to Vice Society and a ransomware-as-a-service (RaaS) model, and provides mitigations and defense recommendations for affected sectors.
#Rhysida #ViceSociety #RaaS #Zerologon #OnionMail

Keypoints

  • Rhysida is a ransomware variant observed since May 2023, targeting education, healthcare, manufacturing, IT, and government sectors.
  • Initial access commonly occurs via exposed remote services (VPNs) with compromised credentials and through Zerologon vulnerabilities and phishing.
  • Living-off-the-land techniques are used, including RDP for lateral movement, VPN, PowerShell, and in-depth system enumeration (ipconfig, whoami, nltest, net commands).
  • Rhysida repurposes legitimate tools (cmd.exe, PowerShell, PsExec, mstsc, PuTTY, AnyDesk) to execute, move laterally, or maintain persistence.
  • Encryption uses a 4096-bit RSA key with ChaCha20, appends .Rhysida to encrypted files, and follows with a ransom note and double extortion (data theft threat).
  • IOCs include C2 IPs, Onion Mail addresses, and a set of malicious files/executables listed in the report.

MITRE Techniques

  • [T1587] Develop Capabilities – Rhysida actors have been observed developing resources and custom tools, particularly with program names set to “Rhysida-0.1” to gain access to victim systems. ‘Rhysida actors have been observed developing resources and custom tools, particularly with program names set to “Rhysida-0.1” to gain access to victim systems.’
  • [T1078] Valid Accounts – Rhysida actors are known to use valid credentials to access internal VPN access points of victims. ‘Rhysida actors are known to use valid credentials to access internal VPN access points of victims.’
  • [T1190] Exploit Public-Facing Application – Exploiting Zerologon, a critical elevation of privilege vulnerability in Microsoft’s Netlogon Remote Protocol. ‘Exploiting Zerologon, a critical elevation of privilege vulnerability in Microsoft’s Netlogon Remote Protocol.’
  • [T1566] Phishing – Rhysida actors are known to conduct successful phishing attacks. ‘Phishing’
  • [T1059.001] PowerShell – PowerShell commands (ipconfig, nltest, net) and various scripts to execute malicious actions. ‘PowerShell commands (ipconfig, nltest, net) and various scripts to execute malicious actions.’
  • [T1059.003] Windows Command Shell – Batch scripting to place 1.ps1 on victim systems to automate ransomware execution. ‘batch scripting to place 1.ps1 on victim systems to automate ransomware execution.’
  • [T1021.001] Remote Services: Remote Desktop Protocol – RDP for lateral movement. ‘Remote Desktop Protocol (RDP) … lateral movement.’
  • [T1021.004] Remote Services: SSH – PuTTY used to remotely connect to victim systems via SSH. ‘PuTTy to remotely connect to systems via SSH [T1021.004].’
  • [T1219] Remote Access Software – AnyDesk used to obtain remote access and maintain persistence. ‘AnyDesk … to obtain remote access to victim systems and maintain persistence.’
  • [T1486] Data Encrypted for Impact – Encrypts data using a 4096-bit RSA key with ChaCha20; extension .Rhysida. ‘encrypted victim data using a 4096-bit RSA encryption key that implements a ChaCha20 algorithm.’
  • [T1657] Financial Theft – Double extortion; ransom demanded with threats to publish exfiltrated data. ‘double extortion’ … ‘ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data’
  • [T1003.003] OS Credential Dumping: NTDS – Secretsdump to extract credentials and NTDS credentials. ‘secretsdump to extract credentials and other confidential information from a system, then dumping the NTDS credentials.’
  • [T1112] Modify Registry – Registry modification commands via cmd.exe. ‘registry modification commands via cmd.exe.’
  • [T1016] System Network Configuration Discovery – ipconfig to enumerate network settings. ‘ipconfig to enumerate victim system network settings.’
  • [T1018] Remote System Discovery – net group “domain computers” /domain to enumerate servers. ‘net group “domain computers” /domain to enumerate servers on a victim domain.’
  • [T1033] System Owner/User Discovery – whoami and net commands to identify logged-in users. ‘whoami … to identify logged-in users.’
  • [T1069.001] Permission Groups Discovery: Local Groups – net localgroup administrators to identify local admins. ‘net localgroup administrators’
  • [T1069.002] Permission Groups Discovery: Domain Groups – net group “domain admins” /domain to identify domain admins. ‘net group “domain admins” /domain’
  • [T1087.002] Account Discovery: Domain Account – net user [username] /domain to identify domain accounts. ‘net user [username] /domain’
  • [T1482] Domain Trust Discovery – nltest to enumerate domain trusts. ‘nltest to enumerate domain trusts.’
  • [T1055.002] Process Injection: Portable Executable Injection – Injected a Windows 64-bit PE cryptographic ransomware into running processes. ‘injected a Windows 64-bit PE cryptographic ransomware application into running processes.’
  • [T1070.001] Indicator Removal: Clear Windows Event Logs – Used wevtutil.exe to clear event logs. ‘clear Windows event logs, including system, application, and security logs.’
  • [T1070.004] Indicator Removal: File Deletion – PowerShell commands to delete binary strings. ‘delete binary strings.’
  • [T1564.003] Hide Artifacts: Hidden Window – Hidden PowerShell windows. ‘executed hidden PowerShell windows.’
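The discovery, log-clearing and hidden-window techniques listed above map onto a small set of process command lines, which makes them a natural target for process-creation telemetry hunting. The following detector is an added example written for this page, not code from CISA or the advisory; the `host|user|cmdline` record format, the regexes and the "three distinct discovery techniques from one host" threshold are assumptions, and the sample records are constructed.

```python
import re
from collections import defaultdict

# Patterns derived from the command lines the advisory attributes to Rhysida,
# keyed by the MITRE IDs listed on this page. The regexes are assumptions.
RULES = [
    ("T1016",     re.compile(r"\bipconfig\b", re.I)),
    ("T1033",     re.compile(r"\bwhoami\b", re.I)),
    ("T1482",     re.compile(r"\bnltest\b", re.I)),
    ("T1018",     re.compile(r'\bnet\s+group\s+"?domain computers"?\s+/domain', re.I)),
    ("T1069.002", re.compile(r'\bnet\s+group\s+"?domain admins"?\s+/domain', re.I)),
    ("T1069.001", re.compile(r"\bnet\s+localgroup\s+administrators\b", re.I)),
    ("T1087.002", re.compile(r"\bnet\s+user\s+\S+\s+/domain\b", re.I)),
    ("T1070.001", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("T1564.003", re.compile(r"powershell.*-w(indowstyle)?\s+hidden", re.I)),
]
DISCOVERY = {"T1016", "T1033", "T1482", "T1018", "T1069.002", "T1069.001", "T1087.002"}
EVASION = {"T1070.001", "T1564.003"}

def classify(cmdline):
    """Return the technique IDs whose pattern matches one command line."""
    return [tid for tid, rx in RULES if rx.search(cmdline)]

def triage(lines):
    """lines: 'host|user|cmdline' records (assumed format).
    Returns ({host: set_of_technique_ids}, [(host, alert_kind), ...])."""
    hits = defaultdict(set)
    alerts = []
    for line in lines:
        host, _user, cmd = line.split("|", 2)
        for tid in classify(cmd):
            hits[host].add(tid)
            if tid in EVASION:               # log clearing / hidden window: alert alone
                alerts.append((host, tid))
    for host, tids in hits.items():
        if len(tids & DISCOVERY) >= 3:       # enumeration chain from a single host
            alerts.append((host, "discovery-chain"))
    return dict(hits), alerts

# Constructed sample records, not real telemetry
SAMPLE = [
    "ws01|alice|C:\\Windows\\System32\\cmd.exe /c whoami",
    "ws01|alice|ipconfig /all",
    "ws01|alice|nltest /domain_trusts",
    'ws01|alice|net group "domain admins" /domain',
    "ws01|alice|net localgroup administrators",
    "fs02|svc_backup|wevtutil.exe cl Security",
    "ws03|bob|notepad.exe report.txt",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE)[1]:
        print(alert)
```

A single `whoami` or `ipconfig` is routine admin activity; the value is in correlating the chain per host and treating `wevtutil cl` as a stand-alone alert.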

Indicators of Compromise

  • [IP Address] C2 IP addresses – 5.39.222[.]67, 51.77.102[.]106, and 6 more IPs (Sophos investigations)
  • [IP Address] C2 IP addresses – 108.62.118[.]136, 108.62.141[.]161, 146.70.104[.]249, 156.96.62[.]58, 157.154.194[.]6
  • [Email Address] Communication/operational accounts – rhysidaeverywhere@onionmail[.]org, rhysidaofficial@onionmail[.]org
  • [SHA256] File hashes – conhost.exe:6633fa85bb234a75927b23417313e51a4c155e12f71da3959e168851a600b010, psexec.exe:078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b
  • [SHA256] Additional hashes – S_0.bat:1c4978cd5d750a2985da9b58db137fc74d28422f1e087fd77642faa7efe7b597, 1.ps1:4e34b9442f825a16d7f6557193426ae7a18899ed46d3b896f6e4357367276183
  • [File Name] Supporting tools – Sock5.sh, PsExec64.exe, PsExec.exe (and 2 more hashes)

Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a