Threat Profile: Rhysida Ransomware – SOCRadar® Cyber Intelligence Inc.

Rhysida Ransomware Group emerged in May 2023 as a Ransomware-as-a-Service (RaaS) operation, targeting sectors such as education and manufacturing with double extortion and public data leakage. The attackers gain initial access through phishing, deploy Cobalt Strike, encrypt data with RSA-4096 and ChaCha20, and maintain a Tor presence for victim contact and data listings.

Keypoints

  • Rhysida is a Ransomware-as-a-Service (RaaS) group that emerged in late May 2023 and has attacked education, manufacturing, and government sectors.
  • Primary attack methods include deployment via Cobalt Strike and phishing campaigns, with ransom notes delivered as PDFs.
  • The group uses double-extortion tactics, threatening public distribution of exfiltrated data and operating a Tor page for victim contact and data auctions.
  • Encryption uses a 4096-bit RSA key with ChaCha20; the ransom note text is embedded in the binary in clear text and written out as a PDF.
  • Targets span North America, Europe, and Australia, with notable victims including the Chilean Army and the University of the West of Scotland.
  • A joint advisory from CISA, FBI, and MS-ISAC outlines IOCs, TTPs, and mitigation strategies; a free Windows decryption tool has since been released for Rhysida.
  • Rhysida’s alleged connection to Vice Society and the group’s use of Tor for data leaks highlight overlaps in tactics and infrastructure among education-focused actors.

MITRE Techniques

  • [T1566] Phishing – Initial access via phishing campaigns. “phishing campaigns for initial access.”
  • [T1133] External Remote Services – Use of external-facing remote services for initial access. “external-facing remote services and exploiting vulnerabilities like Zerologon (CVE-2020-1472) and phishing campaigns for initial access.”
  • [T1078] Valid Accounts – Authentication to internal VPN access points using compromised credentials. “authenticate to internal VPN access points using compromised credentials.”
  • [T1021.001] Remote Services: Remote Desktop Protocol – Lateral movement via RDP connections. “creating Remote Desktop Protocol (RDP) connections for lateral movement.”
  • [T1059] Command and Scripting Interpreter – Command-line activity and scripting used during execution. “getting output from the command line, which apparently scans the files, runs the ‘file_to_crypt’ function.”
  • [T1486] Data Encrypted for Impact – Encryption phase using strong cryptography. “For the encryption phase, Rhysida uses a 4096-bit RSA key with the ChaCha20 algorithm.”
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration followed by public disclosure. “threatens victims with public distribution of the exfiltrated data.”

Indicators of Compromise

  • [URL] https://ipapi.com/json/ (public IP geolocation API)
  • [Hash (SHA-256)] a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6, 6903b00a15eff9b494947896f222bd5b093a63aa1f340815823645fd57bd61de
  • [Hash (SHA-1)] 7abc07e7f56fc27130f84d1c7935a0961bd58cb9
  • [Hash (MD5)] 59a9ca795b59161f767b94fc2dece71a
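The following is an added example of how a responder would sweep for the indicators listed above; it is not SOCRadar tooling and not taken from the profile. It hashes every file under a root once (MD5, SHA-1 and SHA-256 from the same read) and reports any digest found in the indicator set, then checks proxy log lines for the ipapi.com host. The sample files and log lines are constructed inline so the script runs offline; the planted digest in `demo()` is added to the indicator set only so the sweep has something to find.

```python
"""Offline IOC sweep for the Rhysida indicators listed in the profile above.

Added example, not SOCRadar code. File digests are computed in one pass per
file; network indicators are matched against constructed proxy log lines.
"""
import hashlib
import os
import re
import tempfile

# Hash indicators copied from the profile (lower-case hex).
RHYSIDA_HASHES = {
    "a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6",  # SHA-256
    "6903b00a15eff9b494947896f222bd5b093a63aa1f340815823645fd57bd61de",  # SHA-256
    "7abc07e7f56fc27130f84d1c7935a0961bd58cb9",                          # SHA-1
    "59a9ca795b59161f767b94fc2dece71a",                                  # MD5
}

# Network indicator from the profile (host part of https://ipapi.com/json/).
RHYSIDA_HOSTS = {"ipapi.com"}

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> dict:
    """Return {algo: hexdigest} for all three algorithms over one buffer."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file with all three algorithms in a single pass over its bytes."""
    hashers = {algo: hashlib.new(algo) for algo in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def scan_tree(root: str, indicators: set) -> list:
    """Walk `root`; return (path, algo, digest) for every file whose digest is an indicator."""
    wanted = {h.lower() for h in indicators}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            for algo, digest in digests.items():
                if digest in wanted:
                    hits.append((path, algo, digest))
    return hits


# Host token inside a URL or a bare host[:port] field of a proxy log line.
_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def find_network_hits(log_lines, hosts: set) -> list:
    """Return (line_no, host) for lines whose host equals an indicator or is a subdomain of one."""
    hosts = {h.lower() for h in hosts}
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in _HOST_RE.finditer(line):
            host = m.group(1).lower()
            if host in hosts or any(host.endswith("." + h) for h in hosts):
                hits.append((n, host))
                break  # one hit per line is enough for triage
    return hits


def demo() -> dict:
    """Run both checks over constructed input and return the findings."""
    sample_log = [  # constructed proxy log lines, not real traffic
        "2023-06-01T10:00:00Z 10.0.0.5 GET https://www.example.com/ 200",
        "2023-06-01T10:00:02Z 10.0.0.5 GET https://ipapi.com/json/ 200",
        "2023-06-01T10:00:03Z 10.0.0.7 CONNECT api.ipapi.com:443 200",
    ]
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"nothing to see here\n")
        # Constructed stand-in: its digest is planted into the indicator set so the
        # sweep has a hit. A real sweep uses RHYSIDA_HASHES alone.
        planted = os.path.join(root, "suspicious.exe")
        with open(planted, "wb") as fh:
            fh.write(b"constructed stand-in for a Rhysida sample\n")
        indicators = RHYSIDA_HASHES | {hash_file(planted)["sha256"]}
        file_hits = scan_tree(root, indicators)
    return {"files": [(os.path.basename(p), algo) for p, algo, _ in file_hits],
            "network": find_network_hits(sample_log, RHYSIDA_HOSTS)}


if __name__ == "__main__":
    print(demo())
```

Hashing all three algorithms from one read matters on large shares: the indicator list mixes MD5, SHA-1 and SHA-256, and three separate passes triple the I/O on the hosts you are already worried about. The host match deliberately accepts subdomains but rejects look-alikes such as notipapi.com.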

Read more: https://socradar.io/threat-profile-rhysida-ransomware/