Rhysida Ransomware: The Silent Serpent

Overview

• Sophisticated understanding of Windows systems and network administration.
• High level of technical skill and adaptability.
• Financially driven motive (RaaS model).
• Targets of opportunity (various sectors).
• Uses Tor-based communication for anonymity and evasion.
• Uses many legitimate tools for malicious purposes.

Known Aliases:

• Rhysida
• Potential connection or overlap with Vice Society (DEV-0832).

Country of Origin:

• Unknown

Known High-Profile/Notable Attacks/Victims:

• British Library cyberattack (2023): A notable attack resulting in data encryption and disruption.
• Insomniac Games data dump (2023): Leaked details of Marvel’s Wolverine game and employee information.
• Chilean army (2023): Chilean army Targeted by the Rhysida group.
• City of Columbus, Ohio (July 2024): Over 3 TB of data released on the dark web after a failed extortion attempt of $1.7M (30 Bitcoin).
• Seattle-Tacoma International Airport (August 2024): Suffered a cyberattack attributed to Rhysida.
• Rutherford County Schools (Tennessee, November 2024): Data stolen and apparently sold by the attackers.

Common Methods of Infiltration:

• Exploitation of Vulnerabilities:
  • Zerologon (CVE-2020-1472) in Microsoft’s Netlogon Remote Protocol.
• Compromised Credentials:
  • Used to authenticate to internal VPN access points.
• Phishing:
  • Successful phishing campaigns are a key initial access vector.
• Ransomware-as-a-Service (RaaS):
  • Leases tools and infrastructure to affiliates.
• Lateral Movement:
  • RDP connections.
  • VPN access.
  • PowerShell scripts.
  • PsExec for remote execution.
• Living off the Land:
  • Uses built-in Windows tools (ipconfig, whoami, nltest, net commands).

Malware/Ransomware Strain(s) Used:

• Rhysida ransomware:
  • 64-bit Windows executable.
  • Compiled using MinGW and GCC.
  • 4096-bit RSA encryption key with ChaCha20 algorithm.
  • “.rhysida” file extension.
• Ransom note: PDF file named “CriticalBreachDetected.”

Tools Of Trade

Command-Line Utilities and Scripting:

• cmd.exe: The native Windows command prompt. Used for executing commands and scripts. Its ubiquity makes detection of malicious use challenging.
• PowerShell.exe: A powerful scripting tool native to Windows. Used for various malicious activities, including reconnaissance, lateral movement, and execution of other tools. Its flexibility makes it a favorite among threat actors.
• Batch Scripts (.bat): Simple scripts used for automating tasks. Rhysida uses these to orchestrate the ransomware deployment process, copying malicious executables and initiating encryption.

Remote Access and Execution:

• PsExec.exe (from PsTools): A tool for executing processes remotely. Heavily leveraged by Rhysida for lateral movement and remote code execution across the victim’s network. Its ability to bypass some security measures makes it particularly dangerous.
• mstsc.exe: The native Remote Desktop Protocol (RDP) client. Used to establish RDP connections for remote access and control of compromised systems.
• PuTTY.exe: An SSH client. Used to establish SSH connections for lateral movement, indicating potential compromise of systems beyond Windows environments.
• AnyDesk: Remote desktop software, commonly used legitimately but also easily abused for malicious remote access and persistence.

Information Gathering and Reconnaissance:

• ipconfig: A standard Windows command-line utility for displaying network configuration information. Used by Rhysida for network reconnaissance.
• whoami: Displays the currently logged-in user’s account information. Used for reconnaissance to understand the privileges of the compromised account.
• nltest: A command-line tool for testing network connectivity and domain trust relationships. Used for network mapping and reconnaissance.
• net commands: A suite of commands for managing network resources (users, groups, shares, etc.). Used to enumerate users, groups, and computers within the victim’s domain, gathering valuable information for further exploitation.
• PowerView: A PowerShell-based tool for gaining situational awareness of Windows domains. Used for advanced reconnaissance and credential harvesting.

Data Extraction and Manipulation:

• secretsdump: Extracts credentials and other sensitive information from a system’s memory. Used for credential harvesting, particularly targeting the NTDS database (Active Directory).
• ntdsutil.exe: A standard Windows tool for interacting with the NTDS database. Used by Rhysida to dump the NTDS.dit database, potentially obtaining hashes for all Active Directory users. This requires high-level domain privileges.
• wevtutil.exe: A Windows Event Utility tool for viewing event logs. Used to clear event logs, attempting to cover the attackers’ tracks and hinder incident response efforts.

Custom Tools:

• PortStarter: A custom backdoor script (written in Go) for modifying firewall settings and opening ports to communicate with command-and-control (C2) servers. This allows persistent access even after initial compromise.
• Tools with “Rhysida-0.1” in their names: Custom tools developed by the threat actors, indicating a level of sophistication and potentially custom capabilities beyond readily available tools.

MITRE ATT&CK Tactics and Techniques

Initial Access:

• T1078: Valid Accounts: The attackers use compromised legitimate user accounts to gain initial access to the network, often via VPN. This highlights the critical need for strong password hygiene and MFA.
• T1190: Exploit Public-Facing Application: The exploitation of Zerologon (CVE-2020-1472) falls under this technique. This emphasizes the importance of timely patching of vulnerabilities.
• T1566: Phishing: Successful phishing attacks are used as an initial access vector, demonstrating the ongoing effectiveness of social engineering attacks.

Execution:

• T1059.003: PowerShell: PowerShell is used for various malicious activities, including executing other tools and scripts. Its versatility makes it a popular choice for threat actors.

Persistence:

• T1219: Remote Access Software: The use of AnyDesk for remote access demonstrates the attackers’ efforts to maintain persistent access to the victim’s network.

Privilege Escalation:

• T1078: Valid Accounts (again): While listed under initial access, gaining access to accounts with higher privileges is also a form of privilege escalation.

Defense Evasion:

• T1070.001: Indicator Removal on Host: The clearing of Windows event logs using wevtutil.exe is an attempt to hinder incident response and investigation efforts.

Credential Access:

• T1003.003: OS Credential Dumping: The use of secretsdump and ntdsutil.exe to extract credentials from the system and Active Directory is a key tactic for gaining further access and control.

Discovery:

• T1016: System Information Discovery: Using commands like ipconfig and whoami gathers information about the compromised system and network.
• T1033: Account Discovery: Identifying logged-in users and network accounts provides valuable information for lateral movement.
• T1087.002: Account Discovery: Using net user commands to gather information about user accounts.
• T1018: Group Policy Discovery: Using net group commands to discover group memberships (domain computers, domain admins).
• T1069.002: Domain Group Discovery: Similar to above, focusing on domain groups.
• T1069.001: Local Group Discovery: Discovering local administrator groups.
• T1482: Network Share Discovery: Using nltest and other tools to discover network shares.

Lateral Movement:

• T1021.001: Remote Services: Using RDP and VPN connections for lateral movement within the network.
• T1021.004: Remote Services: Using SSH (PuTTY) for lateral movement