![]() Once the key and IV are encrypted, Rhysida will proceed to encrypt the file using LibTomCrypt’s ctr_encrypt function.The generated key and IV are then encrypted with the rsa_encrypt_key_ex function.It will use the ctr_start function to initialize the cipher that will be used, which is aes (from the variable CIPHER), in counter or CTR mode.After it reads file contents for encryption, it will use the initialized PRNG’s function, chacha20_prng_read, to generate both a key and an IV that are unique for each file.It will use the find_cipher function to store the algorithm to be used (still aes), in the variable CIPHER.Īfterward, it will proceed to also register and declare aes for its Cipher Hash Construction (CHC) functionalities.īased on our analysis, Rhysida’s encryption routine follows these steps:.It will use the register_cipher function to “register” the algorithm (in this case, aes), to its table of usable ciphers.Malware: RHYSIDA, SILENTKILL, Cobalt StrikeĪfter the PRNG is initialized, Rhysida then proceeds to import the embedded RSA key and declares the encryption algorithm it will use for file encryption:.Summary of malware and tools used by Rhysida The ransom demand comes in the form of a “unique key” designed to restore encrypted files, which must be paid for by the victim. This ransom note is fairly unusual - instead of an outright ransom demand as seen in most ransom notes from other ransomware families, the Rhysida ransom note is presented as an alert from the Rhysida “cybersecurity team” notifying victims that their system has been compromised and their files encrypted. rhysida extension and drops the ransom note CriticalBreachDetected.pdf. After successful encryption, it appends the. Rhysida ransomware employs a 4096-bit RSA key and AES-CTR for file encryption, which we discuss in detail in a succeeding section. Interestingly, it appears that the script (g.ps1) was updated by the threat actors during execution, eventually leading us to a PowerShell version of the Rhysida ransomware. The PowerShell script (g.ps1), detected as, is used by the threat actors to terminate antivirus-related processes and services, delete shadow copies, modify remote desktop protocol (RDP) configurations, and change the active directory (AD) password. Rhysida ransomware usually arrives on a victim’s machine via phishing lures, after which Cobalt Strike is used for lateral movement within the system.Īdditionally, our telemetry shows that the threat actors execute PsExec to deploy PowerShell scripts and the Rhysida ransomware payload itself. The threat actor also targets organizations around the world, with SPN data showing several countries where Rhysida binaries were detected, including Indonesia, Germany, and the United States. This includes a recent incident involving Prospect Medical Holdings, a California-based healthcare system, that occurred in early August (although the group behind the attack has yet to be named as of writing).ĭata from Trend Micro™ Smart Protection Network™ (SPN) shows a similar trend, where detections from May to August 2023 show that its operators are targeting multiple industries rather than focusing on just a single sector. The healthcare industry has seen an increasing number of ransomware attacks over the past five years. Who are Rhysida’s targets?Īs mentioned earlier, Rhysida, which was previously known for targeting the education, government, manufacturing, and tech industries, among others - has begun conducting attacks on healthcare and public health organizations. In fact, the group’s first appearance involved the use of a victim chat support portal. According to the HC3 alert, Rhysida poses itself as a “cybersecurity team” that offers to assist victims in finding security weaknesses within their networks and system. ![]() Not much is currently known about the threat actors behind Rhysida in terms of origin or affiliations. In this blog entry, we will provide details on Rhysida, including its targets and what we know about its infection chain. ![]() On August 4, 2023, the HHS’ Health Sector Cybersecurity Coordination Center (HC3) released a security alert about a relatively new ransomware called Rhysida (detected as ), which has been active since May 2023. EDT: We updated the entry to include Trend XDR workbench alerts for Rhysida and its components. EDT: We updated the entry to include an analysis of current Rhysida ransomware samples’ encryption routine. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |