What is Rhysida Ransomware?
Rhysida ransomware first showed up in the cybercrime scene in late 2022. It takes a ruthless approach by not only locking up a victim’s data but also threatening to publish it on the dark web if the ransom isn’t paid.
Although no one knows exactly where it came from, many believe it’s linked to a skilled cybercriminal group based in Eastern Europe. This group has been behind some advanced malware attacks in the past, which makes Rhysida an especially dangerous threat that’s hard to ignore.
Figure 1: Screenshot of Leak Site used by Rhysida Ransomware
Rhysida ransomware runs a website on the dark web where they post the names of victims who refuse to pay the ransom. This tactic is meant to publicly shame these organizations and put extra pressure on them to pay up.
Figure 2: Screenshot of Ransom Note used by Rhysida Ransomware
Rhysida's ransom note is itself deceptive. Rather than reading as a straightforward ransom demand, it is dropped as a file named "CriticalBreachDetected.txt", styled as a security alert, to persuade victims that paying a fee will restore their encrypted data. This is a misleading ploy: even after the ransom is paid, there is no guarantee that the data will be decrypted.
What are Tactics, Techniques, and Procedures (TTPs) of Rhysida Ransomware?
Rhysida ransomware employs a wide range of tactics, techniques, and procedures (TTPs) to infiltrate systems stealthily:
- Phishing Attacks: Sends deceptive emails that mimic legitimate business communications to trick users into clicking malicious links or downloading infected attachments.
- Exploiting Unpatched Vulnerabilities: Targets unpatched software vulnerabilities to gain unauthorized access, highlighting the need for regular updates.
- RDP Exploitation: Takes advantage of weak Remote Desktop Protocol (RDP) configurations to access systems remotely.
- Supply Chain Attacks: Compromises vendors to infiltrate a broader network of victims.
- Lateral Movement: Once inside, it spreads across the network, compromising more systems and escalating privileges.
- Data Exfiltration: Steals sensitive data before encryption to increase pressure on victims to pay the ransom.
- Strong Encryption: Utilizes powerful encryption algorithms, making it nearly impossible to recover data without the attacker's decryption key.
Rhysida actors have been known to exploit external-facing remote services, such as virtual private networks (VPNs), to gain initial access and maintain persistence within networks. They often authenticate to internal VPN access points using stolen credentials, a tactic made easier when organizations do not have multi-factor authentication (MFA) enabled. Additionally, these attackers have been observed exploiting the Zerologon vulnerability (CVE-2020-1472) in Microsoft's Netlogon Remote Protocol for privilege escalation and have also used phishing attacks to infiltrate networks.
What is the Kill Chain of Rhysida Ransomware?
Figure 3: Rhysida Ransomware Kill Chain
The kill chain in Figure 3 breaks down the tactics, techniques, and procedures (TTPs) used in Rhysida attacks. It starts with Initial Access through External Remote Services (T1133): Rhysida actors gain unauthorized access via external connections such as VPNs.
Indicators of Compromise (IOCs)

| Indicators | Indicator Type | Description |
| --- | --- | --- |
| hxxp://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion/ | URLs (Onion) | Leak Site |
| hxxp://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion/archive.php | URLs (Onion) | Leak Site |
| hxxp://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion/archive.php?auction | URLs (Onion) | Leak Site |
| hxxp://rhysidafc6lm7qa2mkiukbezh7zuth3i4wof4mh2audkymscjm6yegad.onion/ | URLs (Onion) | Leak Site |
Next, they establish Persistence using Scheduled Tasks (T1053.005) to ensure continued access to the compromised system. To avoid detection, Rhysida employs Defence Evasion techniques, including Indicator Removal (T1070.004) by deleting files and modifying file permissions (T1222.002) to hide their activities. For Discovery, they perform File and Directory (T1083) and System Information (T1082) discovery to gather knowledge about the compromised environment.
Finally, the Impact phase involves encrypting the victim's data (T1486) to hold it for ransom, completing their attack cycle. This kill chain demonstrates Rhysida's methodical approach to infiltrating, maintaining access, and causing disruption to victim organizations.
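As an added defender-side example (not code from this page or from Red Piranha), the following Python script runs simple detection rules over constructed Windows Security-log style events and tags hits with the kill-chain technique IDs, the Zerologon CVE, and the ransom-note filename given above; the event field names and sample values are assumptions, not real telemetry.

```python
"""Map Windows Security-log style events onto the Rhysida kill-chain stages
described above. Sample events, field names and rules are constructed for
illustration, not real telemetry or a vendor's detection content."""
from collections import defaultdict

# Constructed sample events. Event IDs follow the Windows Security log
# (4624 = logon, 4742 = computer account changed, 4698 = scheduled task
# created, 4663 = object access); "host", "subject", "target", "task" and
# "path" are assumed field names.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "WS07", "subject": "CORP\\jdoe", "logon_type": 2},
    {"id": 4742, "host": "DC01", "subject": "ANONYMOUS LOGON", "target": "DC01$"},
    {"id": 4698, "host": "WS07", "subject": "CORP\\svc_backup", "task": "\\SysHealth"},
    {"id": 4663, "host": "WS07", "subject": "CORP\\svc_backup",
     "path": "C:\\Users\\a\\Documents\\CriticalBreachDetected.txt"},
    {"id": 4663, "host": "WS07", "subject": "CORP\\svc_backup",
     "path": "C:\\Share\\CriticalBreachDetected.txt"},
]

def detect(events):
    """Return (technique_or_cve, host, reason) findings in detection order."""
    findings = []
    note_writes = defaultdict(int)  # host -> ransom-note writes seen
    for ev in events:
        eid, host = ev["id"], ev["host"]
        if (eid == 4742 and ev.get("subject") == "ANONYMOUS LOGON"
                and ev.get("target", "").endswith("$")):
            # Zerologon (CVE-2020-1472) abuse resets a machine-account
            # password; the DC's own account changed by ANONYMOUS LOGON
            # is the classic post-exploitation trace.
            findings.append(("CVE-2020-1472", host,
                             f"machine account {ev['target']} changed by ANONYMOUS LOGON"))
        elif eid == 4698:
            # Persistence via Scheduled Task (T1053.005).
            findings.append(("T1053.005", host,
                             f"scheduled task {ev['task']} created by {ev['subject']}"))
        elif eid == 4663 and ev.get("path", "").lower().endswith(
                "criticalbreachdetected.txt"):
            # Ransom-note drops accompany encryption (T1486); count per host.
            note_writes[host] += 1
    for host, n in note_writes.items():
        findings.append(("T1486", host,
                         f"ransom note CriticalBreachDetected.txt written {n} times"))
    return findings

if __name__ == "__main__":
    for technique, host, reason in detect(SAMPLE_EVENTS):
        print(f"{technique:14} {host:5} {reason}")
```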
How Does Red Piranha Detect and Prevent Rhysida Ransomware Attacks?
Red Piranha’s Crystal Eye, a best-in-class Threat Detection, Investigation and Response (TDIR) platform, utilizes a multi-layered defence strategy to effectively detect and prevent the tactics, techniques, and procedures (TTPs) used by Rhysida Ransomware.
With enhanced threat visibility through integrated Cyber Threat Intelligence (CTI) and machine learning-driven anomaly detection, it can identify suspicious behaviour early on. Crystal Eye’s network detection and response (NDR) continuously monitors traffic, detecting potential ransomware actions such as lateral movement and data exfiltration. Additionally, the platform’s Zero Trust architecture, combined with micro-segmentation, prevents unauthorized access, limiting the spread of Rhysida within networks and reducing the attack surface.
For instance, Red Piranha’s TDIR can detect and prevent Rhysida ransomware attacks by leveraging its advanced detection and response capabilities across the entire network. With features like 10x Increased Visibility, Proactive Threat Hunting, and 24/7 Monitoring, the platform detects key Rhysida tactics like phishing, lateral movement, and RDP exploitation early.
The Zero Trust architecture limits unauthorized access, and network segmentation helps prevent the ransomware from spreading. Integrated Threat Intelligence and machine learning-driven anomaly detection enable rapid identification of malicious behaviour, while automated responses mitigate the attack before it escalates.
Rhysida’s reliance on exploiting unpatched vulnerabilities, weak remote services, and lateral movement is thwarted by Crystal Eye’s Vulnerability Management, East-West Traffic Control, and PCAP Analysis, which provide continuous monitoring, patch enforcement, and visibility into network activities.
These capabilities ensure that even advanced techniques, such as exploiting VPNs or Zerologon vulnerabilities, are addressed, preventing Rhysida from gaining a foothold or maintaining persistence within the network. Crystal Eye’s 24/7 SOC support also allows for rapid response and incident containment, reducing the overall risk of ransomware impact.
Crystal Eye’s Network Detection and Response (NDR) utilizes machine learning, advanced analytics, and rule-based detection to spot anomalies and suspicious behaviour across networks, providing protection against zero-day threats, known malware, and advanced persistent threats (APTs).
By integrating Crystal Eye’s Passive Encryption Control with Zero Trust principles, organizations can establish custom security zones to ensure proper network segmentation and access management. This approach strengthens their security posture and reduces the risk of data exfiltration through covert channels.
Crystal Eye continuously monitors network traffic, identifying any deviations from the established baseline of device encryption software. This triggers events that support Moving Target Defense strategies. In IoT/OT environments, it detects potentially malicious activity and alerts users to take action or automatically blocks the device from network communication, while still allowing the device to function.
Crystal Eye prevents Rhysida ransomware by combining automated detection, proactive security measures, and on-demand incident response, all while ensuring compliance and lowering the total cost of ownership for organizations.
Does detecting malicious activity pose a significant challenge for your organisation?
Crystal Eye, a best-in-class Threat Detection, Investigation and Response (TDIR) platform, lets you catch what other products in its class miss by detecting all known malware and C2 callouts.
Improve your organisation's security posture and minimise risk to your organisation with our Network Detection and Response program alongside the Managed Detection and Response (MDR) service.