What is Rhysida Ransomware?
Rhysida ransomware first appeared in May 2023. It is run as a double-extortion operation: it encrypts a victim's data and also steals it beforehand, then threatens to publish the stolen data on the dark web if the ransom isn't paid.
Its origin has not been confirmed. Many analysts link it to an established cybercriminal group based in Eastern Europe with a history of advanced malware campaigns, and researchers have noted overlaps in tooling and targeting with the Vice Society group, which is one reason Rhysida is treated as a serious threat rather than a one-off.
Figure 1: Screenshot of Leak Site used by Rhysida Ransomware
The Rhysida operators run a leak site on the dark web where they list victims who refuse to pay and publish or auction the data stolen from them. This tactic is meant to publicly shame these organizations and put extra pressure on them to pay up.
Figure 2: Screenshot of Ransom Note used by Rhysida Ransomware
The Rhysida ransom note is itself a social-engineering device. It is dropped as a PDF named CriticalBreachDetected.pdf and is written as if it were a security alert from a "cybersecurity team" that has discovered a critical breach, rather than as a straightforward ransom demand; the victim is then offered the decryption key in exchange for payment. Treat this framing as a ploy: paying does not guarantee that the data will be decrypted, and the attackers already hold whatever they exfiltrated.
What are Tactics, Techniques, and Procedures (TTPs) of Rhysida Ransomware?
Rhysida operators use a range of tactics, techniques, and procedures (TTPs) across the whole intrusion, from initial access to extortion:
- Phishing Attacks: Sends deceptive emails that mimic legitimate business communications to trick users into clicking malicious links or opening infected attachments.
- Exploiting Unpatched Vulnerabilities: Targets unpatched software vulnerabilities to gain unauthorized access, which makes timely patching a direct defense.
- RDP Exploitation: Takes advantage of weak Remote Desktop Protocol (RDP) configurations, such as exposed services with weak or reused credentials, to access systems remotely.
- Supply Chain Attacks: Compromises vendors and service providers to reach a broader set of victims through trusted connections.
- Lateral Movement: Once inside, the operators spread across the network, compromising more systems and escalating privileges.
- Data Exfiltration: Steals sensitive data before encryption so that the leak threat adds pressure on victims to pay the ransom.
- Strong Encryption: Encrypts files with ChaCha20, protects the key material with a 4096-bit RSA key, and appends the .rhysida extension; without the attackers' private key, recovery from the encrypted files alone is not feasible, so restoration depends on offline backups.
Rhysida actors have been known to exploit external-facing remote services, such as virtual private networks (VPNs), to gain initial access and maintain persistence within networks. They often authenticate to internal VPN access points with stolen credentials, which succeeds far more easily when organizations have not enforced multi-factor authentication (MFA) on those services. Once inside, they have been observed exploiting the Zerologon vulnerability (CVE-2020-1472) in Microsoft's Netlogon Remote Protocol to escalate privileges to domain administrator, and they also use phishing to gain initial access.
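The access and escalation signals described above lend themselves to a simple log-hunting pass. The Python below is an added example, not code from the original article or from any vendor; its log formats, host names and sample events are constructed assumptions, and the event 4742 rule is a commonly used Zerologon hunting heuristic (a machine-account password reset performed by ANONYMOUS LOGON) rather than a definitive indicator.

```python
"""Hypothetical hunting pass for the Rhysida TTPs described above.

Added example, not code from the original article or from any vendor.
It scans constructed log lines (nothing here is real telemetry) for three
signals: a successful VPN logon with no MFA factor, a Security event 4742
in which ANONYMOUS LOGON resets a machine account password (a widely used
Zerologon heuristic), and file activity naming the ransom note or the
.rhysida extension. The log formats are assumed; adapt parse_event() to
your own sources.
"""
import re

# Constructed sample events. Format 1: simplified VPN gateway syslog.
# Format 2: flattened Windows Security events as key=value pairs.
SAMPLE_EVENTS = [
    "vpn-gw01 auth user=jsmith src=203.0.113.45 result=SUCCESS mfa=none",
    "vpn-gw01 auth user=akim src=198.51.100.7 result=SUCCESS mfa=push",
    "vpn-gw01 auth user=bob src=203.0.113.45 result=FAILURE mfa=none",
    "EventID=4742 SubjectUserName=ANONYMOUS LOGON TargetUserName=DC01$ Computer=DC01.corp.example",
    "EventID=4742 SubjectUserName=DC01$ TargetUserName=DC01$ Computer=DC01.corp.example",
    "EventID=4663 ObjectName=C:\\Users\\Public\\CriticalBreachDetected.pdf AccessMask=0x2",
    "EventID=4663 ObjectName=C:\\Finance\\Q3-forecast.xlsx.rhysida AccessMask=0x2",
    "EventID=4663 ObjectName=C:\\Finance\\Q3-forecast.xlsx AccessMask=0x1",
]

# key=value pairs; a value runs until the next " key=" so that values
# containing spaces (ANONYMOUS LOGON) survive intact.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

RANSOM_NOTE = "criticalbreachdetected.pdf"   # note name used by Rhysida
ENCRYPTED_EXT = ".rhysida"                    # extension appended to encrypted files


def parse_event(line):
    """Return the key=value fields of one log line as a dict."""
    return {k: v for k, v in KV_RE.findall(line)}


def rule_vpn_without_mfa(ev):
    """Successful VPN logon where the gateway recorded no second factor."""
    if ev.get("result") == "SUCCESS" and ev.get("mfa", "none") == "none" and "user" in ev:
        return f"VPN logon without MFA: user={ev['user']} src={ev.get('src')}"
    return None


def rule_zerologon_password_reset(ev):
    """Event 4742 (computer account changed) performed by ANONYMOUS LOGON.

    A legitimate machine-account password change is made by the account
    itself; an anonymous subject resetting a DC's account is the classic
    footprint of CVE-2020-1472 abuse.
    """
    if (ev.get("EventID") == "4742"
            and ev.get("SubjectUserName") == "ANONYMOUS LOGON"
            and ev.get("TargetUserName", "").endswith("$")):
        return (f"Possible Zerologon (CVE-2020-1472): {ev['TargetUserName']} "
                f"password reset by ANONYMOUS LOGON on {ev.get('Computer')}")
    return None


def rule_rhysida_file_indicators(ev):
    """File activity naming the ransom note or an encrypted-file extension."""
    name = ev.get("ObjectName", "").lower()
    if name.endswith(RANSOM_NOTE):
        return f"Rhysida ransom note written: {ev['ObjectName']}"
    if name.endswith(ENCRYPTED_EXT):
        return f"Rhysida-encrypted file written: {ev['ObjectName']}"
    return None


RULES = (rule_vpn_without_mfa, rule_zerologon_password_reset, rule_rhysida_file_indicators)


def detect(lines):
    """Run every rule over every line; return the list of alert strings in order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running it on the constructed sample yields four alerts: the MFA-less VPN logon, the anonymous reset of DC01$, the ransom note, and the .rhysida file; the failed logon, the DC's own password rotation and the untouched spreadsheet are ignored. In production the VPN rule should additionally compare the source address against the user's baseline, since stolen credentials are typically replayed from infrastructure the user has never used.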