
Analyzing the Rhysida Ransomware: A Novice Approach with Potential

In the ever-evolving landscape of cybersecurity threats, ransomware remains a persistent menace that continues to disrupt organizations and individuals worldwide. Recently, a new variant known as Rhysida emerged, capturing the attention of analysts and researchers alike.

In this blog post, we delve into the details of the Rhysida ransomware, its shortcomings, and its potential implications for its victims. While Rhysida exhibits novice characteristics, it still manages to wreak havoc and demands our attention. While we come together across the community in Hive-IQ to understand and defend against emerging threats, let’s explore Rhysida’s key features and discuss the lessons we can learn from this ransomware. Sharing our observations and discussing the adversary techniques is our best defense to counter threats that are targeting a diverse set of industries and organizations.

Who is Rhysida Ransomware?

Rhysida Ransomware Group is an emerging cyber actor threatening governments and critical infrastructure sectors throughout North America, South America, and Europe. The group first entered the digital landscape in May 2023 with an attack against the Government of Martinique, an overseas French collectivity in the Caribbean, and has since targeted over a dozen organizations.

Their victim list, ranging from educational institutions to manufacturers to the Chilean Army, has yet to reveal how the group selects its targets; the group itself appears primarily financially motivated. While proving effective in its first month of existence, Rhysida’s ransomware package lacks commodity features, indicating the group is novice and in the early phases of its development.

How Does Rhysida Ransomware Operate?

Rhysida Ransomware gains initial access via phishing emails, as in the case of the Chilean Army breach, leveraging information from persons who pose an insider threat. From there, Rhysida deploys its package via Cobalt Strike or similar command and control (C2) systems. Upon execution, a dialog box appears on the screen as the binary issues the commands that encrypt files on the host.

In contrast to typical ransomware behavior, the Rhysida ransomware binary drops the ransom note in the form of a PDF file named “CriticalBreachDetected.pdf.” In its note, Rhysida poses as a cyber security team. The note directs the victim to access an onion link to communicate with Rhysida and provides a key to uniquely identify the victim. Some versions of the ransom note include an email.

The group threatens victims with public distribution of their exfiltrated data via auction on their dark-web leak site, bringing them in line with modern-day double-extortionist groups. Rhysida requires payment in Bitcoin for the key to unlock their data. If payment is not received, Rhysida auctions the material off to “one hand.” They claim there is “no reselling, you will be the only owner.”

Rhysida ransomware initially drops a file in the “/Users/Public” directory and later attempts to change the desktop background to “bg[.]jpg.” However, the wallpaper change never takes effect because the registry key name is misspelled (“Conttol Panel”) in the command the binary issues:
cmd[.]exe /c reg delete “HKCU\Conttol Panel\Desktop” /v Wallpaper /f

The binary then invokes PowerShell with a hidden window to begin encrypting the box:
00055380 cmd[.]exe /c start powershell[.]exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path

The binary runs without any additional command line arguments; however, it does accept the following options:

  • -d Path of directory to encrypt
  • -sr Self-Remove

The authors of the Rhysida ransomware used the LibTomCrypt open-source library to build the encryption modules in the payload. Files are encrypted with ChaCha20, and each ChaCha20 key is then encrypted with RSA-4096-OAEP. Before encrypting files on the host, the binary excludes the following directories:

  • \$Recycle.bin
  • \Documents and Settings
  • \PerfLogs
  • \Program Files
  • \Program Files (x86)
  • \ProgramData\
  • \Recovery
  • \System Volume Information

It also excludes the following file types or extensions: .bat, .bin, .cab, .cmd, .com, .cur, .diagcab, .diagcfg, .diagpkg, .drv, .dll, .exe, .hlp, .hta, .ico, .lnk, .msi, .ocx, .ps1, .psm1, .scr, .sys, .ini, .db, .url, .iso, and .cab.

Notably, the binary has no functionality to delete Microsoft Volume Shadow Copies (VSS), which can be used to restore files from the system’s own snapshots.
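The exclusion rules above determine which files on a host the binary would and would not have touched, which is useful during incident response for estimating impact and planning recovery. The following script is an added example written for this post, not code from the Rhysida binary or from TeamWorx Security: it encodes the directory and extension exclusions as reported here and classifies a constructed file inventory. Two details the write-up does not state are assumptions: that directory exclusions apply to the first path component under the drive root, and that name comparisons are case-insensitive (as NTFS names normally are).

```python
from pathlib import PureWindowsPath

# Exclusion lists as reported in the write-up (directory names normalised: no slashes).
EXCLUDED_DIRS = {
    "$recycle.bin", "documents and settings", "perflogs", "program files",
    "program files (x86)", "programdata", "recovery", "system volume information",
}
EXCLUDED_EXTS = {
    ".bat", ".bin", ".cab", ".cmd", ".com", ".cur", ".diagcab", ".diagcfg", ".diagpkg",
    ".drv", ".dll", ".exe", ".hlp", ".hta", ".ico", ".lnk", ".msi", ".ocx", ".ps1",
    ".psm1", ".scr", ".sys", ".ini", ".db", ".url", ".iso",
}

# Constructed file inventory for the example (not from a real incident).
SAMPLE_INVENTORY = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Program Files\Vendor\app.exe",
    r"C:\Users\alice\Desktop\deploy.ps1",
    r"C:\ProgramData\Vendor\config.json",
    r"C:\$Recycle.Bin\S-1-5-21-1000\old_report.docx",
    r"C:\Data\images\archive.iso",
    r"D:\share\notes.txt",
    r"C:\Users\Public\readme.md",
]


def classify(path: str):
    """Return None if the file is in scope for encryption, else the reason it is skipped.

    Assumptions (the write-up does not say): directory exclusions apply to the first
    component under the drive root, and comparisons are case-insensitive.
    """
    p = PureWindowsPath(path)
    parts = p.parts[1:] if p.anchor else p.parts  # drop "C:\" or "\" anchor
    if parts and parts[0].lower() in EXCLUDED_DIRS:
        return f"excluded_dir:{parts[0]}"
    if p.suffix.lower() in EXCLUDED_EXTS:
        return f"excluded_ext:{p.suffix.lower()}"
    return None


def triage(paths):
    """Split an inventory into files expected to be encrypted and files expected intact."""
    report = {"in_scope": [], "excluded": {}}
    for path in paths:
        reason = classify(path)
        if reason is None:
            report["in_scope"].append(path)
        else:
            report["excluded"][path] = reason
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    print(f"{len(result['in_scope'])} in scope, {len(result['excluded'])} excluded")
    for path, reason in result["excluded"].items():
        print(f"  {reason:40} {path}")
```

Run against a real file listing, the `excluded` set gives the files that should still be intact by design, and, since the write-up reports no shadow-copy deletion, existing VSS snapshots remain a second recovery path to check before any other decision is made.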

Analysis of Rhysida

Rhysida, first identified by MalwareHunterTeam on May 17th, 2023, primarily focuses its attacks on critical infrastructure, specifically the Defense Industrial Base, Communication, Education, and Manufacturing sectors within North America, Europe, and South America.

The group is likely testing its capabilities on targets of opportunity. Their most notable attack was on the Chilean Army, a branch of the Armed Forces of Chile. Days after the attack, the local media disclosed a Chilean Army Corporal was arrested and charged for his involvement in the ransomware attack. Rhysida may seek insider threats to gain initial access based on this arrest.

TeamWorx Security assesses Rhysida as novice and likely sources its code from other ransomware available in open-source repositories. The group likely pieces together multiple elements to create their package.

Utilizing the collaboration tools in Hive-IQ and the malware analysis tools in MATRIX, TeamWorx Security malware analysts identified faults and typos in strings that affect the operation of the ransomware. One example is the string “Control Panel,” misspelled as “Conttol Panel” in the command that deletes the wallpaper registry value. Further analysis of Rhysida’s malware revealed the malware errors out while changing the desktop background due to that misspelled word in the commands it issues to clear the Wallpaper and WallpaperStyle values:
cmd[.]exe /c reg delete “HKCU\Control Panel\Desktop” /v WallpaperStyle /f
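The two behaviours quoted above (the `reg delete` against the Control Panel\Desktop wallpaper values, including the misspelled variant, and the hidden-window PowerShell that removes the binary after a short sleep) are both visible in process-creation telemetry. The script below is an added detection example written for this post, not code from TeamWorx Security, Hive-IQ or MATRIX: it runs two rules over constructed sample events. The record layout (`image|parent_image|command_line`) and the self-deletion target path are assumptions, since the write-up quotes the PowerShell command without its final argument. The registry rule matches the key name loosely and measures edit distance to “Control Panel” so that typos like “Conttol Panel” still fire rather than slipping past an exact-string signature.

```python
import re

# Constructed sample process-creation events for this example (not real telemetry).
# Assumed record layout: "image|parent_image|command_line". The first three command
# lines mirror the ones quoted in the write-up; the last two are benign look-alikes.
# The Remove-Item target path is a constructed placeholder (the quoted string was cut off).
SAMPLE_EVENTS = [
    r'cmd.exe|sample_payload.exe|cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop"/v Wallpaper /f',
    r'cmd.exe|sample_payload.exe|cmd.exe /c reg delete "HKCU\Control Panel\Desktop" /v WallpaperStyle /f',
    r'cmd.exe|sample_payload.exe|cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path C:\Users\Public\sample_payload.exe',
    r'powershell.exe|explorer.exe|powershell.exe -Command Get-Process',
    r'reg.exe|cmd.exe|reg query "HKCU\Control Panel\Desktop" /v Wallpaper',
]

# reg delete against HKCU\<something>\Desktop for the Wallpaper or WallpaperStyle value.
# The key name is captured loosely so that misspellings such as "Conttol Panel" still match.
REG_DELETE_RE = re.compile(
    r'reg(?:\.exe)?\s+delete\s+"?HKCU\\([^\\"]+)\\Desktop"?\s*/v\s+(Wallpaper(?:Style)?)\b',
    re.IGNORECASE,
)
# Hidden-window PowerShell that deletes a file: the self-removal pattern quoted above.
HIDDEN_PS_RE = re.compile(r'powershell(?:\.exe)?\b.*-WindowStyle\s+Hidden', re.IGNORECASE)
REMOVE_ITEM_RE = re.compile(r'\bRemove-Item\b', re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to tolerate typos in the registry key name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_wallpaper_tamper(cmdline: str):
    """Fire on reg delete of the wallpaper values, flagging whether the key was misspelled."""
    m = REG_DELETE_RE.search(cmdline)
    if not m:
        return None
    key, value = m.group(1), m.group(2)
    distance = levenshtein(key.lower(), "control panel")
    if distance > 2:  # some other key under HKCU, not Control Panel even allowing typos
        return None
    return {"rule": "wallpaper_registry_delete", "value": value,
            "key_as_typed": key, "typo": distance > 0}


def match_hidden_self_delete(cmdline: str):
    """Fire on hidden-window PowerShell that runs Remove-Item."""
    if HIDDEN_PS_RE.search(cmdline) and REMOVE_ITEM_RE.search(cmdline):
        return {"rule": "hidden_powershell_remove_item"}
    return None


def scan(events):
    """Return one hit per matching event, preserving event order."""
    hits = []
    for record in events:
        image, parent, cmdline = record.split("|", 2)
        for rule in (match_wallpaper_tamper, match_hidden_self_delete):
            hit = rule(cmdline)
            if hit:
                hit.update(image=image, parent=parent, command_line=cmdline)
                hits.append(hit)
                break
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["rule"], "(typo)" if hit.get("typo") else "", "|", hit["command_line"])
```

The `typo` flag is worth surfacing in the alert: a misspelled key name is a strong indicator that the command came from a malformed tool rather than an administrator, and it is exactly the kind of string an exact-match signature would miss.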

The Rhysida Ransomware group is interested in its reputation and news about its breaches. Rhysida has a news section on its leak site which includes articles related to the group. Rhysida will reach out to local news to control the narrative of their attack.

Following their attack against Lumberton Independent School District (ISD) & Stephen F. Austin State University (SFASU) in June 2023, the Daily Sentinel in Nacogdoches, Texas, received an email from Rhysida claiming responsibility for the attacks and asserting that SFASU was lying when the university reported it “did not believe any data was compromised.” In further emails, Rhysida revealed the amount and type of information stolen:

  • “We downloaded about 1.2 terabytes of data from their (SFA) network, including SQL databases,”
  • “Here an attachment that proves to you that we stole data. It’s basically a press release from an international gang.”
  • “The same day we attacked SFASU, we also attacked the Lumberton Independent School District. They are withholding information about the attack. We downloaded 300 gigabytes of amazing personal documents and the proof is attached.”

Rhysida ransomware group is an emerging, low-level threat to the United States and its critical infrastructure sectors. However, Rhysida will likely continue to develop its technology, TTPs, and organization and may become a more significant threat.

The above analysis was made possible through collaboration in Hive-IQ and MATRIX. If you work for a .gov, .mil, or critical infrastructure and want to learn about these tools, contact .

Join the discussion and learn more about these incidents on Hive-IQ.

Alex Lothstein
Intelligence Analyst at TeamWorx Security

Alex is an Intelligence Analyst at TeamWorx Security. He has experience in the history/museum world researching, writing, and breaking down large pieces of information on complex topics into understandable bits for a general audience. His experience analyzing the past to better understand the present is a great asset in his intelligence research and writing.

John Rolley
Senior SOC Analyst at TeamWorx Security

John Rolley is a 26-year Army Veteran. He is an innovative Cybersecurity professional with a proven successful history in the Defense industry. John has compiled a unique set of skills and experience by fulfilling multiple work roles in cyber over nine years, spanning both offensive and defensive cyber operations. During this time, he has gained the knowledge, skills, and abilities in threat hunting, incident response, malware reverse engineering, and cyberspace operations planning.
