Rhysida Ransomware Report
2024.11.22
✅ Report Title:
Rhysida Ransomware Report
✅ Executive Summary:
The Rhysida ransomware was first discovered in May 2023 by the overseas security research team, MalwareHunterTeam, and gained attention in June when documents related to the Chilean Army were leaked on its site. Subsequently, as attacks targeting hospitals and the healthcare sector in the United States continued, the U.S. Department of Health and Human Services (HHS) designated the Rhysida ransomware group as a significant threat to the healthcare sector and issued a report.
Recent issues include:
- (2024-10-09): Recorded Future revealed new attack techniques by Rhysida.
- (2023-12-21): KISA released a Rhysida ransomware decryption tool.
- (2023-08-04): U.S. HHS published a report on Rhysida ransomware.
- (2023-06-15): Chilean Army data leaked on Rhysida's leak site.
- (2023-05-17): First discovery of Rhysida ransomware.
The update history includes:
- (2024-11-07): Updated information based on Recorded Future's disclosures.
- (2023-01-02): Issue updates related to the decryption tool developed by KISA.
- (2023-12-12): TTPs (Tactics, Techniques, and Procedures) updates.
- (2023-08-11): Quick overview of Rhysida.
📌 What are the key features of Rhysida ransomware?
- On May 26, 2023, an attack was revealed to have been carried out by a Rhysida ransomware operator who was an insider at the Chilean Army. As a result, 30% of the Chilean Army’s network documents—totaling 360,000 files—were stolen and leaked.
- Unlike the LockBit ransomware group, which applies its own ethical standards in selecting targets, Rhysida does not consider ethical factors in its attacks. For example, they targeted a U.S.-based funeral service website and launched an attack on Prospect Medical Holdings, impacting 17 hospitals and 166 clinics across the United States.
- Check Point and Prodaft have suggested a connection between the Rhysida ransomware group and the Vice Society ransomware group:
  - When the Rhysida group emerged in May 2023, Vice Society ransomware activity decreased.
  - Analyzing the industries targeted by the two groups revealed significant overlap, with education being a key target sector for both.
  - Their TTPs (Tactics, Techniques, and Procedures) are strikingly similar:
    - Using NTDS to create a backup of NTDS.dit in a folder named temp_l0gs.
    - Employing the SystemBC botnet and creating a new local firewall rule under the name "Windows Update" using New-NetFirewallRule.
    - Changing domain account passwords before deploying ransomware payloads internally.
  - Analysis of Rhysida's infrastructure revealed evidence of prior use by the Vice Society, along with the discovery of a Portstarter backdoor sample.
- According to Recorded Future, Rhysida uses typosquatting and SEO poisoning techniques to disguise itself as legitimate software download sites, distributing the CleanUpLoader malware.
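As an added defender-side example (not code from the S2W report), the scanner below applies two of the TTPs listed above, the NTDS.dit backup into a temp_l0gs folder and a New-NetFirewallRule rule named "Windows Update", to constructed process-creation log lines; the host names, users and the host|user|command_line layout are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (as exported from Sysmon Event ID 1
# or Security 4688 with command-line auditing), flattened to host|user|command_line.
SAMPLE_EVENTS = """\
DC01|CORP\\svc-backup|cmd.exe /c mkdir C:\\temp_l0gs & copy C:\\ntds_snapshot\\ntds.dit C:\\temp_l0gs\\
WS07|CORP\\jdoe|powershell.exe New-NetFirewallRule -DisplayName "Windows Update" -Direction Inbound -Action Allow -Program C:\\Users\\Public\\svc.exe
WS07|CORP\\jdoe|powershell.exe Get-NetFirewallRule -DisplayName "Windows Update"
WS03|CORP\\alice|notepad.exe C:\\Users\\alice\\notes.txt
"""

# Each rule: name, compiled pattern over the command line, triage description
# (closest ATT&CK technique noted for the analyst).
RULES = [
    ("ntds_backup_to_temp_l0gs",
     re.compile(r"ntds\.dit|temp_l0gs", re.IGNORECASE),
     "NTDS.dit copied into temp_l0gs (credential dumping, T1003.003)"),
    ("firewall_rule_named_windows_update",
     # Only rule creation is flagged; Get-/Set- queries on the same name are not.
     re.compile(r"New-NetFirewallRule\b.*?-(?:DisplayName|Name)\s+\"?Windows Update\"?",
                re.IGNORECASE),
     "Firewall rule created under the name 'Windows Update' (T1562.004)"),
]

@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    description: str
    command_line: str

def scan_events(events: str) -> list:
    """Return one Finding per (event, rule) match, in log order."""
    findings = []
    for raw in events.splitlines():
        if not raw.strip():
            continue
        host, user, cmd = raw.split("|", 2)
        for name, pattern, desc in RULES:
            if pattern.search(cmd):
                findings.append(Finding(host, user, name, desc, cmd))
    return findings

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host} {f.user}: {f.command_line}")
```

In production the same rules would run over the SIEM's process-creation feed rather than a static string, and the temp_l0gs and "Windows Update" strings should be treated as high-confidence, low-volume indicators rather than tuned away as noise.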
✅ Recommended Threat Detection and Mitigation Actions:
For specific analysis and actionable countermeasures, please refer to the link below.
🧑‍💻 Report Author: S2W TALON (Updated 2024-11-07)
👉 Contact us: https://s2w.inc/en/contact