Ransomware Roundup - Rhysida

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This edition of the Ransomware Roundup covers the Rhysida ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption
Severity level: High

Rhysida Ransomware Overview

Rhysida ransomware is a new ransomware group that uses a Ransomware-as-a-Service (RaaS) model consisting of developers who create and provide ransomware, the infrastructure needed to operate it, and affiliates who execute attacks against victims. Its first ransomware sample was submitted to a public file scanning service in May 2023.

On August 4, 2023, the Health Sector Cybersecurity Coordination Center (HC3) released a sector alert for the Rhysida ransomware.

Infection Vector

According to the HC3 alert, Rhysida threat actors rely on phishing attacks as an infection vector. The attackers also reportedly use Cobalt Strike for lateral movement within the victim's network and to deliver payloads. Cobalt Strike is advertised as an adversary emulation tool for information security professionals to evaluate network and system defenses. However, cybercriminals often abuse it to compromise networks and create persistent communication channels between the attacker and the victim.

Victimology

The leak site used by the Rhysida group to auction and expose victim data currently lists 41 victims. While Rhysida has hit organizations around the globe, more than 50% of affected organizations are located in Europe, with North America a distant second. Organizations in Asia Pacific (APAC), Latin America, the Middle East, and Africa were also affected. The education sector accounts for more than 30% of its victims—with one exception, all of the affected organizations in the education sector are located in Europe and North America—followed by manufacturing, government, and IT.

According to information on the data leak site, the largest amount of data (1.6 TB) was stolen from a European government agency.

Ransomware Execution

After compromising the victim’s network, Rhysidia likely deploys Cobalt Strike to move laterally across the network and function as its command and control center. The ransomware finds and encrypts data using the ChaCha algorithm, adding a “.rhysida” extension to the affected files.

Rhysida ransomware avoids encrypting files that have the following file extensions:

• .bat
• .bin
• .cab
• .cmd
• .com
• .cur
• .diagcab
• .diagcfg
• .diagpkg
• .dll
• .drv
• .exe
• .hlp
• .hta
• .ico
• .ini
• .ini
• .iso
• .lnk
• .msi
• .ocx
• .ps1
• .psm1
• .scr
• .sys
• .Thumbs.db
• .url

It also avoids encrypting files in the following folders:

• ApzData
• Boot
• Documents and Settings
• PerfLogs
• Program Files
• Program Files (x86)
• ProgramData
• Recovery
• System Volume Information
• Windows
• $Recycle.Bin

One of the earlier Rhysida ransomware samples (SHA2: a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6) drops a ransom note in PDF titled “CriticalBreachDetected.pdf.” The ransom note has Rhysida’s TOR site address, which victims are asked to visit to contact the attacker. The sample claims to have been created on May 15, 2023.

The attacker appears to have created a new variant (SHA2: 258ddd78655ac0587f64d7146e52549115b67465302c0cbd15a0cba746f05595) on May 17 that drops a ransom note with the same title. However, the threat actor has also included a couple of email addresses as an alternative means of contact, probably in case victims are unfamiliar with TOR.

One of the Rhysida samples we examined replaced the desktop wallpaper with the same ransom message as the dropped PDF file.

Even though our analysis revealed minor differences such as those mentioned above, all of the Rhysida ransomware samples that FortiGuard Labs have collected are marked as version 0.1.

The Rhysida group also operates a data leak site on TOR for ransom negotiations and exposing data stolen from the victims. At the time of our investigation, the most recent victim was a US organization in the education sector. The threat actor had demanded a ransom of 10 Bitcoins (as of August 22, 2023, one Bitcoin is worth approximately $26,000 US). However, as shown in Figure 7, the threat actor may be willing to negotiate a ransom if the counteroffer is not insultingly low.

The leaks site displays stolen data in a file tree format and provides a search function.

Fortinet Protections

Fortinet customers are already protected from these malware variants through AntiVirus and FortiEDR services, as follows:

FortiGuard Labs detects the Rhysida ransomware samples with the following AV signature:

• W32/Rhysida.B437!tr.ransom
• W32/Filecoder_Rhysida.A!tr.ransom
• W64/Filecoder.IN!tr.ransom

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.

IOCs

File-based IOCs:

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

Best Practices Include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a US Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).