Blog entry by Les Bell

by Les Bell - Thursday, November 16, 2023, 8:27 AM

The threat posed by Rhysida ransomware has been steadily growing over recent months, leading the FBI, CISA and MS-ISAC (Multi-State Information Sharing and Analysis Center) to issue a cybersecurity advisory detailing the tactics and techniques used by its operators, as well as recommended mitigation techniques.

The threat actors behind Rhysida are known to target the education, healthcare, manufacturing, tech and government sectors, looking for low-hanging fruit. They also offer their tools and infrastructure in a Ransomware-as-a-Service model in which they profit-share with those who lease them.

Whoever they are, they typically gain initial access via remote services such as VPN access points, which they reach using compromised valid credentials; they obtain these via phishing and other attacks against organisations which have not implemented multi-factor authentication. They have also been seen exploiting the Zerologon vulnerability in the Microsoft Netlogon Remote Protocol (which should have been patched back in August 2020 - as I say, low-hanging fruit).

Having established a beachhead on the internal network, the threat actors use living-off-the-land techniques, employing the existing system software, such as PowerShell, the Windows ipconfig, whoami, nltest, and net user, net group and similar commands, as well as RDP to pivot to other systems. However, they do install additional tools such as PuTTY, AnyDesk and PowerView, which they use to map the network.

The Rhysida ransomware itself encrypts each file with the ChaCha20 algorithm under a 256-bit key, protects that symmetric key in turn with 4096-bit RSA, and renames the file to add a .rhysida extension. It simultaneously exfiltrates data, allowing the operators to engage in double extortion: pay the demanded Bitcoin ransom to obtain the decryption key and also to prevent the threat actors publishing sensitive exfiltrated data.

Once encryption has been completed, a PowerShell command deletes the ransomware binary and drops a victim-specific PDF file entitled "CriticalBreachDetected", containing a unique code and instructions to contact the operator via a Tor network portal and make payment. The text of the note makes a useful IoC, since it is also embedded in the ransomware binary, allowing easy detection. (I should say, "was also embedded", since it is easily obscured, e.g. by an XOR algorithm, and the operators have almost certainly done this by now).
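To illustrate the detection point above, here is an added example (not from the advisory or this post) that scans a constructed byte blob for the note title both in clear text and under every single-byte XOR key, the way YARA's `xor` string modifier does; the single-byte key is my assumption, and a longer key would need a different search.

```python
"""Scan a binary blob for a known ransom-note string, plain or single-byte-XOR obscured."""
from typing import List, Tuple

# Note title described in the advisory, embedded in the ransomware binary.
NOTE_MARKER = b"CriticalBreachDetected"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (0-255)."""
    return bytes(b ^ key for b in data)


def find_marker(blob: bytes, marker: bytes = NOTE_MARKER) -> List[Tuple[int, int]]:
    """Return (offset, xor_key) hits, sorted by offset. Key 0 means clear text.

    For each of the 256 possible single-byte keys, search the blob for the
    marker encoded under that key; a hit at key k means the sample holds the
    marker XORed with k. This is the same idea as YARA's `xor` modifier.
    """
    hits = []
    for key in range(256):
        needle = xor_bytes(marker, key)
        start = 0
        while (idx := blob.find(needle, start)) != -1:
            hits.append((idx, key))
            start = idx + 1
    return sorted(hits)


# Constructed sample, not a real binary: a fake header and padding, the
# marker in clear text, more padding, then the marker XORed with key 0x5A.
SAMPLE_BLOB = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 16
    + NOTE_MARKER
    + b"\x00" * 8
    + xor_bytes(NOTE_MARKER, 0x5A)
    + b"\xff" * 4
)

if __name__ == "__main__":
    for offset, key in find_marker(SAMPLE_BLOB):
        how = "clear text" if key == 0 else f"XOR key 0x{key:02x}"
        print(f"marker at offset {offset}: {how}")
```

Running it on the sample reports the clear-text copy at offset 20 and the obscured copy at offset 50 with key 0x5a; a scan that only looked for the literal string would miss the second.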

A long list of suggested mitigations starts with the obvious: deploying phishing-resistant multi-factor authentication, removing user access to PowerShell and other command-line tools, restricting the use of RDP and other remote desktop services, application allowlisting, proactive patching, etc. It also advises validating controls using pen-testing techniques aligned with the specific MITRE ATT&CK techniques identified. The advisory also lists IoCs, and they are downloadable in STIX XML and JSON formats.

CISA, #StopRansomware: Rhysida Ransomware, cybersecurity advisory, 15 November 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a.


About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.