Rhysida Ransomware Group Profile

Rhysida is a ransomware group that emerged in 2023. The group operates as a Ransomware-as-a-Service (RaaS) operation, employing double extortion tactics to force victims to pay ransoms.

Overview

First Known Activity

Rhysida's first known activity dates back to January 2023, although the group was not publicly observed until May 2023. The group made headlines at the end of May 2023 when they successfully deployed their ransomware against systems associated with the Chilean Army.

Primary Targets

Rhysida targets a wide range of industries and organizations across multiple countries:

• Sectors: Education, government, healthcare, manufacturing, and technology industries.
• Geographic Focus: Active in at least 25 countries, with a major presence in North America, Europe, and Australia.

Notable Targets:

• United States (primary target)
• Italy
• Spain
• United Kingdom

Known Affiliations

While Rhysida operates as an independent group, there are strong indications of connections to other ransomware operations:

• Vice Society: Multiple researchers have noted significant similarities between Rhysida and Vice Society in terms of tactics, techniques, and procedures (TTPs).
• The emergence of Rhysida coincided with a decline in Vice Society activities, with Vice Society's last reported attacks occurring between July and October 2022.
• Some analysts speculate that Rhysida may be a rebranding or evolution of Vice Society, though this has not been definitively confirmed.

Technical Details

Ransomware Family/Variants

Rhysida is the primary ransomware strain used by this group. It operates as a Ransomware-as-a-Service (RaaS) model. The ransomware is known to have both Windows and Linux versions

Infection Vectors

Rhysida primarily spreads through the following methods:

• Phishing Attacks: The most common initial access vector.
• Exploitation of Unpatched Vulnerabilities: Targeting network infrastructure such as web servers and email servers.
• Remote Desktop Protocol (RDP) Attacks: Using compromised credentials or brute-force attacks against unpatched systems.

Encryption Methods

Rhysida employs a complex encryption process:

• Hybrid Encryption: Uses a combination of RSA and ChaCha20 algorithms.
• RSA Key: Utilizes a 4096-bit RSA key for encryption.
• AES-CTR: Employs AES in counter mode for file encryption.
• LibTomCrypt: Uses this open-source cryptographic library for its encryption routine.
• File Extension: Appends .rhysida to encrypted files.

Payload Features

Rhysida ransomware includes several additional features:

Operational Characteristics

Ransom Demand Range

Rhysida typically demands large sums of money, with ransom amounts varying based on the target:

• Port of Seattle: 100 bitcoins (approximately $5.8 million)
• Montreal North: 10 bitcoins (approximately $1.64 million)
• British Library: Less than $1 million

The group has shown willingness to negotiate ransom amounts in some cases.

Payment Methods

Rhysida exclusively accepts payments in Bitcoin (BTC). The group provides information on purchasing and using Bitcoin on their victim portal.

Tactics, Techniques, and Procedures (TTPs)

Rhysida employs a wide range of TTPs, including:

Communications

Rhysida uses several methods for victim communication:

• ‍TOR-Based Portal: Victims are instructed to contact the attackers via a Tor-based portal using a unique identifier provided in the ransom note.‍
• Ransom Note: A PDF file named "CriticalBreachDetected.pdf" containing ransom instructions is dropped on the victim's system.‍
• Dark Web Leak Site: Rhysida operates a data leak site on the dark web for ransom negotiations and exposing stolen data.‍
• Email: Some variants include email addresses as an alternative means of contact.‍
• Desktop Wallpaper: In some cases, the ransomware replaces the desktop background with the ransom message.

Recent Activity

Real-Case Examples:

• Port of Seattle (August 24, 2024): Rhysida attacked the Port of Seattle, severely affecting critical systems at Seattle-Tacoma International Airport. The attack disrupted bag checking, check-in services, flight information displays, and phone systems. The Port refused to pay the ransom, potentially leading to data leaks.
• City of Columbus, OH (August 2024): Rhysida stole 3TB of data from the City of Columbus, including sensitive employee records. After the city refused to pay the ransom, all the data was dumped onto the dark web.
• Sumter County, FL Sheriff's Office (August 2024): Rhysida breached the Sheriff's Office systems, potentially compromising 150,000 citizens' data, including passports and SSNs. They demanded a payment of 7 bitcoin (worth almost half a million dollars).
• Unimed Vales do Taquari e Rio Pardo (May 2024): This Brazilian healthcare provider was given seven days to pay before Rhysida threatened to publish the stolen data.

Trends:

• Increased Activity: Rhysida's activity peaked in November 2023 and has since shown some decline. However, they remain highly active, with 91 victims posted on their leak site as of May 2024.
• Targeting Critical Infrastructure: Rhysida has shown a tendency to target critical infrastructure, as evidenced by the Port of Seattle attack.
• Diverse Sector Targeting: While initially known for targeting education, government, manufacturing, and tech industries, Rhysida has expanded its focus to include healthcare and public health organizations.
• Global Reach: Rhysida's victims span multiple countries, with significant activity in the United States, Middle East, Latin America, and Europe.
• Refusal to Pay: Some high-profile victims, like the Port of Seattle, have refused to pay ransoms, potentially leading to more data leaks.
• Advanced Tactics: Rhysida has evolved from seemingly novice malware to more sophisticated operations, including the use of malvertising and SEO poisoning techniques.
• Early Detection Potential: Research has shown that with advanced threat intelligence, potential Rhysida victims can be identified up to 30 days before they appear on the extortion site, offering a critical window for prevention and mitigation.

External References

References

• CISA, FBI, and MS-ISAC Joint Advisory: "#StopRansomware: Rhysida Ransomware"
• Health Sector Cybersecurity Coordination Center (HC3) Alert on Rhysida
• Recorded Future Report: "Outmaneuvering Rhysida: How Advanced Threat Intelligence Shields Critical Infrastructure from Ransomware"
• Trend Micro Analysis: "Ransomware Spotlight: Rhysida"
• FortiGuard Labs Threat Research: "Investigating the New Rhysida Ransomware"

Related CVEs

• CVE-2020-1472 (Zerologon): Critical vulnerability in Microsoft's Netlogon Remote Protocol, exploited by Rhysida for initial access and privilege escalation.

Additional Resources

• Rhysida Ransomware Profile by SentinelOne
• Picus Security Blog: "Rhysida Ransomware Explained: Tactics, Techniques, and Procedures"
• Cynet Blog: "Rhysida: the ransomware gang strikes again"
• Vectra AI Threat Actor Profile: Rhysida
• SOCRadar Threat Profile: Rhysida Ransomware
• Critical Start Blog: "Exploring Rhysida Ransomware - A Deeper Understanding of the New Cyber Menace"
• eSentire Blog: "Rhysida Ransomware Group Targets Hospitals, Power Plants"

‍

‍