The threat actors behind one of the ransomware's newest kids on the block Rhysida have announced they will leak documents belonging to the Chilean Army. This comes after the Army confirmed that systems were impacted in a security incident detected over the weekend on May 27, 2023.
Chilean cybersecurity firm CronUp provided further information regarding the attack and noted that the network was isolated following the breach, with military security experts starting the recovery process of affected systems around May 29, 2023.
Further, the incident has been reported to Chile's Computer Security Incident Response Team (CSIRT) of the Joint Chiefs of Staff and the Ministry of National Defense.
Only a few days later, there was to be an interesting revelation. Local media reported that an Army corporal was arrested and charged for his involvement in the ransomware attack.
As it stands, Rhysida claim to have released approximately 30% of the data stolen from the Army, which according to CronUp security researcher Germán Fernández amounts to approximately 360,000 Chilean Army documents, as reported in Bleeping Computers article.
Only a few days before the attack on the Chilean Army, Rhysida was discovered by MalwareHunterTeam. Subsequent research by Sentinel One revealed that threat actors behind the ransomware consider themselves a "cybersecurity team" who are doing their victims a favor by targeting their systems, thus highlighting the supposed potential ramifications of the involved security issues.
This is all done at a cost, of course, that being having data encrypted and dealing with subsequent extortion attempts threatening and releasing stolen data.
So not only does their service reveal security flaws, it facilitates the paying of a ransom which in itself funds crime, and the victim will have to pay further recovery costs down the line. In summary, this fallacy of being a security team is far less noble than they make it out to be.
Sentinel One researcher determined that the primary methods include Cobalt Strike, a penetration testing tool favored by malware developers for its ability to drop beacons that facilitate the dropping of ransomware on a compromised machine and through phishing campaigns.
Other deployment options remain available to the developers, including using frameworks similar to Cobalt Strike. Researchers further noted,
Analyzed samples of Rhysida ransomware indicate that the group is in the early stages of the development cycle. The payloads are missing many commodity features, such as VSS removal, that are synonymous with present-day ransomware. This said the group threatens victims with public distribution of the exfiltrated data, bringing them in line with modern-day multi-extortion groups.
When launched, Rhysida will display a cmd.exe window as it traverses all files on all local drives. Victims are instructed to contact the attackers via their TOR-based portal, utilizing their unique identifier provided in the ransom notes. Rhysida accepts payment in BTC (Bitcoin) only and provides victims with information on the purchase and use of BTC on the victim portal. Upon providing their unique ID to the payment portal, an additional form is provided allowing victims to provide more information to the attackers for authentication and contact detail purposes.
The Threat Posed from Inside Organisations
There is often a misconception that ransomware attacks are made by hackers wearing hoodies and masks and sitting in dark basements. The reality is not all attacks are facilitated by these shadowy figments of our imagination, if any.
Ransomware operations have evolved to include sophisticated networks of developers, affiliates, and those that specialize in gaining access to corporate networks, referred to as initial access brokers.
All get a piece of the pie when it comes to earnings generated from specific attacks. In this regard, initial access brokers have grown in popularity as they will have inside knowledge on how best to breach a target's defenses; this dramatically improves the chances of carrying out a successful attack where data is both exfiltrated and encrypted.
Unfortunately, often these are disgruntled employees of the victim or employees just wanting to make a quick buck. This is something ransomware admins are willing to pay top dollar for, as shown in this post by LockBit 2.0 admins on an underground hacker forum,
Would you like to earn millions of dollars? Our company acquires access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company…You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. Companies pay us the foreclosure for the decryption of files and prevention of data leak.
In the above case involving the Chilean Army, where a corporal was arrested and charged for their suspected involvement, it might be that Rhysidia developers or admins are looking for those disgruntled employees uniquely placed to take advantage of having an agent on the inside, as it were.
Other scammers, including business email compromise scams also favor such tactics. It should be noted that it is easier to bring an employee involved in such attacks to justice than the scammer, who is often in a country where extradition is difficult or impossible.