The Rhysida ransomware strain was first brought to wider public attention when it was used in an attack on the Chilean Army in May 2023. Since then, Rhysida operators have claimed they have at least 50 victims worldwide on its data leak website.
Now, law enforcement agencies and security firm Fortinet have released reports to help inform network defenders about the ransomware's attack chain and to help prevent further infections.
According to Fortinet researchers, Rhysida infections tend to follow a similar pattern, which can be summarized as follows:
- Rhysida operators acquire credentials and access environments through victim VPN devices.
- Lateral movement through Remote Desktop Protocol (RDP) to key servers (i.e. domain controllers)
- Credential dumping using basic methods (i.e., taskmanager.exe, procdump)
- Deployment of a SOCKS-based PowerShell backdoor as a secondary access.
- Data exfiltration conducted after manual file appraisal through RDP or AnyDesk
- Impact delivered through ransomware deployed to ESXi hypervisors first to maximize impact
Fortinet's report goes into much greater detail as to how each of the above steps is completed; such fine and technical detail is beyond the scope of this article.
What is of interest, however, is the sophistication of Rhysidia's tool set used in attacks observed by Fortinet. While researchers discovered that Rhysida operators had sophisticated tools at their disposal, many of the infections were carried out using common tactics used by other ransomware families.
While the threat actor may have had more sophisticated TTPs within their repertoire, in this case, they were able to achieve their outcomes using exclusively unsophisticated, known TTPs. As ransomware and extortion-based attacks continue to affect thousands of victims like this one across the globe every day, organizations should focus on ensuring they can detect more of the basic TTPs employed throughout this intrusion.
A joint cybersecurity advisory published by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) also covers the tactics and techniques used by Rhysida operators.
Much of what was covered by Fortinet is repeated in the advisory, but for the purposes of this article, the information shared related to the encryption method is interesting.
Rhysida's encryption module uses a 4096-bit RSA encryption key with a ChaCha20 algorithm. Registry modification commands are not obfuscated, displayed as plain-text strings, and executed via cmd.exe; this is because, by this stage of the attack, obfuscation of code is unnecessary, as the speed of encryption is a more critical requirement.
Rhysida's encryptor runs a file to encrypt and modify all encrypted files to display a .rhysida extension. Following encryption, a PowerShell command deletes the binary from the network using a hidden command window.
Researchers noted that after the lines of binary strings complete their tasks, they delete themselves through the control panel to evade detection.
Scattered Spider also under the Microscope
It is not only Rhysida that has been receiving attention from law enforcement. In a joint advisory issued by the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA), the gang's tactics have been released to the public in the hope that networks can be better defended.
The group's tactics and techniques read like the index of a cyber crime textbook, with the group being able to successfully carry out the following types of attacks designed to gain initial access to corporate networks: phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and bypass multifactor authentication (MFA).
The bypassing of MFA and SIM Swapping attacks is of particular interest. Agency representatives stated,
In most instances, Scattered Spider threat actors conduct SIM swapping attacks against users that respond to the phishing/smishing attempt. The threat actors then work to identify the personally identifiable information (PII) of the most valuable users that succumbed to the phishing/smishing, obtaining answers to those users' security questions. After identifying usernames, passwords, PII, and conducting SIM swaps, the threat actors then use social engineering techniques to convince IT help desk personnel to reset passwords and/or MFA tokens to perform account takeovers against the users in single sign-on (SSO) environments.
It has been seen in the past that Scattered Spider threat actors will register their own MFA codes to assist in threat actors persisting on the now compromised network once initial access is gained. By controlling MFA codes and single sign-on instances, threat actors will move to gain privileged access.
Once privileged access is secured, threat actors leverage common endpoint detection and response (EDR) tools installed on the victim networks to take advantage of the tools' remote-shell capabilities and execute commands, which elevates their access even further.
Scattered Spider will then move to exfiltrate stolen data for extortion purposes, which has been done by using Amazon Web Services to create EC2 instances where data is sent. This allows for the effective exfiltration by the threat actors. At this point, it has been reported that threat actors will deploy ransomware onto the compromised network.