An Overview of the New Rhysida Ransomware Targeting the Healthcare Sector
On August 4, 2023, the HHS’ Health Sector Cybersecurity Coordination Center (HC3) released a security alert about a relatively new ransomware called Rhysida (detected as Ransom.PS1.RHYSIDA.SM), which has been active since May 2023. In this blog entry, we will provide details on Rhysida, including its targets and what we know about its infection chain.
Not much is currently known about the threat actors behind Rhysida in terms of origin or affiliations. According to the HC3 alert, Rhysida presents itself as a “cybersecurity team” that offers to help victims find security weaknesses in their networks and systems. In fact, the group’s first appearance involved the use of a victim chat support portal.
Rhysida, previously known for targeting the education, government, manufacturing, and tech industries, among others, has begun conducting attacks on healthcare and public health organizations. The healthcare industry has seen an increasing number of ransomware attacks over the past five years, including a recent incident involving Prospect Medical Holdings, a California-based healthcare system, that occurred in early August (although the group behind that attack has yet to be named as of this writing).
Data from Trend Micro™ Smart Protection Network™ (SPN) shows a similar trend: detections from May to August 2023 indicate that its operators are targeting multiple industries rather than focusing on a single sector.
The threat actor also targets organizations around the world, with SPN data showing several countries where Rhysida binaries were detected, including Indonesia, Germany, and the United States.
How does a Rhysida attack proceed?
Rhysida ransomware usually arrives on a victim’s machine via phishing lures, after which Cobalt Strike is used for lateral movement within the victim’s network.
Additionally, our telemetry shows that the threat actors execute PsExec to deploy PowerShell scripts and the Rhysida ransomware payload itself. The PowerShell script (g.ps1), detected as Trojan.PS1.SILENTKILL.A, is used by the threat actors to terminate antivirus-related processes and services, delete shadow copies, modify remote desktop protocol (RDP) configurations, and change the Active Directory (AD) password.
Interestingly, it appears that the script (g.ps1) was updated by the threat actors during execution, eventually leading us to a PowerShell version of the Rhysida ransomware.
Rhysida ransomware employs a 4096-bit RSA key and ChaCha20 for file encryption. After successful encryption, it appends the .rhysida extension and drops the ransom note CriticalBreachDetected.pdf.
This ransom note is fairly unusual — instead of an outright ransom demand as seen in most ransom notes from other ransomware families, the Rhysida ransom note is presented as an alert from the Rhysida “cybersecurity team” notifying victims that their system has been compromised and their files encrypted. The ransom demand comes in the form of a “unique key” designed to restore encrypted files, which must be paid for by the victim.
Summary of malware and tools used by Rhysida
- Malware: RHYSIDA, SILENTKILL, Cobalt Strike
- Tools: PsExec
| Tactic | Malware/Tool | Description |
|---|---|---|
| Initial Access | Phishing | Based on external reports, Rhysida uses phishing lures for initial access |
| Lateral Movement | PsExec | Microsoft tool used for remote execution |
| Lateral Movement | Cobalt Strike | Third-party tool abused for lateral movement |
| Defense Evasion | SILENTKILL | Malware deployed to terminate AV-related processes and services, delete shadow copies, modify RDP configurations, and change the AD password |
| Impact | Rhysida ransomware | Ransomware encryption |

Table 1. A summary of the malware, tools, and exploits used by Rhysida
Although we are still in the process of fully analyzing Rhysida ransomware, its tools, and its tactics, techniques, and procedures (TTPs), the best practices for defending against ransomware attacks still hold true for Rhysida as they do for other ransomware families.
Here are several recommended measures organizations can implement to safeguard their systems from ransomware attacks:
- Create an inventory of assets and data
- Review event and incident logs
- Manage hardware and software configurations
- Grant administrative privileges and access only when relevant to an employee’s role and responsibilities
- Enforce security configurations on network infrastructure devices like firewalls and routers
- Establish a software whitelist permitting only legitimate applications
- Perform routine vulnerability assessments
- Apply patches or virtual patches for operating systems and applications
- Keep software and applications up to date using their latest versions
- Integrate data protection, backup, and recovery protocols
- Enable multifactor authentication (MFA) mechanisms
- Utilize sandbox analysis to intercept malicious emails
- Regularly educate and evaluate employees’ security aptitude
| SHA1 | Detection name |
|---|---|
| 69b3d913a3967153d1e91ba1a31ebed839b297ed | Ransom.Win64.RHYSIDA.THEBBBC |
| 338d4f4ec714359d589918cee1adad12ef231907 | Ransom.Win64.RHYSIDA.THFOHBC |
| b07f6a5f61834a57304ad4d885bd37d8e1badba8 | Ransom.Win64.RHYSIDA.SM |
| 7abc07e7f56fc27130f84d1c7935a0961bd58cb9 | TrojanSpy.Win32.INVICTASTEALER.A |
| 2543857b275ea5c6d332ab279498a5b772bd2bd4 | TrojanSpy.Win32.INVICTASTEALER.A |
| eda3a5b8ec86dd5741786ed791d43698bb92a262 | Trojan.LNK.DOWNLOADER.AA |
MITRE ATT&CK Matrix

| Tactic | Technique | Description |
|---|---|---|
| Initial Access | T1566 Phishing | Based on external reports, Rhysida uses phishing lures for initial access. |
| Execution | T1059.003 Command and Scripting Interpreter: Windows Command Shell | It uses cmd.exe to execute commands. |
| Execution | T1059.001 Command and Scripting Interpreter: PowerShell | It uses PowerShell to create a scheduled task named Rhsd pointing to the ransomware. |
| Persistence | T1053.005 Scheduled Task/Job: Scheduled Task | When executed with the argument -S, it creates a scheduled task named Rhsd that executes the ransomware. |
| Defense Evasion | T1070.004 Indicator Removal: File Deletion | Rhysida ransomware deletes itself after execution. The scheduled task (Rhsd) it created is also deleted after execution. |
| Defense Evasion | T1070.001 Indicator Removal: Clear Windows Event Logs | It uses wevtutil.exe to clear Windows event logs. |
| Discovery | T1083 File and Directory Discovery | It enumerates and looks for files to encrypt in all local drives. |
| Discovery | T1082 System Information Discovery | Obtains system information. |
| Impact | T1490 Inhibit System Recovery | It uses vssadmin to remove volume shadow copies. |
| Impact | T1486 Data Encrypted for Impact | It uses a 4096-bit RSA key and ChaCha20 for file encryption. It avoids encrypting files with certain strings in their file names and files found in certain folders. It appends the .rhysida extension to the file name of encrypted files. It encrypts all system drives from A to Z. It drops the ransom note CriticalBreachDetected.pdf. |
| Impact | T1491.001 Defacement: Internal Defacement | It changes the desktop wallpaper after encryption and prevents the user from changing it back by modifying the NoChangingWallpaper registry value. |
Trend Vision One customers can use the following hunting query to search for Rhysida within their environment:

```
processCmd:"powershell.exe*\\*$\?.ps1" OR (processCmd:"?:\?$\??.bat" AND objectFilePath:"?:\?$\PSEXEC.exe")
```
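The behaviours in the ATT&CK table and the hunting query above can be expressed as command-line detection rules. The Python below is an added example, not Trend Micro's code or the Vision One query engine: it generalises the query's single-character wildcards to any file name, gates the .bat rule on PsExec being the file involved as the query does, and runs the rules over constructed sample process-creation events (host, script and file names are made up).

```python
import re

# Detection rules derived from the behaviours described above: (label, regex over
# the command line). The first two follow the Vision One hunting query, widened
# from one-character wildcards to any file name.
RULES = [
    ("hunt:powershell-admin-share-ps1",
     r"powershell\.exe.*\\\\[^\s\\]+\\[a-z]\$\\[^\s\\]+\.ps1"),
    ("hunt:bat-from-admin-share", r"[a-z]\$\\[^\s\\]+\.bat"),
    ("T1490:vssadmin-delete-shadows", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("T1070.001:wevtutil-clear-log", r"wevtutil(\.exe)?\s+cl\b"),
    ("T1053.005:scheduled-task-Rhsd",
     r"(schtasks(\.exe)?\s+/create|Register-ScheduledTask).*\bRhsd\b"),
    ("T1491.001:NoChangingWallpaper", r"NoChangingWallpaper"),
]
COMPILED = [(label, re.compile(rx, re.IGNORECASE)) for label, rx in RULES]
PSEXEC = re.compile(r"psexec\.exe$", re.IGNORECASE)

def classify(event):
    """Return the rule labels matching one process event.
    event: dict with 'cmd' (command line) and optional 'file_path' (objectFilePath)."""
    hits = [label for label, rx in COMPILED if rx.search(event.get("cmd", ""))]
    # As in the query, the .bat rule only counts when PsExec is the file involved.
    if "hunt:bat-from-admin-share" in hits and not PSEXEC.search(event.get("file_path", "")):
        hits.remove("hunt:bat-from-admin-share")
    return hits

def scan(events):
    """Map the index of every event with at least one hit to its labels."""
    results = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results[i] = hits
    return results

# Constructed sample events shaped like Sysmon Event ID 1 / Windows 4688 records;
# not telemetry from the page. Host, script and registry values are made up.
SAMPLE_EVENTS = [
    {"cmd": r"powershell.exe -ep bypass -f \\SRV01\C$\g.ps1"},
    {"cmd": r"cmd.exe /c C:\C$\ab.bat", "file_path": r"C:\C$\PSEXEC.exe"},
    {"cmd": r"cmd.exe /c C:\C$\ab.bat", "file_path": r"C:\Windows\System32\cmd.exe"},
    {"cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"cmd": "wevtutil.exe cl Security"},
    {"cmd": r'schtasks /create /tn Rhsd /tr "C:\Users\Public\r.exe" /sc once /st 00:00'},
    {"cmd": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop"
            r" /v NoChangingWallpaper /t REG_DWORD /d 1 /f"},
    {"cmd": r"powershell.exe -File C:\Scripts\backup.ps1"},  # benign: local script, no admin share
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["cmd"], "->", hits)
```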