Rewterz Threat Alert – Rhysida Ransomware – Active IOCs

Severity

High

Analysis Summary

Rhysida ransomware has emerged as a significant threat to organizations across various industries, employing deceptive tactics to infiltrate networks and execute its ransomware attacks. Beginning its nefarious activities as early as March 2023, Rhysida masquerades as a cybersecurity ally offering assistance to identify security vulnerabilities within victim networks. However, this facade quickly gives way to malicious intent as the group resorts to double extortion tactics, leveraging both encryption of data and the threat of exposing sensitive information to coerce victims into paying ransom demands in Bitcoin.

Operating with a clear focus on financial gain, Rhysida’s modus operandi involves utilizing phishing attacks for initial access, followed by the deployment of tools like Cobalt Strike for lateral movement across infected machines. Notably, the group has demonstrated adaptability as evidenced by the incorporation of PowerShell variants and the use of tools like PsExec to terminate antivirus programs enhancing the effectiveness of its attacks.

As Rhysida ransomware continues to evolve, its threat extends into critical sectors such as healthcare as highlighted by alerts issued by organizations like the Health Sector Cybersecurity Coordination Center (HC3) and the Cybersecurity and Infrastructure Security Agency (CISA). These alerts underscore the group’s aggressive targeting of healthcare providers and hospitals, emphasizing the urgent need for enhanced cybersecurity measures within these sectors.

Moreover, the collaboration between different cybersecurity entities reveals a concerning trend of overlap in tactics, techniques, and procedures (TTPs) between Rhysida and other ransomware groups like Vice Society. This convergence further amplifies the threat landscape, necessitating proactive measures and heightened vigilance from organizations to defend against evolving ransomware threats and mitigate potential impacts on critical infrastructure and sensitive data.

Ransom note:

Impact

• Financial Loss
• Sensitive Data Theft
• File Encryption

Indicators of Compromise

MD5

• 0c8e88877383ccd23a755f429006b437
• 1e256229b58061860be8dbf0dc4fe67e
• 59a9ca795b59161f767b94fc2dece71a
• 7dd4de113a97c638518f01760ff4f03c
• 32feec1f356e761c87e96c9ed11d6943
• a4cecd37605481ec71cf1f94ff8f131b

SHA-256

• a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6
• d5c2f87033a5baeeb1b5b681f2c4a156ff1c05ccd1bfdaf6eae019fc4d5320ee
• 250e81eeb4df4649ccb13e271ae3f80d44995b2f8ffca7a2c5e1c738546c2ab1
• 2c5d3fea7ad3c9c49e9c1a154370229c86c48fbaf7044213fd85d31efcebf7f6
• 7ae426972da219fba2bb0a23b1f43d394a499da4c744a00eca80062aeba81de2
• 35242021013c58d185decee8288f897349b02ee4596c3bb2e686de5799b4dfc8

SHA-1

• 69b3d913a3967153d1e91ba1a31ebed839b297ed
• 338d4f4ec714359d589918cee1adad12ef231907
• b07f6a5f61834a57304ad4d885bd37d8e1badba8
• 39649fa040a3c6894758016a65afec7b6acd4017
• df96143540d36edf1b9d9d25d91778855cafa8a6
• a1034cdc499b4c551e43bc259d10928d75293214

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Regularly back up critical data and systems. In the event of a successful attack or compromise, having recent backups can help you restore operations and minimize data loss.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.