Outmaneuvering Rhysida: How Advanced Threat Intelligence Shields Critical Infrastructure from Ransomware
Summary
Rhysida ransomware, first active in early 2023, relies on multi-tiered infrastructure and the CleanUpLoader backdoor for post-exploitation activity. Using Recorded Future's Network Intelligence, Insikt Group identified Rhysida victims an average of 30 days before they appeared on the group's public extortion site, a window in which ransomware deployment can still be prevented and damage contained. The infrastructure includes typosquatted domains, SEO poisoning to surface them in search results, and command-and-control (C2) servers used after initial compromise. CleanUpLoader, typically disguised as a software installer, gives Rhysida persistence and a channel for data exfiltration. Rhysida targets sectors such as healthcare and education, and its payloads cover both Windows and Linux systems.
Rhysida Ransomware Crawls into Systems with CleanUpLoader
Sophisticated ransomware groups such as Rhysida are significantly impacting organizations globally. The group has been active since January 2023 and has continuously evolved its tactics. Using CleanUpLoader for post-exploitation, Rhysida works its way into victim networks with the objective of exfiltrating data and then deploying ransomware.
In this detailed analysis, we will delve into how Rhysida uses its multi-tiered infrastructure and CleanUpLoader to execute ransomware attacks and how Recorded Future’s Network Intelligence has proven crucial in early detection.
Rhysida’s Attack Strategy
Like many modern ransomware groups, Rhysida uses a multi-tiered infrastructure to carry out its attacks. Insikt Group’s latest analysis, supported by Recorded Future’s Network Intelligence, reveals how Rhysida uses its infrastructure to execute the early phases of the attack.
By registering typosquatted domains that resemble popular software download sites, Rhysida tricks users into downloading trojanized files. The technique is particularly effective when paired with SEO poisoning, which pushes these domains up the search engine rankings so they appear to be legitimate download sources. When a user visits one of these domains, they are redirected to a payload server hosting CleanUpLoader, which the attacker then uses during the post-exploitation phase.
CleanUpLoader
CleanUpLoader is a versatile backdoor malware used by Rhysida in its attack campaigns. This malware was primarily seen delivered as fake installers for popular software, such as Microsoft Teams and Google Chrome, making it more likely that targets unknowingly install it. CleanUpLoader not only facilitates persistence but also enables Rhysida actors to exfiltrate valuable data before ransomware deployment.
With multiple C2 domains built into its configuration, CleanUpLoader ensures redundancy, allowing it to maintain operations even if one C2 server is taken offline. The backdoor communicates with its command-and-control (C2) servers via HTTPS.
Rhysida’s Victim Profile
Rhysida’s ransomware operations are global and span a wide range of sectors, with healthcare, education, government, and the wider public sector among its prime targets. These sectors are particularly exposed because they hold highly sensitive data and often operate with limited security resources.
High-profile breaches include the attack on King Edward VII’s Hospital in London in 2023, where Rhysida claimed to have stolen sensitive information from hospital staff and patients, including members of the British royal family. Additionally, attacks on the Chilean Army and the City of Columbus demonstrate Rhysida’s ability to infiltrate critical public sector infrastructures.
One of the group's distinguishing traits is its willingness to attack sectors that some ransomware operators have publicly claimed to avoid, including schools and hospitals. This signals a more ruthless approach from modern threat actors and shows that such self-imposed limits cannot be relied on.
Recorded Future’s Early Detection
The early detection capabilities of Recorded Future’s Network Intelligence have proven to be a game-changer in combating ransomware. Insikt Group found that Rhysida victims could be detected on average 30 days before they appeared on the group's public extortion site. Monitoring Rhysida’s infrastructure, including its typosquatting domains and CleanUpLoader C2 servers, made this detection possible.
This gap between initial infection and ransomware deployment gives defenders a critical window to respond. By identifying network communications and other indicators of compromise (IoCs) early, security teams can act before the attackers encrypt data or issue ransom demands.
Proactive Defense: Key Takeaways
Given the sophistication of Rhysida’s operations, defending against such ransomware requires a proactive and intelligence-driven approach. Recorded Future's Network Intelligence offers visibility into ransomware groups’ infrastructure, providing defenders with crucial insights into their tools, tactics, and procedures.
Here are key defensive strategies against Rhysida:
Advanced threat detection: Deploy the early indicators of compromise from threat intelligence as detection rules, both for file scanning on endpoints and for matching in network and proxy logs, so that CleanUpLoader delivery and C2 traffic are caught before encryption begins.
Network Intelligence: Use Recorded Future Network Intelligence, which combines Insikt Group's proactive discovery of adversary infrastructure with large-scale network traffic analysis, to detect exfiltration early and stop the intrusion before it escalates to ransomware.
User Training: Educate employees about malicious downloads, as these remain a primary method of infection.
Patch Management: Ensure all systems are updated with the latest security patches to prevent exploitation of known vulnerabilities.
Backups: Regularly back up critical data and ensure those backups are stored securely, preferably offline, to mitigate the impact of ransomware.
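The two detection points the report describes, lookalike software-download domains in the delivery chain and known indicator domains in network logs, can be hunted with the same log pass. The example below is added here and is not Recorded Future's or Insikt Group's code; the legitimate download hosts, the indicator watchlist (`example-c2.test` is a placeholder, not a real Rhysida IoC), and the proxy log lines are all constructed for illustration. It flags three typosquatting patterns (homoglyph substitutions such as `micros0ft`, a brand embedded in a longer label, and a brand used as a subdomain of an unrelated registrable domain) as well as exact or subdomain matches against the watchlist.

```python
"""Hunt proxy logs for typosquatted software-download domains and known IoC domains.

Added example, not from the report. LEGIT_HOSTS, IOC_DOMAINS and SAMPLE_LOG are
constructed/assumed inputs; adapt them to your own watchlists and log format.
"""
import re
from urllib.parse import urlsplit

# Assumed list of legitimate download hosts users are likely to search for.
LEGIT_HOSTS = {"microsoft.com", "google.com", "zoom.us", "notion.so", "anydesk.com"}

# Constructed indicator watchlist (placeholder domain, NOT a real Rhysida IoC).
IOC_DOMAINS = {"example-c2.test"}

# Constructed proxy log (Squid-like: epoch client method url status).
SAMPLE_LOG = """\
1717000001 10.0.0.12 GET https://www.microsoft.com/en-us/microsoft-teams/download-app 200
1717000002 10.0.0.12 GET https://micros0ft.download/TeamsSetup.exe 200
1717000003 10.0.0.23 GET https://google.com/chrome/ 200
1717000004 10.0.0.23 GET https://googlechrome-download.co/ChromeSetup.exe 200
1717000005 10.0.0.12 POST https://cdn.example-c2.test/api/v1/beacon 200
1717000006 10.0.0.31 GET https://zoom.us/download 200
1717000007 10.0.0.31 GET https://zoom.us.download-client.net/ZoomInstaller.exe 200
"""

LOG_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d+)$")

# Common digit-for-letter substitutions seen in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def parse_line(line):
    """Parse one log line into a dict with the URL's hostname, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def registrable(host):
    """Naive registrable domain: last two labels (assumes no multi-label suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize(label):
    return label.lower().translate(HOMOGLYPHS)


def levenshtein(a, b):
    """Edit distance, used to catch single-character near-misses of a brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(host):
    """Return (pattern, legit_host) if host imitates a legitimate download site, else None."""
    host = host.lower()
    if host in LEGIT_HOSTS or any(host.endswith("." + h) for h in LEGIT_HOSTS):
        return None  # the real site or one of its own subdomains
    reg = registrable(host)
    norm_sld = normalize(reg.split(".")[0])
    for legit in sorted(LEGIT_HOSTS):
        legit_sld = legit.split(".")[0]
        # Brand used as leading labels of an unrelated domain: zoom.us.download-client.net
        if host.startswith(legit + "."):
            return ("subdomain", legit)
        # Homoglyph or one-edit near-miss of the brand label (edit distance only for
        # brands of 5+ characters, short brands produce too many false positives).
        if norm_sld == legit_sld or (len(legit_sld) >= 5 and levenshtein(norm_sld, legit_sld) <= 1):
            return ("near-miss", legit)
        # Brand wrapped in extra words: googlechrome-download.co
        if legit_sld in norm_sld and len(norm_sld) > len(legit_sld):
            return ("embedded", legit)
    return None


def ioc_match(host):
    """Return the matching watchlist domain if host equals it or is a subdomain of it."""
    host = host.lower()
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan(log_text):
    """Return (client, host, pattern, reference) tuples for every suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ioc = ioc_match(rec["host"])
        if ioc:
            alerts.append((rec["client"], rec["host"], "ioc", ioc))
            continue
        look = lookalike_reason(rec["host"])
        if look:
            alerts.append((rec["client"], rec["host"], look[0], look[1]))
    return alerts


if __name__ == "__main__":
    for client, host, pattern, ref in scan(SAMPLE_LOG):
        print(f"{client} -> {host}: {pattern} ({ref})")
```

Run against real proxy or DNS logs, swap `IOC_DOMAINS` for the indicator feed you actually receive, and treat a lookalike hit followed by an `.exe` or `.msi` download as a high-priority lead: that pairing is the CleanUpLoader delivery pattern described above. The `registrable()` helper deliberately ignores multi-label public suffixes; use a public suffix list in production.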
Outlook
Rhysida ransomware presents a significant threat across industries, with its use of CleanUpLoader making its operations highly effective and difficult to detect. However, with early detection methods such as those provided by Recorded Future’s Network Intelligence, security teams can gain a crucial advantage, identifying victims well before ransomware deployment.
As ransomware threats continue to evolve, proactive monitoring of adversary infrastructure and the use of comprehensive intelligence solutions are essential in protecting organizations from devastating attacks. By understanding Rhysida’s tactics, security teams can implement more effective defensive strategies to mitigate the impact of this and other advanced ransomware families.
To read the entire analysis, click here to download the report as a PDF.