Rhysida is a relatively new ransomware group operating as a RaaS (Ransomware-as-a-Service) provider. The corresponding ransomware is notable for its use of LibTomCrypt, a cryptographic library that gives attackers robust encryption methods and fast development. Rhysida appears to be written in C++ and compiled via MinGW; the payloads I’ve found are quite bulky in size (± 1.20 MB), probably due to the linked libraries. As already reported, this ransomware includes the open-source crypto library LibTomCrypt, which supports the implementation of various cryptographic functions and, more generally, allows the ransomware to work through effective cryptographic methods. It is also possible that the authors of Rhysida appreciated the fact that LibTomCrypt is written in C and can therefore be easily integrated.

Insights

Rhysida ransomware looks like a piece of malware with rather simple logic and, in some cases, poorly optimized code (in several cases some constructs are repeated back to back with the same logical conditions). Upon execution, the ransomware initializes several structures and acquires information about the machine it is running on.

Interestingly, the Rhysida variant under analysis seems designed to work on the basis of two parameters that can be specified at startup: directory and is_self_remove.

directory (-d) is used to specify the directory to encrypt (alternatively the ransomware will encrypt all logical drives from A to Z) while is_self_remove (-sr) is used to ensure the ransomware removes itself after the encryption process is complete. To successfully perform this action, Rhysida relies on the following PowerShell command

The ransomware encrypts the files using ChaCha20, and uses RSA-4096 to encrypt the ChaCha20 key. The construct where the cryptographic process is launched is a good opportunity to write a hunting rule:

rule Rhysida_Ransomware_87234_98244 {
    meta:
        author = "Emanuele De Lucia"
        hash1 = "250e81eeb4df4649ccb13e271ae3f80d44995b2f8ffca7a2c5e1c738546c2ab1"
        hash2 = "a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6"
        hash3 = "d5c2f87033a5baeeb1b5b681f2c4a156ff1c05ccd1bfdaf6eae019fc4d5320ee"
        tlp = "white"
        score = 80
    strings:
        $ = { 48 8B 40 [1] 0F B6 00 84 C0 75 [1] B9 [4] E8 [4] 48 89 85 [4] C7 85 [8] EB [1] 8B 95 [4] 48 8B 85 [4] 41 89 D0 48 8D 15 [4] 48 89 C1 E8 [4] 48 8B 85 [4] 48 89 C1 E8 [4] 83 85 [5] 83 BD [5] 7E [1] 48 8B 85 [4] 48 89 C1 E8 ?? ?? ?? ?? }
    condition:
        any of them
}

The setBG() function is responsible for changing the system wallpaper by executing a series of commands, as reported below:

Finally, the following are the file type extensions that the ransomware does not encrypt:

.bat, .bin, .cab, .cmd, .com, .cur, .diagcab, .diagcfg, .diagpkg, .drv, .dll, .exe, .hlp, .hta, .ico, .lnk, .msi, .ocx, .ps1, .psm1, .scr, .sys, .ini, .db, .url, .iso, .cab, .thumdb.

The following are the folders that Rhysida excludes from encryption:

\$Recycle.bin, \Documents and Settings, \PerfLogs, \Program Files, \Program Files (x86), \ProgramData, \Recovery, \System Volume Information, \Boot and \Windows.

Once the encryption is done successfully, the extension of the files changes to .rhysida.
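A triage sketch for incident responders, added here as an example and not part of the original analysis or of the ransomware's code: it labels paths from a host file listing against the exclusion lists and the .rhysida extension described above. That the marker is appended to the original file name, that folder exclusions apply to the first directory under the drive root, and that comparisons are case-insensitive are all assumptions.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Both lists are copied from the write-up above.
SKIPPED_EXTENSIONS = set(
    ".bat .bin .cab .cmd .com .cur .diagcab .diagcfg .diagpkg .drv .dll .exe "
    ".hlp .hta .ico .lnk .msi .ocx .ps1 .psm1 .scr .sys .ini .db .url .iso "
    ".thumdb".split()
)
SKIPPED_FOLDERS = {
    "$recycle.bin", "documents and settings", "perflogs", "program files",
    "program files (x86)", "programdata", "recovery",
    "system volume information", "boot", "windows",
}
MARKER = ".rhysida"


def classify(path: str) -> str:
    """Label one path from a host file listing.

    Assumed, not stated in the write-up: the marker is appended to the
    original name, folder exclusions match the first directory under the
    drive root, and comparisons are case-insensitive.
    """
    p = PureWindowsPath(path)
    dirs = (p.parts[1:] if p.anchor else p.parts)[:-1]
    top = dirs[0].lower() if dirs else ""
    marked = p.suffix.lower() == MARKER
    # For "a.docx.rhysida" the original extension is the suffix of the stem.
    ext = (PureWindowsPath(p.stem).suffix if marked else p.suffix).lower()
    excluded = top in SKIPPED_FOLDERS or ext in SKIPPED_EXTENSIONS
    if marked:
        # A marked file the variant should have skipped argues against it.
        return "inconsistent" if excluded else "encrypted"
    return "skipped" if excluded else "plaintext_in_scope"


def summarize(paths):
    """Count labels over a whole listing."""
    return Counter(classify(p) for p in paths)


# Constructed sample listing, not taken from a real incident.
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.rhysida",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Windows\System32\kernel32.dll",
    r"D:\share\installer\setup.EXE.rhysida",
    r"C:\Program Files\App\config.xml.rhysida",
]
```

Files labelled plaintext_in_scope point to an interrupted or directory-limited (-d) run, while inconsistent hits suggest the footprint does not match the variant analyzed here.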

Initial Access

Rhysida represents a relatively new threat in the ransomware landscape and, for this reason, information regarding its propagation methods is rather limited. However, it is possible to hypothesize that, at least in part, Rhysida’s affiliates rely on IABs (Initial Access Brokers) from which they buy RDP/VPN access, and then deliver the ransomware once the internal domain controller is reached. Other techniques potentially used to deliver Rhysida ransomware include password-spraying attacks, phishing, and direct compromise by affiliates using known vulnerabilities and the installation of commodity malware.

Attribution and Victimology

Rhysida seems to be a totally new trend in the ransomware threat landscape. However, some aspects point to the group’s need to develop their own ransomware quickly (such as using LibTomCrypt) while being confident that the file encryption solution was robust enough from the outset. All this (and other aspects still under analysis) suggests that Rhysida could in fact be a rebrand of an already known cartel and not a totally new group. This hypothesis is also supported by the fact that the group seems to be focused on specific target sectors, such as academic/educational (which could be very close to a group with already tested techniques).

Conclusions

In this post I have analyzed a new ransomware variant known as Rhysida. It is relatively new in the ransomware threat landscape. Although there is a public tendency to consider Rhysida as a totally new threat, some of its aspects (especially in the ecosystem that surrounds it) suggest a possible rebrand in progress by a group already in business. Rhysida appears to be targeting primarily academic/educational entities and analysis of its code suggests the need for rapid development as well as a sufficiently robust solution.

Indicators of Compromise

| Category | Type | Value |
|---|---|---|
| PAYLOAD | SHA256 | d5c2f87033a5baeeb1b5b681f2c4a156ff1c05ccd1bfdaf6eae019fc4d5320ee |
| PAYLOAD | SHA256 | a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6 |
| PAYLOAD | SHA256 | 250e81eeb4df4649ccb13e271ae3f80d44995b2f8ffca7a2c5e1c738546c2ab1 |