- Ransomware Spotlight: Rhysida
This section discusses Trend Micro™ Smart Protection Network™ data on Rhysida’s attempts to compromise organizations. Although Rhysida activity was first spotted in May 2023, these detections were collected from January 2023 to January 2024 and pertain only to Trend customers. In this period, Rhysida attack attempts climbed steadily, peaking in December 2023 before a steep decline the following month.
Jordan topped the list of Rhysida attack detections at 24.5%, with the United States and Indonesia following at 16% and 11.7%, respectively. Taiwan and Singapore rounded out the top five countries targeted by Rhysida over this period of activity.
Based on feedback from Trend customers who specified their industries, the cybercriminals behind the Rhysida ransomware set their sights on many healthcare organizations, with these attack attempts composing 4.8% of total detections. Rhysida also targeted enterprises in the manufacturing and finance industries.
This section examines data observed on the Rhysida ransomware's leak site from June 7, 2023 to Jan. 13, 2024. Based on Trend’s open-source intelligence (OSINT) research and our investigation of the leak site within this period, the Rhysida ransomware compromised a total of 71 organizations that refused to pay the ransom demand as of this writing.
European organizations made up the lion's share of victims identified in Rhysida’s leak site at 46.5%, followed by 23.9% of organizations that were operating from North America. Those in the Middle East were also at the receiving end of Rhysida attacks at 9.9%.
Figure 4. The distribution by region of Rhysida ransomware’s victim organizations (June 7, 2023 – Jan. 13, 2024)
Sources: Rhysida ransomware’s leak site and Trend’s OSINT research
However, the United States topped the list of countries targeted by Rhysida attacks, composing 22.5% of the victim organizations. Those from the United Kingdom accounted for 14.1% of Rhysida victims, while organizations based in Italy made up 9.9%.
Figure 5. The distribution by country of Rhysida ransomware’s victim organizations (June 7, 2023 – Jan. 13, 2024)
Sources: Rhysida ransomware’s leak site and Trend’s OSINT research
According to the leak site data, academia was the industry most heavily targeted by Rhysida ransomware attacks, at 35.2%. Healthcare organizations and the government sector were also affected, at 12.7% and 11.3%, respectively.
Figure 6. The distribution by industry of Rhysida ransomware’s victim organizations (June 7, 2023 – Jan. 13, 2024)
Sources: Rhysida ransomware’s leak site and Trend’s OSINT research
Rhysida focused primarily on small businesses with one to 200 employees, which made up more than half of the targeted organizations at 53.5%. Mid-sized businesses were a distant second at 21.1%, with enterprises trailing behind at 14.1%.
Figure 7. The distribution by organization size of Rhysida ransomware’s victim organizations (June 7, 2023 – Jan. 13, 2024)
Sources: Rhysida ransomware’s leak site and Trend’s OSINT research
The Windows version avoids encrypting directories with these strings in their file path:
The Linux version avoids encrypting directories with these strings in their file path:
The Linux version avoids encrypting this file:
The Windows version avoids encrypting files with the following extensions:
The Linux version avoids encrypting files with the following extensions:
Figure 9. Rhysida ransomware’s ransom note
Persistence | Defense Evasion | Discovery | Impact |
---|---|---|---|
T1053.005 - Scheduled Task/Job: Scheduled Task | T1070.004 - Indicator Removal: File Deletion | T1083 - File and Directory Discovery | T1486 - Data Encrypted for Impact |
 | T1222.002 - File and Directory Permissions Modification: It uses chmod to modify the permissions of the files it modifies to display the ransom note. | T1082 - System Information Discovery | T1490 - Inhibit System Recovery |
 | | | T1491.001 - Internal Defacement |
Trend Vision One customers can use the following hunting query to search for Rhysida ransomware within their system:
processCmd:"powershell.exe*\\*$\?.ps1" OR (objectFilePath:"?:*\\??\\psexec.exe" AND processCmd:"*cmd.exe*\\??\\??.bat")
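To show what the hunting query above actually fires on, here is an added stand-alone re-implementation (not Trend's code) run over constructed process events. The mapping of the query's wildcards to regex is an assumption: `*` is any run of characters, `?` a single character, `\\` one literal backslash, and matching is case-insensitive against the whole field value.

```python
import re

# Added example, not Trend's code. The three patterns are copied from the
# Vision One hunting query; how their wildcards translate is an assumption.
QUERY_POWERSHELL_CMD = r"powershell.exe*\\*$\?.ps1"
QUERY_PSEXEC_PATH = r"?:*\\??\\psexec.exe"
QUERY_CMD_BAT = r"*cmd.exe*\\??\\??.bat"


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate the query's glob-style pattern into an anchored, case-insensitive regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and pattern[i + 1:i + 2] == "\\":
            out.append(r"\\")  # '\\' in the query stands for one literal backslash
            i += 2
            continue
        if c == "*":
            out.append(".*")   # any run of characters
        elif c == "?":
            out.append(".")    # exactly one character
        else:
            out.append(re.escape(c))  # everything else (incl. a lone '\') is literal
        i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


P_POWERSHELL = wildcard_to_regex(QUERY_POWERSHELL_CMD)
P_PSEXEC = wildcard_to_regex(QUERY_PSEXEC_PATH)
P_CMD_BAT = wildcard_to_regex(QUERY_CMD_BAT)


def matches_rhysida_hunt(event: dict) -> bool:
    """Same boolean structure as the query: cmd OR (path AND cmd)."""
    cmd = event.get("processCmd", "")
    path = event.get("objectFilePath", "")
    return bool(P_POWERSHELL.match(cmd)) or (bool(P_PSEXEC.match(path)) and bool(P_CMD_BAT.match(cmd)))


# Constructed sample events (not real telemetry): 1 and 2 should fire, 3 and 4 should not.
SAMPLE_EVENTS = [
    {"id": 1, "processCmd": r"powershell.exe -ExecutionPolicy Bypass -File \\10.0.0.5\C$\a.ps1", "objectFilePath": ""},
    {"id": 2, "processCmd": r"cmd.exe /c C:\ab\cd.bat", "objectFilePath": r"C:\Users\Public\ab\psexec.exe"},
    {"id": 3, "processCmd": r"cmd.exe /c C:\ab\cd.bat", "objectFilePath": r"C:\Windows\System32\cmd.exe"},
    {"id": 4, "processCmd": r"powershell.exe -File C:\Scripts\backup.ps1", "objectFilePath": ""},
]


def hunt(events: list) -> list:
    """Return the ids of events the hunting logic flags."""
    return [e["id"] for e in events if matches_rhysida_hunt(e)]


if __name__ == "__main__":
    print("flagged event ids:", hunt(SAMPLE_EVENTS))  # → [1, 2]
```

Event 3 shows why the AND matters: a short-named .bat run by cmd.exe alone is not enough without the psexec.exe file path.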
[Table: Trend solutions by attack stage: Initial Access, Lateral Movement, Defense Evasion, Impact]
Although the Rhysida ransomware has kept a low profile so far, its ties to other ransomware groups and the ruse with which it lures in victims only stress the importance of staying vigilant in the face of insidious cyberattacks. The evolution of ransomware threats like Rhysida is a clarion call for organizations to bolster their security posture and develop a solid defense strategy. We list security best practices that businesses can adopt to better protect themselves and their data from the risk of Rhysida ransomware infection here:
A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.
The IOCs for the threat discussed in this article can be found here. Actual indicators might vary per attack.