VTA-004458 – An Overview of the New Rhysida Ransomware
On August 3rd, a US healthcare company, Prospect Medical Holdings (PMH), was hit by a ransomware attack. This led the affected hospitals to shut down their networks to prevent the ransomware from spreading further.
It was later found that a ransomware gang known as “Rhysida” was responsible for the attack on PMH. The group claims to have stolen 1 TB of documents and a 1.3 TB SQL database from PMH containing 500,000 Social Security numbers, corporate documents, and patient records including personal information. Rhysida has threatened to sell the allegedly stolen data for 50 Bitcoins, worth around $1.3 million.
Rhysida gains initial access to networks through phishing, posing as a cybersecurity team that offers to help victims find weaknesses in their security infrastructure, networks and systems. Once inside a victim’s system or network, the operators use Cobalt Strike for lateral movement across the network and then PsExec to deploy PowerShell scripts and the Rhysida ransomware payload. The PowerShell script (g.ps1), identified as “Trojan.PS1.SILENTKILL.A”, disables antivirus processes on the system, modifies Remote Desktop Protocol configurations and changes Active Directory passwords. The ransomware uses a 4096-bit RSA key and AES-CTR to encrypt the victim’s files.
After the victim’s files have been encrypted, a ransom note is displayed to the user. Unlike other ransom notes, Rhysida’s note claims to come from a “cybersecurity team”, telling the user that their system has been compromised and that they must pay for a “unique key” in order to decrypt their files.
Technical Impact Analysis:
Loss of Confidentiality, Loss of Integrity
Business Impact Analysis:
Financial Damage, Privacy Violation, Reputation Damage
MITRE ATT&CK Tactics:
Defense Evasion, Impact, Initial Access, Lateral Movement
MITRE ATT&CK Techniques:
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1059.001 Command and Scripting Interpreter: PowerShell
T1053.005 Scheduled Task/Job: Scheduled Task
T1070.004 Indicator Removal: File Deletion
T1070.001 Indicator Removal: Clear Windows Event Logs
T1083 File and Directory Discovery
T1082 System Information Discovery
T1490 Inhibit System Recovery
T1486 Data Encrypted for Impact
T1491.001 Defacement: Internal Defacement
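To show how a defender could detect the chain described above (PsExec launching the PowerShell script, event log clearing, recovery inhibition) against the ATT&CK techniques listed, here is an added Python example that is not part of the original advisory. The Key=Value event format, the sample log lines and the shadow-copy form of T1490 are assumptions made for this example.

```python
"""Detection rules for the Rhysida chain above: PsExec-launched PowerShell
(T1059.001), Security log clearing (T1070.001) and recovery inhibition (T1490)."""
import re

# One event per line as "Key=Value" pairs (assumed simplified Sysmon/Security
# log export). Constructed sample telemetry, not real data from the incident.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Windows\\PSEXESVC.exe "
    "CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\\temp\\g.ps1",
    "EventID=1102 Channel=Security",  # written when the Security log is cleared
    "EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe "
    "ParentImage=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=vssadmin.exe delete shadows /all /quiet",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe CommandLine=notepad.exe",
]

# A value runs until the next " Key=" token or end of line, so CommandLine
# values may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Parse one Key=Value line into a dict."""
    return dict(FIELD_RE.findall(line))


def detect(event):
    """Return (technique, description) hits for a single parsed event."""
    hits = []
    eid = event.get("EventID")
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # PsExec runs its payload under the PSEXESVC.exe service; PowerShell
    # spawned from it with a .ps1 script (g.ps1 in this campaign) is a hit.
    if (eid == "1" and parent.endswith("\\psexesvc.exe")
            and image.endswith("\\powershell.exe") and ".ps1" in cmd):
        hits.append(("T1059.001", "PowerShell script launched via PsExec"))
    # Event ID 1102 is logged when the Security event log is cleared.
    if eid == "1102":
        hits.append(("T1070.001", "Windows Security event log cleared"))
    # Shadow-copy deletion is assumed here as the form T1490 takes.
    if (eid == "1" and image.endswith("\\vssadmin.exe")
            and "delete" in cmd and "shadows" in cmd):
        hits.append(("T1490", "Volume shadow copies deleted"))
    return hits


def scan(lines):
    """Run every rule over every line; returns a list of (technique, description)."""
    return [hit for line in lines for hit in detect(parse_event(line))]
```

Feeding a real export in the same shape into `scan` flags the three technique IDs in order and leaves the benign notepad event untouched.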
Indicators of Compromise:
SuperPRO’s Threat Countermeasures Procedures:
1. Keep all software and systems up to date with the latest patches and updates to minimize the risk of exploitation.
2. Provide cybersecurity awareness training to employees to educate them about the risks of phishing attacks and social engineering techniques.
3. Regularly back up critical data and ensure that backups are stored securely.
4. Employ strong security measures such as firewalls, intrusion detection systems, and antivirus software to detect and prevent unauthorized access and malware infections.
5. Divide your network into smaller, isolated segments, each with its own set of security controls. This helps to contain the impact of a potential breach and limits an attacker’s ability to move laterally.
6. Follow the principle of least privilege, granting access only to the resources and systems that are necessary for each user or system.
7. Deploy security tools such as SIEM (Security Information and Event Management) to detect and analyze network traffic.
8. Enforce strong access controls, including multi-factor authentication and strong passwords, to prevent unauthorized access to systems and resources.
9. Regularly perform penetration testing to identify any vulnerabilities or weaknesses in your network.
Contributed by: Sherman