A new ransomware group named Rhysida has emerged in the cyber threat landscape, targeting various organizations between 23 May 2023 and 4 June 2023. The group has already made its presence known by naming multiple victims, including a Martinican government authority, a Swiss chemical manufacturing company, an Australian medical device manufacturing company, and a school in the UK.

The Rhysida ransomware group follows a common modus operandi seen in similar attacks.


They utilize a dedicated leak site (hxxp://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad[.]onion/) to publicly name their victims and release sensitive data as a form of pressure. Screenshots of passports and file trees containing personally identifiable information (PII) and internal data have been shared on their dedicated leak site.


It has been reported that the Rhysida ransomware group drops a PDF file named CriticalBreachDetected.pdf containing a unique token ID that victims use to access a contact form hosted on a .onion site and engage with the operators. This allows the group to establish communication and negotiate ransom payments.


Despite being a relatively new group, Rhysida has already gained attention within the cybersecurity community. Analysis of its payloads (a 1.2 MB sample was written in C++ and compiled with MinGW) suggests that the group is still in the early stages of development: some commodity features are missing and the background image-replacement function does not work properly. This indicates that the group is actively evolving and refining its techniques.

Indicators of Compromise

SHA256
a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6
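A defender-side sweep for the two indicators this post gives (the payload SHA256 above and the CriticalBreachDetected.pdf ransom-note filename), added here as an example and not code from the original post or from any vendor tooling; the directory layout and the constructed hash used in testing are assumptions, and a filename match is a weak signal that warrants triage rather than proof of infection.

```python
"""Sweep a directory tree for the Rhysida indicators published above:
the payload SHA256 and the ransom-note filename CriticalBreachDetected.pdf."""
import hashlib
import os
from typing import Dict, Iterator, List, Set

# SHA256 of the Rhysida payload from the IoC section of this post.
RHYSIDA_SHA256: Set[str] = {
    "a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6",
}
# Ransom-note filename reported for Rhysida (matched case-insensitively).
RANSOM_NOTE_NAME = "criticalbreachdetected.pdf"


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def iter_files(root: str) -> Iterator[str]:
    """Yield regular files under root without following symlinks."""
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                yield path


def sweep(root: str, hashes: Set[str] = RHYSIDA_SHA256) -> List[Dict[str, str]]:
    """Return one finding per matched indicator: {'path', 'indicator', 'value'}."""
    findings: List[Dict[str, str]] = []
    for path in iter_files(root):
        name = os.path.basename(path)
        if name.lower() == RANSOM_NOTE_NAME:
            findings.append({"path": path, "indicator": "ransom_note", "value": name})
        try:
            digest = sha256_of_file(path)
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole sweep
        if digest in hashes:
            findings.append({"path": path, "indicator": "sha256", "value": digest})
    return findings


if __name__ == "__main__":
    import sys
    for f in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['indicator']}\t{f['path']}\t{f['value']}")
```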