Investigating the New Rhysida Ransomware

    Posted by HSSL Technologies on Dec 5th 2023

    The goal of the FortiGuard IR team is to provide organizations with valuable insights from threat analysis to bolster their security posture. We recently conducted a comprehensive analysis of an incident involving the Rhysida ransomware group, shedding light on their operations, tactics, and impact, including a novel technique involving ESXi-based ransomware.


    The Rhysida Ransomware Group

The Rhysida group was first identified in May 2023, when they claimed their first victim. This group deploys a ransomware variant known as Rhysida and also offers it as Ransomware-as-a-Service (RaaS). The group has listed around 50 victims so far in 2023.

The investigation conducted by the FortiGuard IR team and the FortiGuard MDR team uncovered some of the techniques and tools used by Rhysida:

    The initial detection was identified by the FortiGuard MDR team. The threat actor was observed accessing systems in a victim's network and attempting to create memory dumps and gather user data. FortiEDR detected these events, allowing the MDR team to analyze them further.

    Following the initial detection and triage, the FortiGuard IR team was engaged to conduct a complete analysis.


    Attack Details

The threat actors abuse legitimate software such as PowerShell to gain information about users and systems within the network, PsExec to schedule tasks and make changes to registry keys to maintain persistence, AnyDesk for remote connections, and WinSCP for file transfers. The threat actors also attempt to exfiltrate data from various systems using MegaSync.
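As an added illustration (not code from the FortiGuard report or from this post), the following Python triage script flags process-creation events that match the legitimate tools named above, treating PowerShell as suspicious only when its arguments look like user or system enumeration. The event layout, hosts, users and paths are constructed assumptions for the example.

```python
import re

# Assumed simplified event layout (constructed for this example):
# "<timestamp>|<host>|<user>|<image path>|<command line>"
WATCHLIST = {
    "psexec":   "PsExec remote execution (task scheduling / registry changes)",
    "anydesk":  "AnyDesk remote access",
    "winscp":   "WinSCP file transfer",
    "megasync": "MegaSync cloud sync (possible data exfiltration)",
}
# PowerShell is flagged only when its arguments look like user/system enumeration.
PS_RECON = re.compile(r"Get-AD(User|Computer)|Get-LocalUser|net\s+(user|group)|whoami", re.I)


def parse_event(line):
    """Split one pipe-delimited event; the image is reduced to its lowercase basename."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user,
            "image": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}


def classify(event):
    """Return a reason string if the event matches a Rhysida-style tool use, else None."""
    for needle, reason in WATCHLIST.items():
        if needle in event["image"]:
            return reason
    if event["image"] in ("powershell.exe", "pwsh.exe") and PS_RECON.search(event["cmdline"]):
        return "PowerShell user/system enumeration"
    return None


def triage(lines):
    """Return (host, user, image, reason) for every matching event, in log order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            hits.append((ev["host"], ev["user"], ev["image"], reason))
    return hits


# Constructed sample events; hosts, users and paths are invented, not from the incident.
SAMPLE_LOG = [
    r"2023-11-01T02:14:07|SRV-FS01|CORP\svc-backup|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Get-ADUser -Filter *",
    r"2023-11-01T02:15:30|SRV-FS01|CORP\svc-backup|C:\Tools\PsExec64.exe|PsExec64.exe \\WS-042 -s cmd",
    r"2023-11-01T02:20:11|WS-042|CORP\jdoe|C:\Program Files\WinSCP\WinSCP.exe|WinSCP.exe",
    r"2023-11-01T02:22:45|WS-042|CORP\jdoe|C:\Users\jdoe\AppData\Local\MEGAsync\MEGAsync.exe|MEGAsync.exe",
    r"2023-11-01T02:30:00|WS-042|CORP\jdoe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -File C:\Scripts\nightly.ps1",
    r"2023-11-01T02:31:00|WS-042|CORP\jdoe|C:\Windows\explorer.exe|explorer.exe",
]
```

Calling `triage(SAMPLE_LOG)` returns four hits (the enumeration PowerShell call, PsExec, WinSCP and MEGAsync) and leaves the scripted PowerShell run and Explorer unflagged; in practice the same logic runs over EDR or Sysmon process-creation telemetry.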

The report also covers the additional malware the FortiGuard IR team identified, along with a technique we don't often see: the group deployed both Windows and Linux binaries.

Restricting Veeam access to only designated machines hindered the threat actors from gaining access to the backup files. Moreover, the prudent management of passwords for vSphere fortified the victim's defense. The Rhysida ransomware group is known to target vSphere and look for credentials, so the safeguards that the victim implemented were vital to preventing widespread ransomware deployment across the virtual infrastructure.

Staying informed on the landscape of cyber threats is critical. This analysis of the Rhysida group serves as a valuable resource for organizations. By uncovering motives and impact, the FortiGuard IR team's findings can guide proactive strategies.
