The Rhysida ransomware group was first revealed in May this year, and since then has been linked to several impactful intrusions, including an attack on the Chilean Army. Recently the group was also tied to an attack against Prospect Medical Holdings, affecting 17 hospitals and 166 clinics across the United States. After this attack, the US Department of Health and Human Services defined Rhysida as a significant threat to the healthcare sector.
While responding to a recent Rhysida ransomware case against an educational institution, the Check Point Incident Response Team (CPIRT), in collaboration with Check Point Research (CPR), observed a set of unique Techniques, Tactics and Tools (TTPs). During our analysis, we identified significant similarities to the TTPs of another ransomware group – Vice Society. Vice Society was one of the most active and aggressive ransomware groups since 2021, mostly targeting the education and healthcare sectors. For example, Vice Society was responsible for the attack against the Los Angeles Unified School District.
As a connection between Vice Society and Rhysida was suggested recently, we bring forth technical evidence to strengthen the connection. Our analysis shows both a technical similarity between the two groups, and a clear correlation between the emergence of Rhysida and the disappearance of Vice Society. In addition, the two groups share a focus on two main sectors which stand out in the ransomware ecosystem: education and healthcare.
As Vice Society was observed deploying a variety of commodity ransomware payloads, this link does not suggest that Rhysida is exclusively used by Vice Society, but shows with at least medium confidence that Vice Society operators are now using Rhysida ransomware.
As the Rhysida ransomware payload was thoroughly analyzed before, we will focus on the TTPs leading to its deployment, specifically on Lateral Movement, Credential Access, Defense Evasion, Command and Control, and Impact.
Based on the evidence we have, the time to ransom (TTR) of the actors employing Rhysida ransomware is relatively low. It has been eight days from the first signs of lateral movement to the widespread ransomware deployment.
The attackers used a variety of tools to perform lateral movement, including:
- PsExec.exe -d \VICTIM_MACHINE -u “DOMAIN\ADMIN” -p “Password” -s cmd /c COPY “\path_to_ransomware\payload.exe” “C:\windows\temp”
- PsExec.exe -d \VICTIM_MACHINE -u “DOMAIN\ADMIN”” -p “Password” -s cmd /c c:\windows\temp\payload.exe.
Most notably, the threat actor used ntdsutil.exe to create a backup of NTDS.dit in a folder name temp_l0gs. This path was utilized by the actor multiple times. In addition to those, the threat actor has enumerated Domain Administrator accounts and attempted to log in using some of them.
Command and Control
The threat actors have utilized several backdoors and tools for persistence, including:
- here) which maintains persistence by installing a registry run key named socks to execute the script on startup. The implant reaches out to 5.255.103[.]7.
- Windows Update to allow outbound traffic to another server, 5.226.141[.]196.
Throughout the activity, the threat actors consistently deleted logs and forensic artifacts following their activity. This includes:
Following RDP sessions, the threat actor also deleted RDP-specific logs by:
- HKCU:\Software\Microsoft\Terminal Server Client” in the Windows Registry, and for each subkey, removing the “UsernameHint” value if it exists.
- \Default.rdp from the users’ Documents folder.
On the day of ransomware deployment, the threat actor utilized the access provided by AnyDesk to widely deploy the ransomware payload in the environment using PsExec:
- wmic.exe and vssadmin.exe.
Throughout our analysis of Rhysida ransomware TTPs and infrastructure, we found several similarities to another infamous ransomware group: Vice Society, which was observed changing ransomware payloads over time. A possible link between Vice Society and Rhysida has been recently suggested. Here we will present additional evidence supporting this claim.
Techniques, Tools and Infrastructure
Many of the techniques described above are highly correlated with previous Vice Society intrusions as described by Microsoft and Intrinsec. Some of them might appear quite generic for Ransomware operators, but were utilized in very specific ways, including specific paths, which are not common:
- temp_l0gs. The same path was reported to be used by Vice Society.
- New-NetFirewallRule named Windows Update to facilitate traffic relaying using SystemBC, a commodity malware. SystemBC was executed through the registry Run key, stored under the value socks.
In addition to technical similarity, there is also a correlation between the emergence of Rhysida and a significant decline in Vice Society activity. Based on information from both Rhysida and Vice Society leak sites, we constructed a timeline displaying extortion announcements of the two groups.
Ever since Rhysida first appeared, Vice Society has only published two victims. It’s likely that those were performed earlier and were only published in June. Vice Society actors stopped posting on their leak site since June 21, 2023.
In addition, we also noticed similarities in the targeted sectors affected by the two groups, who are well known for targeting the education and healthcare industries. The high portion of victims in the education industry stands out as unique for both groups in the entire ransomware ecosystem:
Figure 2 – Distribution of Rhysida victims per industry sector
Figure 3 – Distribution of Vice Society victims per industry sector
Our analysis of Rhysida ransomware intrusions reveals clear ties between the group and the infamous Vice Society, but it also reveals a grim truth – the TTPs of prolific ransomware actors remain largely unchanged. Major portions of the activity we’ve observed could have been used, and have been used, to deploy any ransomware payload by any ransomware group.
This highlights the importance of understanding not just the operation of a ransomware payload, but the entire process leading to its deployment. From the usage of remote management tools such as AnyDesk to the deployment of ransomware through PsExec, threat actors leverage a variety of tools to facilitate such attacks. Closely monitoring the activity of those could help in preventing the next ransomware attack.
Check Point Software customers remain protected against Rhysida ransomware.
Check Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics and file types and is protecting against the type of attacks and threats described in this report.