Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Oct. 10, 2024, 8:43 a.m.
Description
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification, averaging 30 days before their appearance on extortion sites. CleanUpLoader, a backdoor associated with Rhysida, is often distributed as fake software installers for popular applications, signed with valid digital certificates. The analysis demonstrates the potential for early ransomware activity detection using network intelligence, applicable to various ransomware groups with detectable infrastructure.
Tags
Date
- Created: Oct. 10, 2024, 8:17 a.m.
- Published: Oct. 10, 2024, 8:17 a.m.
- Modified: Oct. 10, 2024, 8:43 a.m.
Indicators
- fd22df004b61809b110c6b4cbc9ddeb6df31edaa1f889ed501b4d516869e1efb
- f066cff7172a39cf7910142687ec877f428b4a352e16077a2fea712c525e932c
- e60cab41b7602209c1660bc518b1f7b639ab45e60bbedf3b23757e4937c24fc4
- e45802322835286cfe3993fe8e49a793acd705755d57d8fc007341bf3b842518
- e1be0e3707f67d03eaa8ac4b14b8b7cd7fc665f13a15aa8087b34cbde07116fd
- d9ffcca98671ccb2ff42d26d98be3b30b636930cc63149895b842f834871ebe3
- d80239bb3299b1086f2ad5fc4690973604a770aafc84d21fecf0ae8004be9750
- d7ba9881345d71862a68080d210643e2c2d3e17fd13065385edcd3b3391898c3
- d4e4deab561d478084ac29751e5073de9b7ffd55fa8b408c5c76fedd3fe02f6c
- d40461331f4511c27611f6cba2af831aaa0789990c8387f6ec7bc0bf54b10961
- cfe29f17a6a3df92015c8fc4c3d1365b40ab174322791c3643ed6480c1fb4349
- c2e7bf349214d1241cecd30748d392d9b585186fe5d38ec4b2b3d3304be206a3
- c095497d1144ceca4cbbbeda19952322aa001e61318d6eecd4e97002f3cfc9aa
- bd5a37a8d2cdc44d60e5f550eb02e84fe41e380c341c404a4ffb71f9fc057e4a
- bb07c89e9eb29817ca8a70f7c9430d5f4ad82eb525472abe8bad1b161a702584
- ae939063c8f4ed91848fbdeff3ac98c17b404649706d7a3805c05e686b2e478c
- a2263d2af40140370f687f4936ef65b82d5f6c85df9e22dfc05ff677f8650ae1
- 8bae0fa9f589cd434a689eebd7a1fde949cc09e6a65e1b56bb620998246a1650
- 8372b173704cf8d8737e426b34efd43fba74c4fcb0a248f6ce72682ebc0bd916
- 72c7e22177b612254f40c5b5bc1555b5dca86e2e15e0f48551c946972160c2c5
- 687459d587df273184469f7e707c0e5db8fe4e3d4b15756d666891127851680b
- 64a45cc8499992de72e4fe8c2a07100e97e333c09c0c004af2b88d8aedcd19f1
- 5c68fda16039ff29e9bf93c6dac11edbcd111dc8ec29fa499637c43b07039d92
- 59f9929ed207c31b1d1cdf149ae3bea5d1187453574b405639bbac240ea1b693
- 47e95a56736031567b2a1663410e635627ca812a2926b37f46f2322bbcbc0238
- 4adfdd5d066fb1f880f02fdd0118095afdf60d644c5df79f43935cfc3b80640e
- 47975a0d9299ba46e2f313c6bc9a47a760c3243509660b9edb83ffbd47e3a98b
- 405486ac746e7dfea797c676ede336fde69cf19cd4249e6d2d8a4d9483617cfe
- 34605c0dfbabf7ce8836091dc760a073da37f1ab35ef3e33f13117bcf044d07e
- 2261bce086869cb90502272e933f1f356adc886dd8da83e5197923546827f43e
- 2660e5a5b38f32e30293b51e6bb7a2e43caca9d4a17619e17c7fbe93f08c0e26
- 0e8837be7802d9cbc0bf01b7701dcc37f906e075c5cbfbe45804f72eaf624756
- 0cace05e3f256ad430fa6e5b42763c977f3b6e19b6a4e18e717a9c209cf2ddc1
- 0b2fc17409949fead98cac2eeb41442dc394225b8b4025c4f6101b73b515d09b
- 094b9b61f910f45b9896d249e18eec653370da3e80a05f7a86cef57170340f87
- 0851fd5671640a9acaf688e2886570759364135915f272d4ff7946fe001b3f4c
- 077f1659add338e217216acd6f284634977c507f5e2df5ac0e08bcadaef8fd64
- 06dec1d05b77f765b9d12c223d4b7887dc0a526e8d8a790bd2b99346619dc837
- 05ab428fc0b171957e9144351a7480cfea2f617f20dd23c145736bd0a22eb041
- cfc2fe7236da1609b0db1b2981ca318bfd5fbbb65c945b5f26df26d9f948cbb4
- 9601f3921c2cd270b6da0ba265c06bae94fd7d4dc512e8cb82718eaa24accc43
- 82b246d8e6ffba1abaffbd386470c45cef8383ad19394c7c0622c9e62128cb94
- 574c70e84ecdad901385a1ebf38f2ee74c446034e97c33949b52f3a2fddcd822
- a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6
- 67.217.228.171
- 67.217.228.136
- 67.217.228.11
- 64.95.13.98
- 64.95.13.77
- 64.94.84.61
- 45.66.248.78
- 51.195.232.46
- 45.61.136.85
- 45.61.136.244
- 45.61.136.48
- 216.245.184.129
- 213.109.202.161
- 206.71.149.46
- 193.149.190.10
- 162.33.179.46
- 162.33.179.222
- 162.33.178.137
- 162.33.178.83
- 162.19.237.181
- 149.248.78.182
- 141.255.166.66
- 139.99.221.140
- 206.166.251.114
- 149.248.79.62
- 64.95.10.243
- 91.240.118.215
- siskollew@onionmail.org
- kimigleason@onionmail.org
- estelaosinski@onionmail.org
- zoom-video.org
- webex-up.com
- time-check-broker.com
- postmastersoriginals.com
- pixalate.us
- ns-client.net
- nnlcrosaftteams-download.pro
- microssoft-teams.com
- microsoftt-teams.com
- microsoftt-teams-download.com
- metalforthecoredream.com
- itisthebestforyou.eu
- heartwithinadream.com
- gang-force.com
- firscountryours.eu
- docsfromthewest.com
- crystal-maker.com
- crystalmaker.pro
- codeforprofessionalusers.com
- buydotclearlynet.com
- backuppingplanseasy.com
- auttodessk.com
- autosdesk.net
- aut0deskk.com
- whereverhomebe.com
- prodfindfeatures.com
- micrsoft-teams-download.com
- yourserenahelpcustom.uk
- supfoundrysettlers.us
- retdirectyourman.eu
- lakeshorehomebuilders.com
- basiconlineincome.com
Attack Patterns
- PortStarter
- ChrGetPdsi
- CleanUpLoader
- Rhysida
- Rhysida
- T1583.001
- T1588.004
- T1587.001
- T1583.004
- T1078.003
- T1053.005
- T1583.003
- T1059.001
- T1566.002
- T1204.002
- T1486
- T1203
- T1041
- T1068