Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis

Oct. 10, 2024, 8:43 a.m.

Description

Insikt Group mapped Rhysida's complex infrastructure, which comprises typo-squatted domains used for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and a Zabbix monitoring server. Visibility into this multi-tiered setup enabled early identification of victims, on average 30 days before they appeared on the group's extortion sites. CleanUpLoader, a backdoor associated with Rhysida, is commonly distributed as fake installers for popular software, signed with valid digital certificates. The analysis demonstrates that ransomware activity can be detected early through network intelligence, an approach applicable to any ransomware group whose infrastructure is observable.

Date

Published: Oct. 10, 2024, 8:17 a.m.

Created: Oct. 10, 2024, 8:17 a.m.

Modified: Oct. 10, 2024, 8:43 a.m.

Indicators

Attack Patterns

PortStarter

ChrGetPdsi

CleanUpLoader

Rhysida

T1583.001

T1588.004

T1587.001

T1583.004

T1078.003

T1053.005

T1583.003

T1059.001

T1566.002

T1204.002

T1486

T1203

T1041

T1068