Fortinet Presents An In-Depth View of a Rhysida Intrusion
Greater insights into the capabilities and activities of the Rhysida ransomware-as-a-service (RaaS) were also put into focus by researchers from Fortinet's Managed Detection and Response team (MDR). Recently featured in CISA's #StopRansomware advisory, the ransomware gang has accumulated over 50 victims on its data leak site. With data as of October 9th, 2023, Fortinet's analysis of the victims reveals that the Rhysida ransomware gang has predominantly targeted organizations in the United States, Germany, France, Italy, and England. Across various industries, the Rhysida ransomware demonstrates a broad impact, with notable victim counts in education, manufacturing, technology, government, and construction, ranking them as the top five targeted sectors.
An attack orchestrated by Rhysida in July 2023 provided valuable insights into the operational capabilities of the Rhysida operators. Notably, their assault on a U.S. educational institution lacked advanced Tactics, Techniques, and Procedures (TTPs), with Fortinet's report highlighting that the actors were "able to achieve their outcomes using exclusively unsophisticated, known TTPs." The attack unfolded over four days; the first signs were three detected suspicious credential access attempts, involving Windows Task Manager (taskmgr.exe) and ProcDump attempting to dump LSASS memory. Additionally, the attackers attempted to access the Windows Security Account Manager (SAM). Upon identifying these activities, the affected organization sought assistance from Fortinet's Managed Detection and Response (MDR) team.
Fortinet's subsequent investigation unveiled that the incident originated from the use of compromised credentials to establish a Remote Desktop Protocol (RDP) session, accessing a SonicWall VPN. The use of compromised credentials is supported by the absence of brute-force activity in the logs. The exact timeline and methods the attackers employed to obtain these credentials remain unknown, with Fortinet suggesting the possibility of collaboration between the ransomware actors and Initial Access Brokers (IABs). This initial RDP connection occurred on what Fortinet documents as Day 1 and was followed by a period of downtime.
Activity resumed on Day 3, encompassing the alerted credential access activity and other notable actions, including creating a copy of the Active Directory database, network reconnaissance aided by the Advanced Port Scanner tool, and abusing the Volatility tool to obtain credentials from a memory dump. Tools deployed included various PowerShell scripts, PsExec, PuTTY, AnyDesk, and WinSCP, along with various LOLBins such as nslookup, rundll32 to execute a malicious DLL, and schtasks to maintain persistence. Rhysida operators partially fulfilled their objective by exfiltrating data, encrypting unprotected ESXi servers, and attempting to propagate their ransomware throughout the network. Fortinet's EDR, although not fully deployed on every endpoint, successfully thwarted ransomware execution attempts on protected hosts. In contrast, unprotected hosts fell victim to encryption, had backups deleted, and displayed the ransom note.
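The Day 3 activity above is almost entirely visible in ordinary endpoint telemetry. The following added example (not code from Fortinet's report) shows how a defender might triage Sysmon-style events for the TTPs named here: non-allowlisted processes opening LSASS (ProcDump, Task Manager), rundll32 loading a DLL from a user-writable path, schtasks persistence, and LOLBin recon such as nslookup. The event records and field names are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style events: id 1 = process create, id 10 = process access.
# Illustrative samples only, not telemetry from the Fortinet report; field names are assumptions.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "10", "host": "ws07", "source": r"C:\Tools\procdump64.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
    {"id": "10", "host": "ws07", "source": r"C:\Windows\System32\taskmgr.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
    {"id": "10", "host": "ws07", "source": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\System32\lsass.exe"},  # legitimate LSASS access, should not alert
    {"id": "1", "host": "ws07", "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Public\update.dll,Run"},
    {"id": "1", "host": "ws07", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /create /sc onstart /tn SysHelper /tr C:\Users\Public\svc.bat /ru SYSTEM"},
    {"id": "1", "host": "ws07", "image": r"C:\Windows\System32\nslookup.exe",
     "cmd": "nslookup dc01.corp.local"},
    {"id": "1", "host": "ws07", "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe notes.txt"},  # benign noise, should not alert
]

# System processes that legitimately open LSASS; anything else doing so deserves a ticket.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
# Directories a low-privileged user can write to; DLLs/scripts run from here are suspicious.
USER_WRITABLE = re.compile(r"(\\users\\|\\programdata\\|\\temp\\)", re.I)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Map each event to the Rhysida TTP it resembles; returns one finding per hit."""
    findings = []
    for ev in events:
        if ev["id"] == "10" and basename(ev["target"]) == "lsass.exe":
            src = basename(ev["source"])
            if src not in LSASS_ALLOWLIST:  # ProcDump / Task Manager style credential dumping
                findings.append({"rule": "lsass_access", "severity": "high", "host": ev["host"], "proc": src})
        elif ev["id"] == "1":
            img, cmd = basename(ev["image"]), ev["cmd"].lower()
            if img == "rundll32.exe" and USER_WRITABLE.search(cmd):  # malicious DLL via LOLBin
                findings.append({"rule": "rundll32_user_path_dll", "severity": "high", "host": ev["host"], "proc": img})
            elif img == "schtasks.exe" and "/create" in cmd and USER_WRITABLE.search(cmd):  # persistence
                findings.append({"rule": "schtasks_persistence", "severity": "high", "host": ev["host"], "proc": img})
            elif img == "nslookup.exe":  # low-severity recon signal, useful for correlation
                findings.append({"rule": "lolbin_recon", "severity": "low", "host": ev["host"], "proc": img})
    return findings
```

Run on the constructed events, `triage` returns four high-severity findings and one low-severity recon hit while ignoring the csrss.exe and notepad.exe events.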
Fortinet's analysis underscores Rhysida's capability to utilize unsophisticated TTPs for critical security breaches, emphasizing the significance of preventing abuse of valid accounts for initial access. The report highlights the ransomware operators' adept use of versatile LOLBins and commonly used signed tools to accomplish their objectives against target organizations.