rhysida
Rhysida is a ransomware-as-a-service (RAAS) group that emerged in May 2023. The group utilizes a namesake ransomware through phishing attacks and Cobalt Strike to breach the targets' networks and deploy their payloads. The group threatens to publicly distribute exfiltrated data if the ransom is not paid, and it's worth mentioning that Rhysida is still in the early stages of development. The ransomware leaves PDF notes in the affected folders, instructing victims to contact the group through its portal, and payment is made via Bitcoin. After encryption, the ransomware appends the extension '.ryshida' to encrypted files. Source: https://github.com/crocodyli/ThreatActors-TTPs
- Public Sector
- Unspecified
- Construction
- TA0001Initial Access
- TA0002Execution
- TA0003Persistence
- T1547.001Registry Run Keys / Startup Folder
Persistence via registry run keys.
- TA0004Privilege Escalation
- TA0005Defense Evasion
- T1027Obfuscated Files or Information
Obfuscating files and information.
- T1036Masquerading
Masquerading malicious files.
- T1055Process Injection
Process injection for evasion.
- T1055.003Thread Execution Hijacking
Thread execution hijacking.
- T1497Virtualization/Sandbox Evasion
Evading virtualization/sandbox detection.
- T1564Hidden Artifacts
Hiding artifacts.
- T1564.004NTFS File Attributes
Using NTFS file attributes.
- T1620Reflective DLL Injection
Reflective DLL injection.
- TA0007Discovery
- T1010Application Window Discovery
Discovering application windows.
- T1057Process Discovery
Discovering running processes.
- T1082System Information Discovery
Discovering system information.
- T1083File and Directory Discovery
Discovering files and directories.
- T1497Virtualization/Sandbox Evasion
Detecting virtualization/sandbox.
- T1518.001Security Software Discovery
Discovering security software.
- TA0009Collection
- TA0010Exfiltration
- T1041Exfiltration Over C2 Channel
Exfiltrating data over C2 channel.
- TA0011Command and Control
- TA0040Impact
- T1486Data Encrypted for Impact
Encrypting data for impact.
- TA0042Resource Development
- TA0043Reconnaissance