Rhysida Ransomware, operating since December 2022, has garnered attention from the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). Both agencies have issued warnings about this ransomware, noting its unique capability to delete itself upon detection.
Kaspersky’s research reveals that Rhysida is equipped with an info stealer malware named Lumar. This malicious software is proficient in extracting sensitive information such as Telegram sessions, passwords, cookies, auto-fill data, desktop files, and even cryptocurrency from wallets. Notably, the malware, crafted in C++, demonstrates the ability to bypass detection, even on the latest Windows 11 operating systems. Additionally, Rhysida can encrypt Active Directories, demanding a ransom for decryption.
Fortra’s research delves deeper, identifying the malware-as-a-service team actively targeting healthcare companies and the prominent Chilean firm Grupo GTD. Beginning in September 2023, the hacking group expanded its operations to compromise data centers in education, manufacturing, IT, and government sectors, employing double extortion tactics.
Sophos draws parallels between Rhysida and Vice Society, noting similarities in their tactics. Vice Society is currently distributing the Nitrogen malware through Google Ads.
What sets Rhysida apart is its organizational structure. The ransomware group operates like an IT company, maintaining a structured employee base and following corporate-like hiring practices. They adhere to strict guidelines in concealing their operations from the public web, exclusively utilizing the Tor network for their activities.
