Rhysida Ransomware

Threat Landscape

On December 12th, 2023, Rhysida claimed to have breached and encrypted Insomniac Games of Burbank, California. The studio, founded in 1994 and currently owned by Sony Interactive Entertainment, is responsible for hits such as the recently released ‘Marvel’s Spider-Man’ series and the ‘Ratchet & Clank’ series.

The gang has set the price at 50 BTC with a time limit of 7 days.


The leak site lists the latest victims and lets a victim submit their token.


On November 15th, CISA.gov posted an alert about Rhysida. The report covers a number of the tactics, techniques and tooling that the ransomware gang uses (cisa.gov report).

Key points

  • Uses scheduled tasks for persistence
  • Uses the CHC hash and AES block cipher for encryption
  • Drops the ransom note as a PDF

Build information

Hashes

The file was first submitted to VirusTotal on November 18th, 2023; at the time of this analysis the most recent submission was December 8th, 2023.

  • b55ecbddcbed916481ad537807cd3e33cb71814be6ce8e03eb63b629ccb8c692 | VirusTotal

Compiler

The sample was compiled with MinGW 6.3 and is a 64-bit executable, 497KB in size.

Section Segments

The section table shows a .data section of 119.2KB with an entropy of 7, which is notable relative to the size of the overall binary.
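A high-entropy .data section is a cheap triage signal, so here is an added example (not code from the original analysis or from the sample) that parses the PE section table by hand and reports Shannon entropy per section. It needs no third-party modules; the PE image it runs on is constructed inline, and the 7.0 bits/byte threshold is an assumption chosen to line up with the figure quoted above.

```python
import math
import struct
from collections import Counter

# Added example: per-section entropy triage for a PE image. The parser only
# walks DOS header -> e_lfanew -> "PE\0\0" -> COFF header -> section table,
# which is enough to locate each section's raw bytes. Nothing here is loadable.

ENTROPY_THRESHOLD = 7.0  # assumption: bits per byte; packed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_offset, raw_size) for every IMAGE_SECTION_HEADER in the image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]       # NumberOfSections
    opt_header_size = struct.unpack_from("<H", image, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_header_size                               # COFF header is 20 bytes
    for i in range(num_sections):
        hdr = table + i * 40                                          # 40 bytes per section header
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)  # SizeOfRawData, PointerToRawData
        yield name, raw_ptr, raw_size


def section_report(image: bytes, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Map section name -> (raw size, entropy rounded to 2 dp, flagged?)."""
    report = {}
    for name, ptr, size in pe_sections(image):
        entropy = shannon_entropy(image[ptr:ptr + size])
        report[name] = (size, round(entropy, 2), entropy >= threshold)
    return report


def build_synthetic_pe(sections) -> bytes:
    """Construct a minimal PE image from [(name, bytes), ...] for testing.

    Constructed for this example only: no optional header, no imports,
    just enough structure for pe_sections() to parse.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=x64, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections:
        table += name.encode("ascii").ljust(8, b"\0")
        table += struct.pack("<IIII", len(data), 0x1000, len(data), raw_ptr)
        table += b"\0" * 16  # relocation / line-number fields and Characteristics
        body += data
        raw_ptr += len(data)
    return dos_header + b"PE\0\0" + coff_header + table + body


# Constructed sample: a flat .text section and a .data section covering every
# byte value uniformly, i.e. the 8.0 bits/byte ceiling.
SAMPLE_IMAGE = build_synthetic_pe([
    (".text", b"\x90" * 512),
    (".data", bytes(range(256)) * 4),
])

if __name__ == "__main__":
    for name, (size, entropy, flagged) in section_report(SAMPLE_IMAGE).items():
        print(f"{name:8} size={size:6} entropy={entropy:4.2f} {'SUSPICIOUS' if flagged else ''}")
```

Point the script at a real file by passing `open(path, "rb").read()` to `section_report()`; a .data section that is large relative to the binary and flagged at the threshold is worth pulling apart first, since that is where an embedded payload or configuration usually lives.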


Tactics and Techniques

The main function's control flow has a large nested if block starting at address text:0000000000419378 that is fairly distinctive. This nested block uses the number of processors found to set up the thread pool required to carry out the encryption process and to obtain a reference to the cryptographic handler.

Within this nested if block, _beginthreadex() is used to start new threads, bounded by the number of processors found, and a short 10 millisecond sleep was added inside a loop. This tight loop uses synchapi.h to handle events between threads.


The main program flow continues on to set up the file walker for file and directory discovery, and to make sure both the scheduled tasks and the commands for deleting the sample from disk are in place.


Determine number of CPUs

The number of processors is obtained via the GetSystemInfo() call. The structure returned contains a member called dwNumberOfProcessors, which is used throughout the sample to determine the thread pool sizes used for the overall encryption process.

If the number of processors is greater than 8, the value is capped at 8.


Scheduled task persistence

The sample sets up scheduled tasks to establish persistence. The scheduled tasks are broken up into multiple commands.

  • The first command creates a new scheduled task called Rhsd that launches the payload again at startup using the ONSTART option.
  • The second command runs the task Rhsd using the current user account's permissions.
  • The third command deletes the scheduled task if the system has already been compromised.

Inhibit system recovery

The sample clears the event logs using cmd.exe and wevtutil.exe, and waits until the logs are cleared before returning to the execution of the malware. vssadmin.exe is used to delete shadow copies; this occurs after the system is compromised.


Directory and file discovery

The sample is configured to skip files by extension. The file extensions listed below are commonly skipped by ransomware payloads, with the primary objective of keeping the system stable enough to function.

.bat
.bin
.cab
.cmd
.com
.cur
.diagcab
.diagcfg
.diagpkg
.drv
.dll
.exe
.hlp
.hta
.ico
.msi
.ocx
.ps1
.psm1
.scr
.sys
.ini
.Thumbs.db
.url
.iso

The sample iterates through each file and attempts to determine whether it is valid for processing by calling _stat64() and then inspecting the st_mode field for a regular file, directory, character device or pipe.


Encryption library

The sample attempts to get a handle to the Microsoft cryptographic next generation API and calls CryptGenRandom() to create entropy.


The malware statically links libtommath, which is used throughout the main function and its subroutines to set up the encryption process. https://github.com/libtom/libtommath

The sample uses AES as the block cipher and the chc_hash needed to make use of the public RSA key.


Lastly, the sample encrypts files and appends the rhysida extension.
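For incident scoping, the extension skip list, the st_mode check and the appended extension described above can be turned into a small classifier that tells an analyst which files on a host are already encrypted, which the sample would have left alone, and which remain at risk. The following is an added example, not code from the original analysis or from the sample; it assumes the appended extension is ".rhysida", treats the ".Thumbs.db" entry in the list as the file name Thumbs.db, and runs on a constructed directory listing instead of a live os.stat() walk.

```python
import stat

# Added example: bucket directory entries the way the sample's own file walker
# would treat them, for impact assessment after a Rhysida incident.
# Assumptions: ENCRYPTED_SUFFIX is ".rhysida"; ".Thumbs.db" in the skip list
# means the file name Thumbs.db rather than an extension.

SKIPPED_EXTENSIONS = {
    ".bat", ".bin", ".cab", ".cmd", ".com", ".cur", ".diagcab", ".diagcfg",
    ".diagpkg", ".drv", ".dll", ".exe", ".hlp", ".hta", ".ico", ".msi", ".ocx",
    ".ps1", ".psm1", ".scr", ".sys", ".ini", ".url", ".iso",
}
SKIPPED_NAMES = {"thumbs.db"}
ENCRYPTED_SUFFIX = ".rhysida"                 # assumption, see lead-in
RANSOM_NOTE_NAME = "criticalbreachdetected.pdf"


def base_name(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]


def extension(name: str) -> str:
    """Lower-cased final extension, or "" for names like ".bashrc" or "README"."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def would_be_skipped(path: str) -> bool:
    """True if the sample's extension filter would leave this file untouched."""
    name = base_name(path)
    return name.lower() in SKIPPED_NAMES or extension(name) in SKIPPED_EXTENSIONS


def classify(path: str, st_mode: int) -> str:
    """Bucket one directory entry; st_mode is what _stat64()/os.stat() returns."""
    if stat.S_ISDIR(st_mode):
        return "directory"
    if stat.S_ISCHR(st_mode) or stat.S_ISFIFO(st_mode):
        return "special"            # character device or pipe: not a file to encrypt
    if not stat.S_ISREG(st_mode):
        return "other"
    name = base_name(path).lower()
    if name == RANSOM_NOTE_NAME:
        return "ransom_note"
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted"
    if would_be_skipped(path):
        return "skipped"
    return "at_risk"


def scope_listing(listing):
    """listing: iterable of (path, st_mode). Returns (counts per bucket, original names of encrypted files)."""
    counts, originals = {}, []
    for path, mode in listing:
        bucket = classify(path, mode)
        counts[bucket] = counts.get(bucket, 0) + 1
        if bucket == "encrypted":
            originals.append(path[:-len(ENCRYPTED_SUFFIX)])
    return counts, originals


# Constructed listing standing in for a real walk with os.stat() on each entry.
REG_MODE = stat.S_IFREG | 0o644
DIR_MODE = stat.S_IFDIR | 0o755
FIFO_MODE = stat.S_IFIFO | 0o600
CHR_MODE = stat.S_IFCHR | 0o600
SAMPLE_LISTING = [
    (r"C:\Users\alice\Documents", DIR_MODE),
    (r"C:\Users\alice\Documents\report.docx.rhysida", REG_MODE),
    (r"C:\Users\alice\Documents\budget.xlsx", REG_MODE),
    (r"C:\Users\alice\Documents\CriticalBreachDetected.pdf", REG_MODE),
    (r"C:\Users\alice\Pictures\Thumbs.db", REG_MODE),
    (r"C:\Windows\System32\kernel32.dll", REG_MODE),
    (r"C:\tools\collect.ps1", REG_MODE),
    (r"\\.\pipe\example", FIFO_MODE),
]

if __name__ == "__main__":
    counts, originals = scope_listing(SAMPLE_LISTING)
    print(counts)
    print("encrypted originals:", originals)
```

The "skipped" bucket is the useful one during recovery: those files are intact by design of the sample, so binaries and scripts under Windows or Program Files can usually be trusted to still be original (though not to be free of the dropped payload), while everything in "at_risk" that is not already "encrypted" indicates the walker had not reached it yet when it was stopped.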


Defacement

The sample modifies the system registry via cmd.exe to replace the wallpaper with the ransom note. Once the registry keys are changed, the malware forces a refresh with the command rundll32.exe user32.dll,UpdatePerUserSystemParameters.
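The scheduled task persistence, the log clearing and shadow copy deletion, and the wallpaper defacement described in the sections above all surface as process command lines, which makes them a natural detection point. The following is an added example, not code from the original analysis or from the sample: a small detector that tags process-creation command lines (Sysmon Event ID 1 or equivalent EDR telemetry) with the stage they belong to. The sample lines are constructed for this example and are not strings recovered from the binary; the rule names and the stage grouping are my own.

```python
import re

# Added example: command-line detector for the behaviours in this write-up.
# Each rule is (name, compiled regex); the part of the name before the dot is
# the stage, so several distinct stages on one host is the pattern to alert on.

RULES = [
    # persistence: a task that runs at boot, or any schtasks action on "Rhsd"
    ("persistence.schtasks_onstart",
     re.compile(r"\bschtasks(?:\.exe)?\s+/create\b.*\s/sc\s+onstart\b", re.I)),
    ("persistence.schtasks_rhsd",
     re.compile(r"\bschtasks(?:\.exe)?\s+/(?:create|run|delete)\b.*\s/tn\s+\"?rhsd\b", re.I)),
    # inhibit system recovery: event log clearing and shadow copy deletion
    ("defense_evasion.clear_eventlog",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    ("impact.delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    # defacement: wallpaper registry edits and the forced refresh. The YARA rule
    # on this page spells the key "Contol Panel", so both spellings are accepted.
    ("defacement.wallpaper_registry",
     re.compile(r"\breg(?:\.exe)?\s+(?:add|delete)\b.*(?:contr?ol panel\\desktop|nochangingwallpaper)", re.I)),
    ("defacement.force_refresh",
     re.compile(r"\brundll32(?:\.exe)?\s+user32\.dll,\s*UpdatePerUserSystemParameters\b", re.I)),
]


def match_rules(command_line: str) -> list:
    """Names of every rule that fires on one command line."""
    return [name for name, rx in RULES if rx.search(command_line)]


def scan(command_lines) -> list:
    """(index, [rule names], line) for every line that matched at least one rule."""
    hits = []
    for i, line in enumerate(command_lines):
        names = match_rules(line)
        if names:
            hits.append((i, names, line))
    return hits


def stages_seen(command_lines) -> set:
    """Distinct stages observed across the lines (persistence, impact, ...)."""
    return {name.split(".", 1)[0] for _, names, _ in scan(command_lines) for name in names}


# Constructed telemetry: the first seven mirror the behaviours described above,
# the last two are benign activity that must not fire.
SAMPLE_COMMAND_LINES = [
    r'schtasks /create /tn Rhsd /sc ONSTART /tr "C:\Users\Public\<payload>.exe" /f',
    r"schtasks /run /tn Rhsd",
    r"schtasks /delete /tn Rhsd /f",
    r"cmd.exe /c wevtutil cl System",
    r"cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet",
    r'cmd.exe /c reg delete "HKCU\Control Panel\Desktop" /v Wallpaper /f',
    r"rundll32.exe user32.dll,UpdatePerUserSystemParameters",
    r'schtasks /create /tn BackupNightly /sc DAILY /tr "C:\Program Files\Backup\run.exe"',
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for index, names, line in scan(SAMPLE_COMMAND_LINES):
        print(f"[{index}] {', '.join(names)}: {line}")
    print("stages:", sorted(stages_seen(SAMPLE_COMMAND_LINES)))
```

Any one rule on its own produces noise (administrators do run vssadmin and schtasks), which is why `stages_seen()` is the value to alert on: persistence, log clearing, shadow copy deletion and wallpaper changes from the same host within minutes is the sequence this sample performs, and catching it at the wevtutil or vssadmin step is still before the bulk of the encryption.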

The sample attempts to open the Windows font file Arial.ttf for use in the ransom note.


The ransom note contains the typical scare tactics seen in other ransom notes and a reference to their onion site, together with a unique secret key (token) associated with this victim.


Lastly, the file CriticalBreachDetected.pdf containing the ransom note is dropped in the encrypted folder.


YARA

/*
MIT License
Copyright 2023 ShadowStackRe.com
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
rule RhysidaRansomware {
    meta:
      description = "rule to detect Rhysida Ransomware"
      author = "ShadowStackRe.com"
      date = "2023-12-12"
      Rule_Version = "v1"
      malware_type = "ransomware"
      malware_family = "Rhysida"
      License = "MIT License, https://opensource.org/license/mit/"
    strings:
      $strShadowCopy = " vssadmin.exe Delete Shadows"
      $strRhsyida01 = "Rhysida-0.1"
      $strRhysida = "rhysida"
      $strRegKey1 = "cmd.exe /c reg delete \"HKCU\\Contol Panel\\Desktop"
      $strRegKey2 = "Policies\\ActiveDesktop\" /v NoChangingWallPaper"
      $strRunDll32 = "rundll32.exe user32.dll,UpdatePerUserSystemParameters"
      $strPDF = "CriticalBreachDetected.pdf"
    condition:
      all of them
}


Originally published by ShadowStackRE: Rhysida Ransomware

Reposted by admin on December 21, 2023 at 5:56 PM.
