Rhysida Ransomware

A painful sting for Insomniac Games

Threat Landscape

On December 12th 2023, Rhysida claimed to have penetrated and encrypted Insomniac Games of Burbank, California. The studio, founded in 1994 and currently owned by Sony Interactive Entertainment, has been responsible for hits such as the recently released 'Marvel's Spider-Man' series and the 'Ratchet & Clank' series.

The gang has set the price at 50 BTC and a time limit of 7 days.

The leak site contains the latest victims and the ability to submit a victim token.

On November 15th, CISA.gov posted an alert about Rhysida. The report covers a number of the tactics, techniques and tooling the ransomware gang uses: cisa.gov report

Key points

  • Use of scheduled tasks for persistence
  • Uses the CHC hash and the AES block cipher for encryption
  • Drops the ransomware note as a PDF

Build information

Hashes

The file was first submitted to VirusTotal on November 18th 2023, and at the time of this analysis the last submission was December 8th 2023.

  • b55ecbddcbed916481ad537807cd3e33cb71814be6ce8e03eb63b629ccb8c692 | VirusTotal

Compiler

The sample was compiled using MinGW 6.3 and is a 64-bit executable of 497KB in size.

Section Segments

The section table shows a fairly large .data section, 119.2KB in size with an entropy of 7 (entropy close to 8 indicates compressed or encrypted content). This is interesting considering the size of the overall binary.
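Section entropy is a quick triage signal for exactly this observation. The following is an added example (not the analyst's tooling): it parses the PE section table by hand so it needs no third-party library, computes the Shannon entropy of each section's raw bytes, and flags sections at or above a triage threshold. The threshold value and the minimal constructed PE image used for demonstration are assumptions; replace `build_test_image()` with the bytes of a real file to run it against a sample.

```python
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_offset, raw_size) for each section of a PE image.

    Follows the PE/COFF layout: e_lfanew at DOS offset 0x3C, the "PE\\0\\0"
    signature, a 20-byte COFF header, the optional header, then one 40-byte
    IMAGE_SECTION_HEADER per section (SizeOfRawData and PointerToRawData sit
    at offsets 16 and 20 of each entry).
    """
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    table = pe_off + 24 + opt_size
    for i in range(num_sections):
        entry = table + i * 40
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", image, entry + 16)
        yield name, raw_off, raw_size


def section_entropies(image: bytes) -> dict:
    """Map each section name to the entropy of its raw bytes (rounded to 2 places)."""
    return {name: round(shannon_entropy(image[off:off + size]), 2)
            for name, off, size in pe_sections(image)}


def flag_high_entropy(image: bytes, threshold: float = 6.8) -> list:
    """Sections at or above the triage threshold (assumed value); the sample's .data scores 7."""
    return [n for n, e in section_entropies(image).items() if e >= threshold]


def build_test_image() -> bytes:
    """Constructed minimal PE image (not a real sample): a two-value .text section
    (entropy exactly 1.0) and a pseudo-random .data section (entropy near 8)."""
    rng = random.Random(1)
    text = b"\x90" * 256 + b"\xc3" * 256
    data = bytes(rng.randrange(256) for _ in range(4096))
    pe_off, opt_size = 0x40, 0xF0            # 0xF0 = PE32+ optional header size
    table = pe_off + 24 + opt_size
    text_off = table + 2 * 40
    data_off = text_off + len(text)
    img = bytearray(data_off + len(data))
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", img, pe_off + 6, 2)          # NumberOfSections
    struct.pack_into("<H", img, pe_off + 20, opt_size)  # SizeOfOptionalHeader
    for i, (name, off, blob) in enumerate([(b".text", text_off, text),
                                           (b".data", data_off, data)]):
        entry = table + i * 40
        img[entry:entry + 8] = name.ljust(8, b"\0")
        struct.pack_into("<II", img, entry + 16, len(blob), off)
        img[off:off + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    for name, ent in section_entropies(build_test_image()).items():
        print(f"{name:8s} {ent:.2f}")
```

A large, high-entropy .data section in a binary that is otherwise plain compiled C is a common sign of an embedded encrypted blob or packed payload, which is why it merits a closer look here.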

Tactics and Techniques

The main function's control flow has a large nested if block starting at address text:0000000000419378 that is fairly unique. This nested block uses the number of processors found to set up the thread pool required to facilitate the encryption process and to obtain a reference to the cryptographic handler.

Within this nested if block, _beginthreadex() is used to start new threads, bounded by the number of processors found, and a short 10 millisecond sleep was added inside a loop. This tight loop uses the synchapi.h event functions to handle signalling between threads.

The main program flow then continues to set up the file walker for file and directory discovery, and to set up both the scheduled tasks and the commands for deleting the sample from disk.

Determine number of CPUs

The number of processors is obtained via the GetSystemInfo() call. The SYSTEM_INFO structure it fills in contains a member called dwNumberOfProcessors, which is used throughout the sample to determine the thread pool sizes used for the overall encryption process.

If the number of processors is greater than 8, the value is capped at 8.

Schedule task persistence

The sample sets up scheduled tasks to facilitate persistence. The scheduled task handling is broken up into multiple commands.

  • The first command creates a new scheduled task called Rhsd that launches the payload again at startup, using the ONSTART option.
  • The second command runs the task Rhsd using the current user account's permissions.
  • The third command deletes the scheduled task if the system has already been compromised.

Inhibit system recovery

The sample clears the event logs using cmd.exe and the wevtutil.exe program, and waits until the events are cleared before returning to the execution of the malware. vssadmin.exe is used to delete shadow copies; this occurs after the system is compromised.

Directory and file discovery

The sample is configured to skip files by extension. The file extensions listed below are commonly skipped by ransomware payloads, with the primary objective of keeping the system functional.

.bat
.bin
.cab
.cmd
.com
.cur
.diagcab
.diagcfg
.diagpkg
.drv
.dll
.exe
.hlp
.hta
.ico
.msi
.ocx
.ps1
.psm1
.scr
.sys
.ini
.Thumbs.db
.url
.iso

The sample iterates through each file and attempts to determine whether the file is valid for processing by calling _stat64() and then inspecting the st_mode member to distinguish a regular file, directory, character device or pipe.
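The skip list and the st_mode check above are also what an incident responder needs when sizing the blast radius after a run. The following is an added example (not the post's tooling) that walks a tree and buckets every regular file as encrypted (carrying the rhysida extension the post describes), skipped by design (extension on the post's skip list), the dropped note (CriticalBreachDetected.pdf), or eligible but untouched. It reproduces the st_mode test in a defender's context: only regular files are counted, directories, character devices and FIFOs are ignored. Assumptions: the list entry ".Thumbs.db" is treated as the file name Thumbs.db, and the directory layout built by `build_sample_tree()` is constructed for demonstration, not real evidence.

```python
import os
import stat
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".rhysida"
RANSOM_NOTE = "criticalbreachdetected.pdf"
# Skip list as given in the analysis; ".Thumbs.db" is handled as a file name
# (assumption: the leading dot in the post is a formatting artefact).
SKIP_EXTENSIONS = {
    ".bat", ".bin", ".cab", ".cmd", ".com", ".cur", ".diagcab", ".diagcfg",
    ".diagpkg", ".drv", ".dll", ".exe", ".hlp", ".hta", ".ico", ".msi", ".ocx",
    ".ps1", ".psm1", ".scr", ".sys", ".ini", ".url", ".iso",
}
SKIP_NAMES = {"thumbs.db"}
BUCKETS = ("encrypted", "skipped_by_design", "ransom_note", "eligible_untouched")


def classify(path: Path) -> str:
    """Bucket a file by name/extension, mirroring the sample's skip logic."""
    name = path.name.lower()
    if name == RANSOM_NOTE:
        return "ransom_note"
    if name.endswith(ENCRYPTED_EXT):
        return "encrypted"
    if name in SKIP_NAMES or path.suffix.lower() in SKIP_EXTENSIONS:
        return "skipped_by_design"
    return "eligible_untouched"


def is_regular_file(path: Path) -> bool:
    """Equivalent of the sample's st_mode test: only regular files are candidates."""
    try:
        mode = os.lstat(path).st_mode   # lstat: do not follow symlinks
    except OSError:
        return False
    return stat.S_ISREG(mode)


def scope_report(root: Path) -> dict:
    """Count files per bucket and the share of eligible files that were encrypted."""
    counts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = Path(dirpath) / f
            if is_regular_file(p):
                counts[classify(p)] += 1
    eligible = counts["encrypted"] + counts["eligible_untouched"]
    report = {k: counts[k] for k in BUCKETS}
    report["total_regular_files"] = sum(counts.values())
    report["encrypted_ratio"] = round(counts["encrypted"] / eligible, 3) if eligible else 0.0
    return report


def build_sample_tree() -> Path:
    """Constructed directory (not real evidence) imitating a partially encrypted share."""
    root = Path(tempfile.mkdtemp(prefix="rhysida_triage_"))
    layout = {
        "finance/q3.xlsx.rhysida": b"ciphertext",
        "finance/q4.xlsx": b"plaintext",
        "finance/CriticalBreachDetected.pdf": b"note",
        "tools/setup.exe": b"MZ",
        "tools/run.bat": b"@echo off",
        "photos/Thumbs.db": b"thumbs",
        "photos/holiday.jpg.rhysida": b"ciphertext",
    }
    for rel, content in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


if __name__ == "__main__":
    for key, value in scope_report(build_sample_tree()).items():
        print(f"{key:22s} {value}")
```

The encrypted ratio is the useful number: a run that was interrupted part-way (for example by an EDR kill) shows up as a low ratio with plaintext files still present, which changes the recovery plan.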

Encryption library

The sample attempts to get a handle to the Microsoft cryptographic next gen API and calls CryptGenRandom() to create entropy.

The malware has statically linked references to libtommath, which is used throughout the main function and subroutines to set up the encryption process. https://github.com/libtom/libtommath

The sample uses AES as the block cipher and the chc_hash construction that is needed to handle the public RSA key.

Lastly, the sample encrypts files and appends the rhysida extension.

Defacement

The sample modifies the system registry via cmd.exe to set the wallpaper to the ransomware note. Once the registry keys are changed, the malware forces a refresh using the command rundll32.exe user32.dll,UpdatePerUserSystemParameters.
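The scheduled task commands, the wevtutil and vssadmin calls, and the wallpaper registry edit plus rundll32 refresh described above all surface as process-creation events, which makes them a natural detection set. The following is an added example (not ShadowStackRe tooling): a small rule set matched against command lines, grouped per host, with an alert decision that does not fire on a lone wallpaper refresh (rundll32 UpdatePerUserSystemParameters is also run by legitimate theme changes). The input lines are constructed in the shape of a Sysmon Event ID 1 CommandLine extraction; the exact schtasks argument order and the payload path are assumptions, as is the ATT&CK technique mapping.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str        # ATT&CK technique id (assumed mapping)
    pattern: re.Pattern


RULES = [
    # Scheduled task Rhsd: create with ONSTART, run, delete (T1053.005)
    Rule("rhsd_task_create", "T1053.005",
         re.compile(r'schtasks(?:\.exe)?\s(?=.*/create\b)(?=.*/sc\s+onstart\b)(?=.*/tn\s+"?rhsd\b)', re.I)),
    Rule("rhsd_task_run", "T1053.005",
         re.compile(r'schtasks(?:\.exe)?\s(?=.*/run\b)(?=.*/tn\s+"?rhsd\b)', re.I)),
    Rule("rhsd_task_delete", "T1053.005",
         re.compile(r'schtasks(?:\.exe)?\s(?=.*/delete\b)(?=.*/tn\s+"?rhsd\b)', re.I)),
    # Event log clearing (T1070.001) and shadow copy deletion (T1490)
    Rule("log_clear", "T1070.001",
         re.compile(r'\bwevtutil(?:\.exe)?\s+cl\b', re.I)),
    Rule("shadow_delete", "T1490",
         re.compile(r'\bvssadmin(?:\.exe)?\s+delete\s+shadows\b', re.I)),
    # Wallpaper defacement via registry and the forced refresh (T1491.001)
    Rule("wallpaper_regedit", "T1491.001",
         re.compile(r'\breg(?:\.exe)?\s+(?:add|delete)\b.*(?:control panel\\desktop|nochangingwallpaper)', re.I)),
    Rule("wallpaper_refresh", "T1491.001",
         re.compile(r'\brundll32(?:\.exe)?\s+user32\.dll,UpdatePerUserSystemParameters\b', re.I)),
]

# Constructed events (host, command line); not captured from a real incident.
SAMPLE_EVENTS = [
    ("host1", r'cmd.exe /c schtasks /create /sc onstart /tn Rhsd /tr "C:\path\to\sample.exe"'),
    ("host1", r'cmd.exe /c schtasks /run /tn Rhsd'),
    ("host1", r'cmd.exe /c wevtutil cl Security'),
    ("host1", r'cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet'),
    ("host1", r'cmd.exe /c reg delete "HKCU\Control Panel\Desktop" /v Wallpaper /f'),
    ("host1", r'rundll32.exe user32.dll,UpdatePerUserSystemParameters'),
    ("host2", r'rundll32.exe user32.dll,UpdatePerUserSystemParameters'),
    ("host2", r'cmd.exe /c schtasks /query /tn "Adobe Update"'),
]


def match_line(cmdline: str) -> list:
    """All rules whose pattern matches one command line."""
    return [r for r in RULES if r.pattern.search(cmdline)]


def triage(events) -> dict:
    """Group matches per host and decide whether the host warrants an alert.

    Alert when a destructive step (log clearing or shadow deletion) is seen, or
    when two or more distinct techniques co-occur; a single wallpaper refresh
    on its own stays quiet because it is routine.
    """
    per_host = {}
    for host, cmd in events:
        entry = per_host.setdefault(host, {"rules": [], "techniques": set()})
        for r in match_line(cmd):
            entry["rules"].append(r.name)
            entry["techniques"].add(r.technique)
    for entry in per_host.values():
        destructive = {"shadow_delete", "log_clear"} & set(entry["rules"])
        entry["alert"] = bool(destructive) or len(entry["techniques"]) >= 2
    return per_host


if __name__ == "__main__":
    for host, entry in triage(SAMPLE_EVENTS).items():
        print(host, "ALERT" if entry["alert"] else "ok", sorted(entry["techniques"]))
```

Note that the YARA rule further down in this post matches the same strings inside the binary on disk; this detection complements it by catching the behaviour at execution time even if the on-disk sample has been deleted by its own cleanup command.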

The sample attempts to open the Windows font file Arial.ttf for use in the ransom note.

The ransom note contains the typical scare tactics seen in other ransomware notes and a reference to the gang's onion site with a unique secret key (token) associated with this victim.

Lastly, the file CriticalBreachDetected.pdf, containing the ransom note, is dropped in the encrypted folder.

YARA

/*
MIT License
Copyright 2023 ShadowStackRe.com
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
rule RhysidaRansomware {
    meta:
      description = "rule to detect Rhysida Ransomware"
      author = "ShadowStackRe.com"
      date = "2023-12-12"
      Rule_Version = "v1"
      malware_type = "ransomware"
      malware_family = "Rhysida"
      License = "MIT License, https://opensource.org/license/mit/"
    strings:
      $strShadowCopy = " vssadmin.exe Delete Shadows"
      $strRhsyida01 = "Rhysida-0.1"
      $strRhysida = "rhysida"
      $strRegKey1 = "cmd.exe /c reg delete \"HKCU\\Contol Panel\\Desktop"
      $strRegKey2 = "Policies\\ActiveDesktop\" /v NoChangingWallPaper"
      $strRunDll32 = "rundll32.exe user32.dll,UpdatePerUserSystemParameters"
      $strPDF = "CriticalBreachDetected.pdf"
    condition:
      all of them
}