Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Essential information
- Published
- 10/10/2024 08:17
- Modified
- 10/10/2024 08:43
- Tags
- 2024-10-10, backdoor, chrgetpdsi, cleanuploader, early detection, extortion, infrastructure, multi-tiered, portstarter, ransomware, rhysida, seo poisoning
- Related entities
- 106 observables, 1 intrusion set (APT), 14 techniques (MITRE ATT&CK), 4 malware
Description
Insikt Group mapped Rhysida's multi-tiered infrastructure: typo-squatted domains used for SEO poisoning, payload servers, CleanUpLoader command-and-control (C2) servers, and higher-tier components including an admin panel and a Zabbix monitoring server. Because these tiers are observable on the network before a victim is named, the setup allows victims to be identified on average 30 days before they appear on the group's extortion site. CleanUpLoader, a backdoor associated with Rhysida, is typically distributed as fake installers for popular applications, signed with valid digital certificates; a valid code signature therefore says nothing about the installer's legitimacy, and the signer identity and the domain that served the file are the useful signals. The analysis demonstrates that ransomware activity can be detected early through network intelligence, an approach that applies to any ransomware group whose infrastructure is similarly observable.
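The earliest observable tier described above is the typo-squatted SEO-poisoning domain that lures a user to a fake installer. The Python below is an added illustration of how a defender might surface such lookalike domains from resolver logs; it is not code from the Insikt Group report and contains no Rhysida indicators. The brand list, the DNS log lines and the edit-distance budgets are constructed assumptions.

```python
"""Flag candidate typo-squat lookalike domains in DNS resolver logs.

Added illustration only. LEGIT_BRANDS, SAMPLE_LOG and the distance
budgets are constructed assumptions, not indicators from the report.
"""
import re
from typing import Iterable, Optional

# Constructed assumption: software brands a fake-installer campaign might
# impersonate, mapped to the domains that legitimately serve them.
LEGIT_BRANDS = {
    "zoom": {"zoom.us"},
    "teamviewer": {"teamviewer.com"},
    "notepad-plus-plus": {"notepad-plus-plus.org"},
    "winscp": {"winscp.net"},
}
ALL_LEGIT = set().union(*LEGIT_BRANDS.values())


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; catches single-character swaps such as zo0m."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Naive second-level label. Assumption: no public-suffix list, so
    co.uk-style suffixes are handled wrongly; a real pipeline needs one."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str) -> Optional[tuple[str, str]]:
    """Return (brand, reason) if the domain looks like a typosquat, else None."""
    domain = domain.lower().rstrip(".")
    if domain in ALL_LEGIT:
        return None
    label = registrable_label(domain)
    # Compare the whole label and each hyphen-separated token, so that
    # 'zo0m-download' is checked as 'zo0m' as well.
    tokens = [label, *label.split("-")]
    for brand in LEGIT_BRANDS:
        # Edit budget scales with brand length: 1 for 'zoom', 2 for 'teamviewer'.
        budget = max(1, len(brand) // 5)
        for tok in tokens:
            if tok == brand:
                return brand, "brand token on an unexpected domain"
            if len(tok) >= 4 and levenshtein(tok, brand) <= budget:
                return brand, f"within {budget} edit(s) of '{brand}'"
        if brand in label:
            return brand, f"contains '{brand}'"
    return None


# Constructed log format: "<timestamp> <client-ip> <qtype> <qname>".
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>A|AAAA)\s+(?P<qname>\S+)$")


def scan_dns_log(lines: Iterable[str]) -> list[dict]:
    """Run classify() over resolver log lines and return the hits."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed or unrelated lines
        verdict = classify(m["qname"])
        if verdict:
            brand, reason = verdict
            hits.append({
                "client": m["client"],
                "qname": m["qname"].lower().rstrip("."),
                "brand": brand,
                "reason": reason,
            })
    return hits


# Constructed sample telemetry, not data from the report.
SAMPLE_LOG = """\
2024-10-01T09:12:03Z 10.0.0.15 A zoom.us
2024-10-01T09:12:41Z 10.0.0.15 A zo0m-download.com
2024-10-01T09:13:02Z 10.0.0.22 A teamveiwer.com
2024-10-01T09:13:30Z 10.0.0.22 A example.com
2024-10-01T09:14:11Z 10.0.0.31 A winscp-setup.net
2024-10-01T09:14:50Z 10.0.0.31 A notepad-plus-plus.org
""".splitlines()

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['qname']}: {hit['reason']}")
```

The output is a list of leads for analyst review, not a verdict: near-homonyms of short brand names will also match, and a lookalike domain only becomes interesting once it is tied to the next tiers the report describes (the payload server it redirects to, the signer on the installer it serves, and the C2 the installed backdoor contacts). Because the installers are validly signed, the signer name and serving domain, not the signature check itself, are what should feed the hunt.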