{
  "name": "Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis",
  "slug": "rhysida-ransomware-multi-tiered-infrastructure-and-early-detection-analysis",
  "description": "Insikt Group mapped Rhysida's multi-tiered infrastructure, comprising typo-squatted domains used for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and a Zabbix monitoring server. Visibility into this multi-tiered setup enabled early victim identification, on average about 30 days before the victims were listed on extortion sites. CleanUpLoader, a backdoor associated with Rhysida, is often distributed as fake software installers for popular applications and is signed with valid digital certificates, so a valid code signature alone should not be treated as evidence that an installer is benign. The analysis demonstrates that ransomware activity can be detected early using network intelligence, an approach applicable to other ransomware groups whose infrastructure is similarly observable.",
  "published": "2024-10-10T06:17:00+00:00",
  "created_at": "2024-10-10T06:17:00+00:00",
  "modified_at": "2024-10-10T06:43:39+00:00",
  "created_at_opencti": "2024-10-10T06:17:00+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-10-10",
    "backdoor",
    "chrgetpdsi",
    "cleanuploader",
    "early detection",
    "extortion",
    "infrastructure",
    "multi-tiered",
    "portstarter",
    "ransomware",
    "rhysida",
    "seo poisoning"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "67.217.228.171"
      },
      {
        "id": "",
        "name": "67.217.228.136"
      },
      {
        "id": "",
        "name": "67.217.228.11"
      },
      {
        "id": "",
        "name": "64.95.13.98"
      },
      {
        "id": "",
        "name": "64.95.13.77"
      },
      {
        "id": "",
        "name": "64.94.84.61"
      },
      {
        "id": "",
        "name": "45.66.248.78"
      },
      {
        "id": "",
        "name": "51.195.232.46"
      },
      {
        "id": "",
        "name": "45.61.136.85"
      },
      {
        "id": "",
        "name": "45.61.136.244"
      },
      {
        "id": "",
        "name": "45.61.136.48"
      },
      {
        "id": "",
        "name": "216.245.184.129"
      },
      {
        "id": "",
        "name": "213.109.202.161"
      },
      {
        "id": "",
        "name": "206.71.149.46"
      },
      {
        "id": "",
        "name": "193.149.190.10"
      },
      {
        "id": "",
        "name": "162.33.179.46"
      },
      {
        "id": "",
        "name": "162.33.179.222"
      },
      {
        "id": "",
        "name": "162.33.178.137"
      },
      {
        "id": "",
        "name": "162.33.178.83"
      },
      {
        "id": "",
        "name": "162.19.237.181"
      },
      {
        "id": "",
        "name": "149.248.78.182"
      },
      {
        "id": "",
        "name": "141.255.166.66"
      },
      {
        "id": "",
        "name": "139.99.221.140"
      },
      {
        "id": "",
        "name": "206.166.251.114"
      },
      {
        "id": "",
        "name": "149.248.79.62"
      },
      {
        "id": "",
        "name": "64.95.10.243"
      },
      {
        "id": "",
        "name": "91.240.118.215"
      },
      {
        "id": "",
        "name": "zoom-video.org"
      },
      {
        "id": "",
        "name": "webex-up.com"
      },
      {
        "id": "",
        "name": "time-check-broker.com"
      },
      {
        "id": "",
        "name": "postmastersoriginals.com"
      },
      {
        "id": "",
        "name": "pixalate.us"
      },
      {
        "id": "",
        "name": "ns-client.net"
      },
      {
        "id": "",
        "name": "nnlcrosaftteams-download.pro"
      },
      {
        "id": "",
        "name": "microssoft-teams.com"
      },
      {
        "id": "",
        "name": "microsoftt-teams.com"
      },
      {
        "id": "",
        "name": "microsoftt-teams-download.com"
      },
      {
        "id": "",
        "name": "metalforthecoredream.com"
      },
      {
        "id": "",
        "name": "itisthebestforyou.eu"
      },
      {
        "id": "",
        "name": "heartwithinadream.com"
      },
      {
        "id": "",
        "name": "gang-force.com"
      },
      {
        "id": "",
        "name": "firscountryours.eu"
      },
      {
        "id": "",
        "name": "docsfromthewest.com"
      },
      {
        "id": "",
        "name": "crystal-maker.com"
      },
      {
        "id": "",
        "name": "crystalmaker.pro"
      },
      {
        "id": "",
        "name": "codeforprofessionalusers.com"
      },
      {
        "id": "",
        "name": "buydotclearlynet.com"
      },
      {
        "id": "",
        "name": "backuppingplanseasy.com"
      },
      {
        "id": "",
        "name": "auttodessk.com"
      },
      {
        "id": "",
        "name": "autosdesk.net"
      },
      {
        "id": "",
        "name": "aut0deskk.com"
      },
      {
        "id": "",
        "name": "whereverhomebe.com"
      },
      {
        "id": "",
        "name": "prodfindfeatures.com"
      },
      {
        "id": "",
        "name": "micrsoft-teams-download.com"
      },
      {
        "id": "",
        "name": "yourserenahelpcustom.uk"
      },
      {
        "id": "",
        "name": "supfoundrysettlers.us"
      },
      {
        "id": "",
        "name": "retdirectyourman.eu"
      },
      {
        "id": "",
        "name": "lakeshorehomebuilders.com"
      },
      {
        "id": "",
        "name": "basiconlineincome.com"
      },
      {
        "id": "",
        "name": "siskollew@onionmail.org"
      },
      {
        "id": "",
        "name": "kimigleason@onionmail.org"
      },
      {
        "id": "",
        "name": "estelaosinski@onionmail.org"
      },
      {
        "id": "",
        "name": "fd22df004b61809b110c6b4cbc9ddeb6df31edaa1f889ed501b4d516869e1efb"
      },
      {
        "id": "",
        "name": "f066cff7172a39cf7910142687ec877f428b4a352e16077a2fea712c525e932c"
      },
      {
        "id": "",
        "name": "e60cab41b7602209c1660bc518b1f7b639ab45e60bbedf3b23757e4937c24fc4"
      },
      {
        "id": "",
        "name": "e45802322835286cfe3993fe8e49a793acd705755d57d8fc007341bf3b842518"
      },
      {
        "id": "",
        "name": "e1be0e3707f67d03eaa8ac4b14b8b7cd7fc665f13a15aa8087b34cbde07116fd"
      },
      {
        "id": "",
        "name": "d9ffcca98671ccb2ff42d26d98be3b30b636930cc63149895b842f834871ebe3"
      },
      {
        "id": "",
        "name": "d80239bb3299b1086f2ad5fc4690973604a770aafc84d21fecf0ae8004be9750"
      },
      {
        "id": "",
        "name": "d7ba9881345d71862a68080d210643e2c2d3e17fd13065385edcd3b3391898c3"
      },
      {
        "id": "",
        "name": "d4e4deab561d478084ac29751e5073de9b7ffd55fa8b408c5c76fedd3fe02f6c"
      },
      {
        "id": "",
        "name": "d40461331f4511c27611f6cba2af831aaa0789990c8387f6ec7bc0bf54b10961"
      },
      {
        "id": "",
        "name": "cfe29f17a6a3df92015c8fc4c3d1365b40ab174322791c3643ed6480c1fb4349"
      },
      {
        "id": "",
        "name": "c2e7bf349214d1241cecd30748d392d9b585186fe5d38ec4b2b3d3304be206a3"
      },
      {
        "id": "",
        "name": "c095497d1144ceca4cbbbeda19952322aa001e61318d6eecd4e97002f3cfc9aa"
      },
      {
        "id": "",
        "name": "bd5a37a8d2cdc44d60e5f550eb02e84fe41e380c341c404a4ffb71f9fc057e4a"
      },
      {
        "id": "",
        "name": "bb07c89e9eb29817ca8a70f7c9430d5f4ad82eb525472abe8bad1b161a702584"
      },
      {
        "id": "",
        "name": "ae939063c8f4ed91848fbdeff3ac98c17b404649706d7a3805c05e686b2e478c"
      },
      {
        "id": "",
        "name": "a2263d2af40140370f687f4936ef65b82d5f6c85df9e22dfc05ff677f8650ae1"
      },
      {
        "id": "",
        "name": "8bae0fa9f589cd434a689eebd7a1fde949cc09e6a65e1b56bb620998246a1650"
      },
      {
        "id": "",
        "name": "8372b173704cf8d8737e426b34efd43fba74c4fcb0a248f6ce72682ebc0bd916"
      },
      {
        "id": "",
        "name": "72c7e22177b612254f40c5b5bc1555b5dca86e2e15e0f48551c946972160c2c5"
      },
      {
        "id": "",
        "name": "687459d587df273184469f7e707c0e5db8fe4e3d4b15756d666891127851680b"
      },
      {
        "id": "",
        "name": "64a45cc8499992de72e4fe8c2a07100e97e333c09c0c004af2b88d8aedcd19f1"
      },
      {
        "id": "",
        "name": "5c68fda16039ff29e9bf93c6dac11edbcd111dc8ec29fa499637c43b07039d92"
      },
      {
        "id": "",
        "name": "59f9929ed207c31b1d1cdf149ae3bea5d1187453574b405639bbac240ea1b693"
      },
      {
        "id": "",
        "name": "47e95a56736031567b2a1663410e635627ca812a2926b37f46f2322bbcbc0238"
      },
      {
        "id": "",
        "name": "4adfdd5d066fb1f880f02fdd0118095afdf60d644c5df79f43935cfc3b80640e"
      },
      {
        "id": "",
        "name": "47975a0d9299ba46e2f313c6bc9a47a760c3243509660b9edb83ffbd47e3a98b"
      },
      {
        "id": "",
        "name": "405486ac746e7dfea797c676ede336fde69cf19cd4249e6d2d8a4d9483617cfe"
      },
      {
        "id": "",
        "name": "34605c0dfbabf7ce8836091dc760a073da37f1ab35ef3e33f13117bcf044d07e"
      },
      {
        "id": "",
        "name": "2261bce086869cb90502272e933f1f356adc886dd8da83e5197923546827f43e"
      },
      {
        "id": "",
        "name": "2660e5a5b38f32e30293b51e6bb7a2e43caca9d4a17619e17c7fbe93f08c0e26"
      },
      {
        "id": "",
        "name": "0e8837be7802d9cbc0bf01b7701dcc37f906e075c5cbfbe45804f72eaf624756"
      },
      {
        "id": "",
        "name": "0cace05e3f256ad430fa6e5b42763c977f3b6e19b6a4e18e717a9c209cf2ddc1"
      },
      {
        "id": "",
        "name": "0b2fc17409949fead98cac2eeb41442dc394225b8b4025c4f6101b73b515d09b"
      },
      {
        "id": "",
        "name": "094b9b61f910f45b9896d249e18eec653370da3e80a05f7a86cef57170340f87"
      },
      {
        "id": "",
        "name": "0851fd5671640a9acaf688e2886570759364135915f272d4ff7946fe001b3f4c"
      },
      {
        "id": "",
        "name": "077f1659add338e217216acd6f284634977c507f5e2df5ac0e08bcadaef8fd64"
      },
      {
        "id": "",
        "name": "06dec1d05b77f765b9d12c223d4b7887dc0a526e8d8a790bd2b99346619dc837"
      },
      {
        "id": "",
        "name": "05ab428fc0b171957e9144351a7480cfea2f617f20dd23c145736bd0a22eb041"
      },
      {
        "id": "",
        "name": "cfc2fe7236da1609b0db1b2981ca318bfd5fbbb65c945b5f26df26d9f948cbb4"
      },
      {
        "id": "",
        "name": "9601f3921c2cd270b6da0ba265c06bae94fd7d4dc512e8cb82718eaa24accc43"
      },
      {
        "id": "",
        "name": "82b246d8e6ffba1abaffbd386470c45cef8383ad19394c7c0622c9e62128cb94"
      },
      {
        "id": "",
        "name": "574c70e84ecdad901385a1ebf38f2ee74c446034e97c33949b52f3a2fddcd822"
      },
      {
        "id": "",
        "name": "a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6"
      }
    ],
    "malware": [
      {
        "id": "0153fa9d-8a83-4425-987f-07fd2dc6c903",
        "name": "PortStarter",
        "slug": "portstarter"
      },
      {
        "id": "legacy:malware:c1115f90ba9919be",
        "name": "ChrGetPdsi",
        "slug": "chrgetpdsi"
      },
      {
        "id": "legacy:malware:3cd720878630dd5a",
        "name": "CleanUpLoader",
        "slug": "cleanuploader"
      },
      {
        "id": "521823ae-c6f7-42a6-b643-24d535c7a04b",
        "name": "Rhysida",
        "slug": "rhysida"
      }
    ],
    "intrusion_sets": [
      {
        "id": "6b269fa1-6ab6-4e2f-891a-38ae7fbcab92",
        "name": "Rhysida",
        "slug": "rhysida"
      }
    ],
    "attack_patterns": [
      {
        "id": "d19f56ca-5ce8-4bd1-af90-7d83e394470c",
        "name": "T1583.001"
      },
      {
        "id": "4716a930-cb46-4d50-803a-9e1aaa6be5e9",
        "name": "T1588.004"
      },
      {
        "id": "3e7e47ba-d8ad-4aa8-a4fc-1167cec2e125",
        "name": "T1587.001"
      },
      {
        "id": "effdd452-1540-48f5-9fff-347c7526f6ba",
        "name": "T1583.004"
      },
      {
        "id": "8322caa8-0bb7-4258-810d-d2341cccf818",
        "name": "T1078.003"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "320df345-a473-4f17-9588-6cd021c14bd3",
        "name": "T1583.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "e46a9411-d2a1-47c9-8820-c7f818f4c0b5",
        "name": "T1203"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      },
      {
        "id": "64cdebc9-0fb4-48f2-bf4f-b87f3741f664",
        "name": "T1068"
      }
    ]
  },
  "external_refs": [
    "https://go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf",
    "https://www.recordedfuture.com/research/outmaneuvering-rhysida-advanced-threat-intelligence-shields-critical-infrastructure-ransomware",
    "https://otx.alienvault.com/pulse/67078d7cebbee66f1979f6d5"
  ]
}