Analytics Story: Rhysida Ransomware

Date: 2023-12-12 ID: 0925ee49-1185-4484-94ac-7867764a9183 Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Utilize analytics designed to identify and delve into atypical behaviors, potentially associated with the Rhysida Ransomware. Employing these searches enables the detection of irregular patterns or actions within systems or networks, serving as proactive measures to spot potential indicators of compromise or ongoing threats. By implementing these search strategies, security analysts can effectively pinpoint anomalous activities, such as unusual file modifications, deviations in system behavior, that could potentially signify the presence or attempt of Rhysida Ransomware infiltration. These searches serve as pivotal tools in the arsenal against such threats, aiding in swift detection, investigation, and mitigation efforts to counter the impact of the Rhysida Ransomware or similar malicious entities.

Why it matters

This story addresses Rhysida ransomware. Rhysida Ransomware emerges as a silent predator, infiltrating systems stealthily and unleashing havoc upon its victims. Employing sophisticated encryption tactics, it swiftly locks critical files and databases, holding them hostage behind an impenetrable digital veil. The haunting demand for ransom sends shockwaves through affected organizations, rendering operations inert and plunging them into a tumultuous struggle between compliance and resilience. Threat actors leveraging Rhysida ransomware are known to impact "targets of opportunity," including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
CMD Carry Out String Command Parameter Windows Command Shell, Command and Scripting Interpreter Hunting
Cmdline Tool Not Executed In CMD Shell Command and Scripting Interpreter, JavaScript TTP
Common Ransomware Extensions Data Destruction Hunting
Common Ransomware Notes Data Destruction Hunting
Deleting Shadow Copies Inhibit System Recovery TTP
Detect PsExec With accepteula Flag Remote Services, SMB/Windows Admin Shares TTP
Detect Rare Executables User Execution Anomaly
Detect Renamed PSExec System Services, Service Execution Hunting
Disable Logs Using WevtUtil Indicator Removal, Clear Windows Event Logs TTP
Domain Account Discovery With Net App Domain Account, Account Discovery TTP
Domain Controller Discovery with Nltest Remote System Discovery TTP
Domain Group Discovery With Net Permission Groups Discovery, Domain Groups Hunting
Elevated Group Discovery With Net Permission Groups Discovery, Domain Groups TTP
Excessive Usage Of Net App Account Access Removal Anomaly
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
High Process Termination Frequency Data Encrypted for Impact Anomaly
Malicious Powershell Executed As A Service System Services, Service Execution TTP
Modification Of Wallpaper Defacement TTP
Net Localgroup Discovery Permission Groups Discovery, Local Groups Hunting
NLTest Domain Trust Discovery Domain Trust Discovery TTP
Ntdsutil Export NTDS NTDS, OS Credential Dumping TTP
PowerShell 4104 Hunting Command and Scripting Interpreter, PowerShell Hunting
Ransomware Notes bulk creation Data Encrypted for Impact Anomaly
SAM Database File Access Attempt Security Account Manager, OS Credential Dumping Hunting
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job TTP
SecretDumps Offline NTDS Dumping Tool NTDS, OS Credential Dumping TTP
Spike in File Writes None Anomaly
Suspicious Process File Path Create or Modify System Process TTP
Suspicious wevtutil Usage Clear Windows Event Logs, Indicator Removal TTP
System User Discovery With Whoami System Owner/User Discovery Hunting
Windows Modify Registry NoChangingWallPaper Modify Registry TTP
Windows PowerView AD Access Control List Enumeration Domain Accounts, Permission Groups Discovery TTP
Windows PowerView Constrained Delegation Discovery Remote System Discovery TTP
Windows PowerView Kerberos Service Ticket Request Steal or Forge Kerberos Tickets, Kerberoasting TTP
Windows PowerView SPN Discovery Steal or Forge Kerberos Tickets, Kerberoasting TTP
Windows PowerView Unconstrained Delegation Discovery Remote System Discovery TTP
Windows Rundll32 Apply User Settings Changes System Binary Proxy Execution, Rundll32 TTP
WinRM Spawning a Process Exploit Public-Facing Application TTP
Detect Zerologon via Zeek Exploit Public-Facing Application TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 5 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log System 7045 Windows icon Windows xmlwineventlog XmlWinEventLog:System

References

Source: GitHub | Version: 1