Recorded Future has shared intriguing insights into how it can now spot potential victims of the Rhysida ransomware gang before they face an attack. Rhysida has been on the radar since early 2023, notably for its late-2023 strike on the British Library. This group operates a typical double extortion model and largely targets education and healthcare sectors.
The Insikt Group at Recorded Future discovered they could identify potential Rhysida victims an average of 30 days before these organizations appeared on public extortion sites. By closely monitoring Rhysida’s unique infrastructure, they tapped into early detection signals. The key insight here? There’s a crucial time gap between when attackers first breach a system and when they deploy their ransomware. This gap gives security teams a vital opportunity to neutralize threats before any data is compromised or ransom demands are made.
So how does Rhysida execute its attacks? The group uses a multi-layered approach. It starts with fake domains pushed through SEO poisoning to lure targets into downloading a backdoor called CleanUpLoader. The installer is often disguised as legitimate software such as Google Chrome or Microsoft Teams, a lure designed to maximize the chances that an unsuspecting user clicks it.
Once CleanUpLoader is on a victim’s system, it maintains persistence. It’s able to shift between different command-and-control (C2) domains quickly if one gets disrupted, allowing Rhysida to buy time while they extract sensitive data. The gang also manages their operations through an admin panel, much like an employee using everyday work software, giving them a seemingly normal entry point to run their activities. The setup includes an open source Zabbix server for infrastructure monitoring—and, interestingly, its default language is Russian.
All this action unfolds in the period leading up to the ransomware deployment. Insikt Group focuses on detecting the traffic from C2 infrastructure during this “dwell time.” In July 2024, they noted that of the 11 victims Rhysida listed on its extortion site, over 60% exhibited early signs of infection before being publicly named. The average lag time between the first signs of infection and public listing was more than 30 days.
The team has also tracked various organizations communicating with CleanUpLoader’s C2 infrastructure, indicating they might be next in line for an attack. This cutting-edge detection method could theoretically extend to any ransomware group, as long as their infrastructure can be identified and monitored.
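As an added illustration of the detection logic described above (not Recorded Future's code; the log lines, listing dates and domains are constructed, with `.invalid` placeholders standing in for real C2 indicators), this Python script flags organizations that contacted watched infrastructure, measures the lead time between first contact and public listing, and reports organizations with contact but no listing yet:

```python
from datetime import date, datetime

# Constructed outbound-connection telemetry: (org, timestamp, destination host).
TELEMETRY = [
    ("org-a", "2024-06-02T10:15:00", "cdn.example-safe.com"),
    ("org-a", "2024-06-03T08:40:00", "c2-placeholder-1.invalid"),
    ("org-a", "2024-06-20T12:00:00", "c2-placeholder-2.invalid"),
    ("org-b", "2024-06-28T09:05:00", "c2-placeholder-1.invalid"),
    ("org-c", "2024-07-01T14:20:00", "updates.example-safe.com"),
    ("org-d", "2024-07-05T16:45:00", "c2-placeholder-2.invalid"),
]

# Placeholder watchlist standing in for the tracked C2 infrastructure (not real IoCs).
C2_WATCHLIST = {"c2-placeholder-1.invalid", "c2-placeholder-2.invalid"}

# Constructed extortion-site listing dates; orgs absent here are not (yet) listed.
LISTINGS = {"org-a": date(2024, 7, 10), "org-b": date(2024, 7, 8)}


def first_c2_contact(telemetry, watchlist):
    """Earliest time each org was seen talking to a watched C2 host."""
    first = {}
    for org, ts, host in telemetry:
        if host.lower() in watchlist:
            seen = datetime.fromisoformat(ts)
            if org not in first or seen < first[org]:
                first[org] = seen
    return first


def lead_times(first_contact, listings):
    """Days from first C2 contact to public listing; None if the org is not listed."""
    result = {}
    for org, seen in first_contact.items():
        listed = listings.get(org)
        result[org] = (listed - seen.date()).days if listed else None
    return result


def early_warning_rate(lead):
    """Share of listed victims whose C2 contact preceded listing (the 'over 60%' figure)."""
    listed = [d for d in lead.values() if d is not None]
    return sum(1 for d in listed if d > 0) / len(listed) if listed else 0.0


def pending_warnings(lead):
    """Orgs with C2 contact and no listing yet: candidates for proactive notification."""
    return sorted(org for org, d in lead.items() if d is None)
```

Running `lead_times(first_c2_contact(TELEMETRY, C2_WATCHLIST), LISTINGS)` on the constructed data gives 37 days for org-a and 10 for org-b, with org-d flagged as pending.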
The effectiveness of this approach hinges on two main factors: timely data collection and extensive detection of malicious infrastructure. Since ransomware groups constantly adapt and evolve their tactics, it’s crucial to stay ahead by monitoring the threat landscape and honing detection methods. Rapid insights into higher-tier infrastructure can complement traditional strategies, enhancing the ability to detect emerging threats swiftly.