How Recorded Future finds ransomware victims before they are affected

Threat intelligence specialist Recorded Future has revealed details of how it can now find and alert future victims of the Rhysida ransomware gang before it has a chance to deploy its ransomware locker.

Rhysida, perhaps best known in Britain for the attack on the British Library in late 2023, has been active since around January 2023, running a standard double-extortion ransomware-as-a-service operation. It targets a range of sectors, but appears to focus mainly on education and healthcare organizations.

Now, a new early-detection technique developed at Recorded Future could prove a game-changer in the fight against ransomware, according to Insikt Group, the company's threat research team.

“Insikt Group found that Rhysida victims could be tracked for an average of 30 days before appearing on public extortion sites. Monitoring Rhysida’s infrastructure… made this detection possible,” they wrote.

“The average time between initial infection and ransomware deployment provides defenders with a critical window to respond. By identifying network communications and other indicators of compromise (IoCs) early, security teams can act quickly to neutralize threats before the attackers can encrypt data or demand a ransom.”

Anatomy of a Rhysida attack

Rhysida uses a multi-layered infrastructure to facilitate its attacks – creating typosquatting domains enhanced with SEO poisoning techniques to trick targets into visiting a payload server hosting a backdoor malware known as CleanUpLoader.

CleanUpLoader is a versatile backdoor that is usually delivered as a fake installer for a legitimate piece of software. Google Chrome and Microsoft Teams are favoured lures because they are so widely used that a larger share of targets will click on them.
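A defender watching for this lure can check outbound DNS queries for look-alike domains before anyone reaches the payload server. The script below is an added example, not code from Recorded Future or from the Rhysida operators: the brand words, the vendor domains in LEGIT, the lure tokens, the homoglyph table and the DNS log lines are all constructed for illustration, and no real Rhysida domain appears in it. It flags three patterns: a brand word combined with a download-style token, a brand word under a domain the vendor does not own (including digit and "rn" homoglyph variants), and labels one edit away from the brand.

```python
"""Flag look-alike domains that imitate software-download brands.

Added example, not code from Recorded Future or the Rhysida operators.
BRANDS, LEGIT, LURE_TOKENS, HOMOGLYPHS and SAMPLE_LOG are constructed for
illustration; no real Rhysida infrastructure is included.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Brand words the lure imitates and the domains the genuine installers come
# from (assumption: illustrative list, not a complete allow-list).
BRANDS = ("chrome", "teams")
LEGIT = ("google.com", "chrome.com", "microsoft.com")

# Tokens a fake download page typically bolts onto the brand word.
LURE_TOKENS = ("download", "install", "setup", "update", "free")

# Character substitutions that make a typosquat read like the real name.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label left of the public suffix: 'chrome-setup' for 'www.chrome-setup.net'.
    Assumes a one-label suffix; production code should use the Public Suffix List."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalise(label: str) -> str:
    """Strip separators and undo common homoglyph tricks before comparing."""
    s = label.replace("-", "").replace("_", "")
    for glyph, real in HOMOGLYPHS:
        s = s.replace(glyph, real)
    return s


@dataclass(frozen=True)
class Finding:
    domain: str
    brand: str
    reason: str


def classify(domain: str) -> Optional[Finding]:
    """Return a Finding when the domain looks like a typosquat of a tracked brand."""
    dom = domain.lower().rstrip(".")
    if any(dom == legit or dom.endswith("." + legit) for legit in LEGIT):
        return None  # the genuine vendor domain
    label = registrable_label(dom)
    norm = normalise(label)
    for brand in BRANDS:
        if brand in norm and any(tok in norm for tok in LURE_TOKENS):
            return Finding(dom, brand, "brand word combined with a download lure")
        if norm == brand:
            return Finding(dom, brand, "brand word on a non-vendor domain")
        if levenshtein(norm, brand) == 1:
            return Finding(dom, brand, "one edit away from the brand")
    return None


def scan_dns_log(lines: List[str]) -> List[Tuple[str, Finding]]:
    """Run classify() over 'timestamp host queried-domain' lines; return (host, finding)."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the scan
        found = classify(parts[2])
        if found:
            findings.append((parts[1], found))
    return findings


# Constructed resolver log (not real traffic).
SAMPLE_LOG = [
    "2024-07-02T10:15:03Z ws-0412 chrome-download.net",
    "2024-07-02T10:15:09Z ws-0412 www.google.com",
    "2024-07-02T11:02:44Z ws-0077 chr0me.com",
    "2024-07-02T11:40:10Z ws-0131 teams-setup.xyz",
    "2024-07-02T12:00:00Z ws-0131 teams.microsoft.com",
    "2024-07-02T12:13:51Z ws-0200 intranet.example.org",
]

if __name__ == "__main__":
    for host, f in scan_dns_log(SAMPLE_LOG):
        print(f"{host}: {f.domain} imitates {f.brand} ({f.reason})")
```

The edit-distance rule is deliberately conservative (a single edit) because short brand words such as "teams" collide with ordinary English at distance two; SEO-poisoned lures tend to rely on the first two patterns anyway, since the page has to rank for the brand name.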

Once running on the target system, CleanUpLoader provides persistence: with multiple command-and-control (C2) domains in its configuration, it can quickly switch to another if one goes offline or is taken down, buying Rhysida the time it needs to identify and exfiltrate data from the target.

The gang also runs a higher-level management infrastructure, including an admin panel that is likely used to run CleanUpLoader's C2 operation. Rhysida operators log into this panel from their own endpoints, much as a normal employee logs into an online work tool. The panel is usually tied to a specific domain; the Insikt Group found several used at different times.

The management layer also includes an open source Zabbix server that connects to the admin panel. This is likely used for infrastructure monitoring, and its default language is, unsurprisingly, set to Russian.

Dwell time

All of this activity takes place between the moment Rhysida first gains access to the target environment and the moment the ransomware is executed. By exploiting the dwell time these tasks require, and by monitoring and capturing the traffic flowing to and from the C2 infrastructure, the Insikt Group has been able to get ahead of the attackers.

“Of the eleven victims Rhysida listed on its extortion site in July 2024, seven – more than 60% – showed early signs of infection through beaconing to CleanUpLoader C2 servers,” the Insikt Group team wrote.

“On average, more than 30 days elapsed between these victim organizations’ initial beaconing to the CleanUpLoader C2 servers and the day they appeared on the extortion site.”

The team said they were also able to detect traffic from a wide range of other organizations to and from the CleanUpLoader C2 infrastructure, allowing them to make a fairly informed guess that these organizations may soon appear on the Rhysida extortion site.
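The detection described here reduces, on the defender's side, to correlating outbound connection logs against a feed of known C2 hosts and asking whether a source is merely touching them or beaconing to them on a schedule. The script below is an added example of that logic, not Recorded Future's tooling: the hostnames in KNOWN_C2 are placeholders under the reserved .invalid suffix, the source addresses, log lines and extortion-listing date are constructed, and the log format ("timestamp src dst", one connection per line) is an assumption. It flags every source that contacts a listed host, upgrades the alert to "beaconing" when the inter-arrival times are regular (low coefficient of variation), records the first-seen time, and computes the lead time to a later extortion listing in the way the 30-day figure above is measured.

```python
"""Spot contacts and beaconing to known C2 hosts in outbound connection logs.

Added example, not Recorded Future's tooling. KNOWN_C2, SAMPLE_LOG, the source
addresses and LISTING_DATE are constructed; the real CleanUpLoader
infrastructure is not reproduced here. Assumes 'timestamp src dst' log lines.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Placeholder C2 set as a threat-intel feed would supply it (not real hosts).
KNOWN_C2 = {"c2-a.invalid", "c2-b.invalid", "c2-c.invalid"}

MIN_BEACONS = 4    # fewer contacts than this cannot establish a cadence
MAX_JITTER = 0.25  # stdev / mean of inter-arrival times; lower means more regular


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Split 'ISO-8601-timestamp src dst' into an aware datetime and two hosts."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst


def beacon_score(times: List[datetime]) -> Tuple[float, float]:
    """Return (mean interval in seconds, coefficient of variation) for sorted times."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    interval = mean(gaps)
    return interval, (pstdev(gaps) / interval if interval else float("inf"))


def find_beacons(lines: List[str]) -> List[dict]:
    """Group contacts by (src, C2) and grade each pair as 'contact' or 'beaconing'."""
    contacts: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        if dst in KNOWN_C2:
            contacts[(src, dst)].append(ts)
    alerts = []
    for (src, dst), times in sorted(contacts.items()):
        times.sort()
        alert = {"src": src, "c2": dst, "first_seen": times[0],
                 "beacons": len(times), "interval_s": None, "confidence": "contact"}
        if len(times) >= MIN_BEACONS:
            interval, jitter = beacon_score(times)
            alert["interval_s"] = round(interval)
            if jitter <= MAX_JITTER:
                alert["confidence"] = "beaconing"  # regular cadence: implant check-in
        alerts.append(alert)
    return alerts


def lead_time_days(first_seen: datetime, listed: datetime) -> int:
    """Whole days between the first observed C2 contact and the extortion listing."""
    return (listed - first_seen).days


# Constructed connection log: one host checking in every ~10 minutes, one with
# two stray contacts, one with an irregular burst, plus unrelated traffic.
SAMPLE_LOG = [
    "2024-06-01T08:00:00Z 10.20.0.5 c2-a.invalid",
    "2024-06-01T08:05:00Z 10.20.0.5 www.example.com",
    "2024-06-01T08:10:00Z 10.20.0.5 c2-a.invalid",
    "2024-06-01T08:20:05Z 10.20.0.5 c2-a.invalid",
    "2024-06-01T08:29:55Z 10.20.0.5 c2-a.invalid",
    "2024-06-01T08:40:00Z 10.20.0.5 c2-a.invalid",
    "2024-06-01T09:00:00Z 10.30.1.9 c2-b.invalid",
    "2024-06-01T16:45:00Z 10.30.1.9 c2-b.invalid",
    "2024-06-01T09:00:00Z 10.40.2.2 c2-c.invalid",
    "2024-06-01T09:01:00Z 10.40.2.2 c2-c.invalid",
    "2024-06-01T11:30:00Z 10.40.2.2 c2-c.invalid",
    "2024-06-01T11:31:00Z 10.40.2.2 c2-c.invalid",
]

# Constructed date on which the first source's organisation was listed.
LISTING_DATE = datetime(2024, 7, 3, tzinfo=timezone.utc)

if __name__ == "__main__":
    for a in find_beacons(SAMPLE_LOG):
        print(f"{a['src']} -> {a['c2']}: {a['confidence']} "
              f"({a['beacons']} contacts, interval {a['interval_s']}s, "
              f"first seen {a['first_seen'].isoformat()})")
```

Any contact with a listed host is worth a ticket; the cadence check only decides how loudly to shout. With real data the KNOWN_C2 set is the part that ages fastest, which is the timeliness point the Insikt team makes below.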

“This early detection method can in theory be applied to any ransomware group and its victims, provided its infrastructure can be detected and then combined with Recorded Future Network Intelligence. Achieving this depends on two key factors: timeliness and the breadth of malicious infrastructure detected,” the team said.

“As ransomware groups often use a mix of commercially available and custom tools and are constantly changing and evolving them, it is essential to quickly identify the reach of these tools by monitoring the threat landscape and developing and maintaining effective detections.

“Additionally, timeliness is critical, and our higher-level infrastructure insights are critical because they allow us to quickly detect and identify emerging infrastructure, complementing traditional hunting methods.”
