Rhysida Ransomware Attack Demo
Learn how to protect your organization from Rhysida ransomware.
This episode of the Juniper Threat Labs attack demo series is about the Rhysida Ransomware, how it has infected several organizations, and how the ransomware infection works. Following the demo, Juniper shows how its Juniper Connected Security customers with an SRX and Juniper ATP are already protected from this threat.
For more information about Juniper Threat Labs, visit: https://threatlabs.juniper.net/home/#/
You’ll learn
How Rhysida ransomware infiltrates and impacts infected organizations
How to protect against this threat with Juniper’s SRX firewall and ATP cloud-based anti-malware solution
Transcript
0:00 Welcome to the Juniper Threat Labs Attack
0:02 Demo series.
0:03 For this demo, we will be talking about Rhysida
0:06 ransomware.
0:07 This video will demonstrate how this ransomware
0:09 group works.
0:10 Afterwards, we'll show you how Juniper Networks
0:13 customers can be protected.
0:15 In May 2023, MalwareHunterTeam tweeted about
0:19 a new ransomware gang named Rhysida.
0:21 At that time, the gang did not claim any
0:24 infected organization.
0:25 However, shortly thereafter, the Rhysida ransomware
0:29 gang claimed to have infected the Caribbean island
0:31 of Martinique.
0:32 In a notice, the council that runs Martinique
0:35 said a cyber-attack heavily disrupted the activities of the
0:39 community and directly impacted users and partners.
0:43 This incident marked the initial episode of
0:46 several organizations that Rhysida claimed to have infected.
0:49 Not long after that, they claimed to have
0:52 infected a school in Illinois and then the Chilean Army.
0:55 Subsequently, they targeted additional institutions,
1:00 including universities, hospitals, healthcare organizations, and even government entities.
1:06 One of their latest hacks involves the claim
1:08 of infecting Insomniac Games.
1:10 They have issued a threat to leak 1.67 terabytes
1:14 of data unless Insomniac Games complies with their
1:17 ransom demand.
1:18 Usually when ransomware groups breach systems,
1:22 they employ a tactic known as double extortion.
1:24 This involves demanding a ransom payment to
1:27 decrypt victim data, coupled with a threat to release or
1:30 auction the stolen data unless the ransom is paid.
1:33 Typically, they create a leak site hosted
1:35 on TOR networks, using TOR for anonymity, making it
1:39 challenging to trace the origin of the traffic on their leak site.
1:42 They publish a list of organizations they
1:44 claim to have infected, and currently the claim extends to 71
1:49 organizations.
1:50 Furthermore, they post samples of stolen data
1:52 as proof of their successful hack.
1:54 Their most recent claim at the time this video
1:57 was created involves a university.
1:59 The university has been issued an ultimatum, which
2:01 in this case leaves less than six days to pay a ransom of
2:05 eight bitcoins.
2:06 For those willing to comply, they provide
2:08 convenient links to Coinbase and Binance, facilitating the
2:11 purchase of the required bitcoins at the current exchange rate.
2:15 With one Bitcoin valued at 42,908 U.S.
2:18 dollars, the ransom demanded from the university
2:22 totals 343,264 U.S.
2:24 dollars.
2:26 These recent attacks prompted both CISA and
2:30 the FBI to issue advisories on Rhysida ransomware.
2:33 In CISA's Stop Ransomware Cybersecurity Advisory,
2:36 they highlighted that Rhysida ransomware is
2:38 known for targeting various sectors opportunistically, including education, healthcare, manufacturing,
2:44 information technology and government.
2:47 The advisory also provides technical insights
2:52 such as Rhysida's initial access methods, specifically its
2:55 utilization of remote services like VPNs to access networks.
3:00 Additionally, they exploit vulnerabilities
3:02 like Zerologon to elevate privileges and engage in phishing
3:06 attacks.
3:07 Once inside a network, Rhysida employs living-
3:10 off-the-land techniques to navigate and conduct its
3:13 operations.
3:14 Among the tools in their arsenal are PowerShell,
3:17 PsExec, RDP, PuTTY, PortStarter, SecretsDump, NTDSUtil,
3:23 AnyDesk, the Windows Event Utility tool, and PowerView.
3:28 Notably, the ransomware appends the .rhysida extension
3:34 to all the files it encrypts.
3:37 Now, let's walk through how the ransomware
3:41 infection works.
3:42 In this demonstration, we'll be using Kali
3:45 Linux to host our malware.
3:47 Using PowerShell, we'll download and execute
3:50 the ransomware on our target system running Windows.
3:57 Once the command is executed, we'll launch
4:04 a process monitor to gain visibility into what is
4:06 happening in the background.
4:11 As observed, powershell.exe instantiates, and within a few seconds it
4:15 spawns a new process named Rhysida.exe.
4:17 Notably, Rhysida.exe is running with high
4:21 CPU usage as it has started encrypting files on the system.
4:28 Specifically, files within the Python folder
4:36 have already been encrypted and are now appended with
4:39 the .rhysida extension.
4:41 The ransomware has also dropped a PDF file,
4:46 CriticalBreachDetected.pdf, serving as the ransom note.
4:51 Upon opening the PDF file, it reveals the
4:56 secret key that must be entered on their leak site.
5:04 Once it completes encrypting all files, the
5:12 ransomware modifies the desktop screen to display the
5:15 ransom note.
5:21 Visibly, our desktop files are encrypted and
5:29 opening them shows that they contain gibberish data.
5:32 Let's now look and see whether or not this
5:34 attack works as successfully with a Juniper SRX firewall
5:38 enhanced with protection from Juniper's cloud-based advanced anti-malware solution, Juniper
5:43 ATP.
5:44 For the demo, Juniper Threat Labs is using
5:46 the following setup.
5:48 We have a vSRX pictured in the center.
5:51 The vSRX is a virtual SRX firewall providing
5:55 network security protection.
5:57 Its purpose is to inspect network traffic
5:59 and to detect malware with the assistance of Juniper ATP
6:03 Cloud.
6:04 In addition to the virtual firewall and cloud-
6:06 based protections, we are using Juniper Security Director,
6:11 which is a centralized management system.
6:14 It is used to facilitate our configuring and
6:17 monitoring of the vSRX firewall, and we are using Juniper's
6:21 Policy Enforcer as well.
6:23 Policy Enforcer is a user-intent-based tool
6:26 that automates threat management, policy updates and
6:29 distribution across Juniper and third-party network devices.
6:32 It helps automate threat remediation and micro-
6:35 segmentation of policies across the network.
6:38 We also have several Windows workstations,
6:40 each of which is connected to the vSRX.
6:42 Finally, we have an Ubuntu server acting as
6:46 the malware download server where we host our
6:49 ransomware.
6:50 Before we proceed and attempt to simulate
6:51 this attack with Juniper Connected Security Solutions in
6:54 place providing protection, let's first take a look at the threat prevention policy that
7:00 we've set up on our Security Director and applied to the vSRX.
7:04 To access the policy, we'll navigate to the
7:08 Configure tab and then we select Threat Prevention and
7:12 Policies.
7:13 As you can see, we already have an existing
7:16 policy in place.
7:18 Let's further inspect the protections being
7:20 enforced by the applied policy.
7:22 For this demo, our policies are configured
7:25 to block command and control traffic at threat level 8 and
7:28 above.
7:29 We've also set it up to block infected hosts
7:32 at threat level 8 and above.
7:34 Additionally, we've configured our policy
7:37 to use ATP Cloud for malware detection and, as you can
7:42 see, we've elected to scan HTTP downloads and block threats at level 7 and above.
7:48 This threat prevention policy applied to the
7:51 vSRX firewall is a critical component of our defenses,
7:56 protecting our systems against malware-related attacks.
7:59 It allows us to detect and block malicious
8:01 traffic as well as the activity of potentially infected hosts,
8:05 which will then prevent the spread of malware throughout our network in the event that one
8:09 of our systems gets compromised.
8:11 With that, let's proceed with the attack using
8:15 Juniper Connected Security.
8:16 To get started, we'll connect to our target
8:19 system and open the command prompt where we will
8:22 execute the PowerShell attack.
8:24 We will also open Wireshark to have visibility
8:27 of the network traffic.
8:37 After launching our attack, we look at the HTTP downloads
8:49 in Wireshark.
8:50 Notice that there is a GET request for Rhysida.exe.
8:54 However, further inspection of the TCP stream
8:59 reveals that the request returned "This request has
9:02 been blocked due to possible malware detection."
9:05 We can verify that by navigating to the download
9:13 directory,
9:25 where we can see that we cannot execute the file Rhysida.exe, as it is not a valid executable
9:30 file.
9:31 This shows that the SRX was able to successfully
9:34 block the malware.
9:36 We can verify this in the Security Director
9:38 by navigating to Monitor > Threat Prevention > HTTP
9:42 File Download.
9:44 Here, the file Rhysida.exe is flagged with
9:51 a threat level of 10.
9:52 According to the policy we configured earlier,
9:56 threats with threat level 7 and above will be blocked.
10:00 We can find more details about this file when
10:02 we click on it, such as the URL and the host where this
10:05 malicious activity was detected.
10:08 We can also see more information such as behavior
10:11 analysis, network activity, and behavior details, as
10:26 well as the MITRE ATT&CK matrix.
10:28 It's crucial to emphasize that Juniper ATP
10:31 determines the threat level of a file through machine
10:34 learning utilizing the gathered information.
10:36 This means it doesn't rely on specific signatures,
10:41 providing a dynamic and adaptive approach to
10:43 identifying potential threats.
10:44 Note that while the attack was unsuccessful,
10:47 recall that the security policy being enforced on the vSRX
10:51 blocks host network activity when it detects threats at level 8 and above.
10:55 When we click on ATP Cloud Hosts, we can
10:58 see that the IP 10.0.1.40 is flagged at threat level 9.
11:03 This threat level score is determined by multiple
11:06 factors such as malicious activities by that host
11:09 including malware downloads and command and control connections.
11:12 This host is now included in the infected
11:15 hosts feed.
11:16 What this means is that this host is now isolated
11:20 and disconnected from the network temporarily.
11:23 As it shows here, we do not have an Internet
11:27 connection as we visit a couple of websites.
11:33 Clicking on this host provides us with more
11:37 details on why it is blocked, which in this case is because the host
11:41 attempted to download a malicious file with threat level 10.
11:45 Once the admin is sure that the host or server
11:48 is indeed free from infection, she can first select the
11:51 host and then, under the Investigation Status section, select "Resolved Fixed", which
11:56 changes the status of this host to clean
12:04 and excludes this host from the infected hosts feed.
12:10 After a few moments, this host will be connected
12:13 back to the network again.
12:15 We can verify that on the host by browsing
12:17 the net.
12:23 That completes our demo of Rhysida ransomware.
12:30 Check out more videos from the Juniper Threat
12:33 Labs attack demo series by visiting juniper.net.
12:35 Thanks for watching.