win.rhysida

Rhysida


There is no description at this point.

References
2023-11-15 | Fortinet | Andrew Nicchi, John Simmons, Amey Gat, Mark Robson
@online{nicchi:20231115:investigating:f9d3365, author = {Andrew Nicchi and John Simmons and Amey Gat and Mark Robson}, title = {{Investigating the New Rhysida Ransomware}}, date = {2023-11-15}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/investigating-the-new-rhysida-ransomware}, language = {English}, urldate = {2023-11-22} } Investigating the New Rhysida Ransomware
Rhysida
2023-10-26 | Avast Decoded | Threat Research Team
@online{team:20231026:rhysida:08ca4b6, author = {Threat Research Team}, title = {{Rhysida Ransomware Technical Analysis}}, date = {2023-10-26}, organization = {Avast Decoded}, url = {https://decoded.avast.io/threatresearch/rhysida-ransomware-technical-analysis/}, language = {English}, urldate = {2023-10-30} } Rhysida Ransomware Technical Analysis
Rhysida
2023-08-09 | BleepingComputer | Bill Toulas
@online{toulas:20230809:rhysida:07e5cfb, author = {Bill Toulas}, title = {{Rhysida ransomware behind recent attacks on healthcare}}, date = {2023-08-09}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/rhysida-ransomware-behind-recent-attacks-on-healthcare/}, language = {English}, urldate = {2023-08-25} } Rhysida ransomware behind recent attacks on healthcare
Rhysida
2023-08-09 | Trend Micro | Trend Micro Research
@online{research:20230809:overview:973753a, author = {Trend Micro Research}, title = {{An Overview of the New Rhysida Ransomware Targeting the Healthcare Sector}}, date = {2023-08-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html}, language = {English}, urldate = {2023-08-10} } An Overview of the New Rhysida Ransomware Targeting the Healthcare Sector
Rhysida
2023-08-08 | Cisco Talos | Cisco Talos
@online{talos:20230808:what:0316750, author = {Cisco Talos}, title = {{What Cisco Talos knows about the Rhysida ransomware}}, date = {2023-08-08}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/rhysida-ransomware/}, language = {English}, urldate = {2023-08-10} } What Cisco Talos knows about the Rhysida ransomware
Rhysida
2023-08-08 | Checkpoint | Checkpoint Research
@online{research:20230808:rhysida:d28daad, author = {Checkpoint Research}, title = {{THE RHYSIDA RANSOMWARE: ACTIVITY ANALYSIS AND TIES TO VICE SOCIETY}}, date = {2023-08-08}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/}, language = {English}, urldate = {2023-08-10} } THE RHYSIDA RANSOMWARE: ACTIVITY ANALYSIS AND TIES TO VICE SOCIETY
Rhysida
2023-08 | LinkedIn (PRODAFT) | PRODAFT
@online{prodaft:202308:organic:4714845, author = {PRODAFT}, title = {{An organic relationship between the #Rhysida and #ViceSociety ransomware teams}}, date = {2023-08}, organization = {LinkedIn (PRODAFT)}, url = {https://www.linkedin.com/posts/prodaft_organic-relationship-between-rhysida-vice-activity-7091777236663427072-NQEs}, language = {English}, urldate = {2023-08-10} } An organic relationship between the #Rhysida and #ViceSociety ransomware teams
Rhysida
2023-06-29 | SentinelOne | Alex Delamotte, Jim Walter
@online{delamotte:20230629:rhysida:bd98b88, author = {Alex Delamotte and Jim Walter}, title = {{Rhysida Ransomware | RaaS Crawls Out of Crimeware Undergrowth to Attack Chilean Army}}, date = {2023-06-29}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/rhysida-ransomware-raas-crawls-out-of-crimeware-undergrowth-to-attack-chilean-army/}, language = {English}, urldate = {2023-07-05} } Rhysida Ransomware | RaaS Crawls Out of Crimeware Undergrowth to Attack Chilean Army
Rhysida
2023-05-23 | Secplicity | Ryan Estes
@online{estes:20230523:scratching:a781f78, author = {Ryan Estes}, title = {{Scratching the Surface of Rhysida Ransomware}}, date = {2023-05-23}, organization = {Secplicity}, url = {https://www.secplicity.org/2023/05/23/scratching-the-surface-of-rhysida-ransomware/}, language = {English}, urldate = {2023-06-19} } Scratching the Surface of Rhysida Ransomware
Rhysida
Yara Rules
[TLP:WHITE] win_rhysida_auto (20230715 | Detects win.rhysida.)
rule win_rhysida_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.rhysida."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhysida"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTE (how to read and tune this rule)
     * - Each $sequence_N is a run of 7 opcode byte patterns taken from one
     *   sample (see "n = 7" in the generated comments). "e8????????" is a
     *   `call` with its 4-byte relative target wildcarded, so the sequences
     *   tolerate relocated or re-linked call destinations.
     * - The REX prefixes visible in most sequences (48/49/4c/44/45) indicate
     *   x86-64 code; a 32-bit build of the family is unlikely to match.
     * - The mnemonic column printed beside each byte row does NOT correspond
     *   to the bytes next to it and should not be relied on when triaging a
     *   hit: e.g. 498d4c2430 decodes to `lea rcx, [r12+0x30]` (not `mov ecx,
     *   eax`), c1f808 to `sar eax, 8`, 90 to `nop`, b800000000 to
     *   `mov eax, 0`. Treat the hex strings as the authoritative content.
     * - The condition requires any 7 of the 10 sequences plus a file-size
     *   bound in bytes (2369536 ~= 2.26 MiB). That bound comes from the
     *   documented sample; larger memory dumps or padded/repacked files will
     *   not match even when all sequences are present -- relax it
     *   deliberately if scanning such artefacts.
     */

    strings:
        $sequence_0 = { e8???????? 498d4c2430 e8???????? 498d4c2448 e8???????? 498d4c2460 e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   498d4c2430           | mov                 ecx, eax
            //   e8????????           |                     
            //   498d4c2448           | mov                 eax, dword ptr [ebp - 8]
            //   e8????????           |                     
            //   498d4c2460           | imul                eax, dword ptr [ebp + 0x28]
            //   e8????????           |                     

        $sequence_1 = { c1f808 4189c1 4c8b45a0 488b45a0 488d50fc 8b02 8d4801 }
            // n = 7, score = 100
            //   c1f808               | je                  0xa0c
            //   4189c1               | dec                 esp
            //   4c8b45a0             | mov                 edx, esp
            //   488b45a0             | mov                 eax, 0xfffffffd
            //   488d50fc             | inc                 ebp
            //   8b02                 | test                ebx, ebx
            //   8d4801               | je                  0xa0e

        $sequence_2 = { f30f10858c000000 8b9588000000 488d45e0 488d4dc8 48894c2438 488d4dcc 48894c2430 }
            // n = 7, score = 100
            //   f30f10858c000000     | dec                 eax
            //   8b9588000000         | cwde                
            //   488d45e0             | movss               xmm0, dword ptr [ebp + 0x1b0]
            //   488d4dc8             | movss               dword ptr [ebp + eax*4 + 0xa0], xmm0
            //   48894c2438           | jmp                 0x277
            //   488d4dcc             | mov                 eax, dword ptr [ebp + 0xb8]
            //   48894c2430           | dec                 eax

        $sequence_3 = { 488d1591430500 488d0d02440500 e8???????? eb01 90 837db800 7e06 }
            // n = 7, score = 100
            //   488d1591430500       | inc                 ecx
            //   488d0d02440500       | shr                 ebp, 0x18
            //   e8????????           |                     
            //   eb01                 | shr                 ecx, 0x10
            //   90                   | inc                 esi
            //   837db800             | xor                 edi, dword ptr [ebp + ebp*4]
            //   7e06                 | movzx               esi, cl

        $sequence_4 = { f30f59c2 f30f58c1 f30f114550 f30f108518010000 f30f598518010000 0f2e4550 7616 }
            // n = 7, score = 100
            //   f30f59c2             | movss               dword ptr [eax], xmm0
            //   f30f58c1             | cvtsi2ss            xmm0, dword ptr [ebp - 0x20]
            //   f30f114550           | addss               xmm0, dword ptr [ebp - 4]
            //   f30f108518010000     | dec                 eax
            //   f30f598518010000     | mov                 eax, dword ptr [ebp + 0x40]
            //   0f2e4550             | movss               dword ptr [eax + 4], xmm0
            //   7616                 | dec                 eax

        $sequence_5 = { e8???????? 6683f801 740a b800000000 e9???????? 488b45e8 4883c002 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   6683f801             | movd                eax, mm0
            //   740a                 | fld                 xword ptr [esp + 0x50]
            //   b800000000           | dec                 eax
            //   e9????????           |                     
            //   488b45e8             | shr                 eax, 0x20
            //   4883c002             | test                eax, eax

        $sequence_6 = { 4489c7 4963f1 48833b00 0f8473030000 4885ed 0f8451030000 4585c0 }
            // n = 7, score = 100
            //   4489c7               | mov                 dword ptr [eax], edx
            //   4963f1               | mov                 edx, 0
            //   48833b00             | dec                 eax
            //   0f8473030000         | lea                 eax, [0x564c8]
            //   4885ed               | dec                 eax
            //   0f8451030000         | mov                 edx, eax
            //   4585c0               | dec                 eax

        $sequence_7 = { e8???????? 8b45ec 85c0 7519 488b4510 41b800000000 ba00000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b45ec               | mov                 eax, dword ptr [eax + 0x28]
            //   85c0                 | add                 eax, 1
            //   7519                 | dec                 eax
            //   488b4510             | cwde                
            //   41b800000000         | dec                 eax
            //   ba00000000           | lea                 edx, [eax*8]

        $sequence_8 = { c1f802 89c2 89d0 01c0 01d0 89458c 8b458c }
            // n = 7, score = 100
            //   c1f802               | push                ebp
            //   89c2                 | inc                 ecx
            //   89d0                 | push                esp
            //   01c0                 | push                ebp
            //   01d0                 | push                edi
            //   89458c               | push                esi
            //   8b458c               | push                ebx

        $sequence_9 = { 7e12 4c8b6e10 4b8b4c3d00 48f7d1 4821e9 4c01f1 4921e9 }
            // n = 7, score = 100
            //   7e12                 | jne                 0x30
            //   4c8b6e10             | inc                 ecx
            //   4b8b4c3d00           | movzx               ecx, byte ptr [edx + 7]
            //   48f7d1               | dec                 ecx
            //   4821e9               | add                 edx, 8
            //   4c01f1               | add                 ecx, 1
            //   4921e9               | inc                 ecx

    condition:
        // Any 7 of the 10 $sequence_* strings; filesize bound is in bytes.
        7 of them and filesize < 2369536
}