When someone mentions ransomware, most people think of modern families such as CryptoLocker (2013), WannaCry (2017), or Petya (2016) and NotPetya (2017). However, the first known ransomware dates back to 1989. It was written by Dr. Joseph Popp and is known as the AIDS Trojan or PC Cyborg.

It targeted MS-DOS systems and was distributed on floppy disks sent by post. After a set number of reboots the AIDS Trojan hid directories and encrypted the file names on the C: drive (the file contents were left intact), then demanded a "licence fee" to restore them. Victims were instructed to send the payment to a PO Box in Panama in exchange for the decryption key.


The goal of the AIDS Trojan and of any modern ransomware is the same: encrypt the victim's data, lock them out, and demand payment for the decryption key. The same applies to Rhysida ransomware, one of the newer families, which also steals documents before encrypting and has leaked data from private companies and government institutions, including the Chilean Army.

In this article, we will unpack Rhysida ransomware, explain what it does, and how to protect your business workloads from it.

What is Rhysida Ransomware?

Rhysida is the name of both the ransomware and the criminal group that operates it. The group's name first surfaced in security reports in May 2023. The group presents itself as a "cybersecurity team" whose aim is to make victims aware of weaknesses in their security. In reality it is an extortion operation: it recently attacked the Chilean Army, publicised the breach, and leaked sensitive documents on its dark-web leak site.
It also claimed responsibility for an attack on the government of Martinique, a French overseas territory in the Caribbean.


How does it work?

Rhysida ransomware is mostly distributed via phishing campaigns. Later public reporting on the group also described initial access through exposed remote services such as VPN portals protected by a password alone, which is why the MFA advice below matters.
Security reports describe Rhysida as an early-stage project with rough edges. For instance, during analysis the sample tried to replace the desktop background with its own wallpaper and failed to do so, which looks like a bug in the ransomware rather than intended behaviour.

When Rhysida ransomware is executed, it runs as a console program (a Command Prompt window, cmd.exe, opens), enumerates the files on all local drives, and encrypts them. Each encrypted file has the extension .rhysida appended to its original name, as shown in the screenshot below.


Extension .rhysida is added to files

The Rhysida group wants you to contact them and pay for the decryption of your data. Before taking payment they ask for the unique victim identifier printed in the ransom note. The note is a PDF file named "CriticalBreachDetected.pdf" that is generated and saved in the root of C:\. It contains instructions on how to pay and obtain the decryption key. This is what the file looks like.


CriticalBreachDetected.pdf
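The two artefacts described above, the appended .rhysida extension and the CriticalBreachDetected.pdf note, are enough to scope an incident: which shares were reached, how many files were hit, and which directories still hold clean data worth salvaging. The following sweep is an added example written for this article (it is not code from the original post or from any vendor). The indicator names come from the article; the directory layout it builds is constructed so the script runs offline.

```python
"""Sweep a directory tree for Rhysida post-encryption indicators.

Added example, not code from the original article or from any vendor.
Indicators assumed from the article: an appended ".rhysida" extension
and a ransom note named "CriticalBreachDetected.pdf".
"""
import os
import tempfile
from collections import Counter

RANSOM_NOTE = "CriticalBreachDetected.pdf"
ENCRYPTED_EXT = ".rhysida"


def sweep(root):
    """Walk `root` and collect indicator counts.

    Returns the number of files carrying the encrypted extension, the
    directories where ransom notes were found, and a per-directory count
    of encrypted files (useful for deciding what to restore first).
    """
    encrypted_per_dir = Counter()
    notes = []
    total_files = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total_files += 1
            if name.endswith(ENCRYPTED_EXT):
                encrypted_per_dir[dirpath] += 1
            elif name == RANSOM_NOTE:
                notes.append(dirpath)
    encrypted = sum(encrypted_per_dir.values())
    return {
        "total_files": total_files,
        "encrypted_files": encrypted,
        "encrypted_ratio": (encrypted / total_files) if total_files else 0.0,
        "ransom_note_dirs": sorted(notes),
        "encrypted_per_dir": dict(encrypted_per_dir),
    }


def verdict(report, ratio_threshold=0.5):
    """'encrypted' if a note is present or most files were hit,
    'suspicious' if any encrypted file exists at all, else 'clean'."""
    if report["ransom_note_dirs"] or report["encrypted_ratio"] >= ratio_threshold:
        return "encrypted"
    if report["encrypted_files"]:
        return "suspicious"
    return "clean"


def build_sample_tree():
    """Constructed throwaway tree imitating a partially encrypted share.
    The file names and contents are made up for this example."""
    root = tempfile.mkdtemp(prefix="rhysida-demo-")
    layout = {
        "finance": ["q1.xlsx.rhysida", "q2.xlsx.rhysida", RANSOM_NOTE],
        "hr": ["handbook.docx.rhysida", RANSOM_NOTE],
        "public": ["readme.txt"],  # directory the malware never reached
    }
    for sub, names in layout.items():
        directory = os.path.join(root, sub)
        os.makedirs(directory)
        for name in names:
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(b"placeholder")
    return root


if __name__ == "__main__":
    report = sweep(build_sample_tree())
    print(verdict(report), report["encrypted_files"], report["ransom_note_dirs"])
```

Run it against a mounted (read-only) copy of the affected volume rather than the live host, and treat a "suspicious" result as worth a closer look: a handful of .rhysida files with no note usually means the encryption run was interrupted or the note was cleaned up.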

How to protect your infrastructure from Rhysida ransomware?

As with any other cyberattack, there are common best practices that reduce the risk. We list some of them below and then show, based on our experience, how backup and disaster recovery keep your data recoverable.

Patch your systems. "Systems" means everything from the physical layer (for example Dell PowerEdge servers, Cisco switches, or EMC storage firmware) to the operating system (Windows, Linux, macOS) and the application layer (Chrome, Acrobat Reader, etc.). Make sure they are fully patched with the latest updates and security fixes, and give priority to internet-facing systems such as VPN gateways and remote access portals, since those are what an attacker reaches first.

Implement strong passwords and enable MFA (Multi-Factor Authentication). Enforce a password policy with a minimum of 10 characters (longer is better) drawn from lowercase letters, capital letters, digits, and special characters, together with account lockout and password history so that old passwords cannot be reused.
Even a strong 20-character password is not enough on its own, because a phishing page hands it straight to the attacker. Enable MFA for all users, and first of all for VPN, remote desktop gateways, email, and administrator accounts. Prefer authenticator apps or hardware tokens (for example FIDO2 USB keys) over SMS codes, which can be intercepted or redirected through SIM swapping.

Implement network monitoring. Monitoring lets you detect an intrusion while it is still in progress instead of learning about it from a ransom note. For ransomware specifically, watch for unusual logons (new VPN accounts, logons at odd hours or from new countries), large outbound transfers that may be the data theft that precedes encryption, and bursts of file renames or writes on file shares.
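A mass-rename burst on a file share is the most reliable of those signals, because encryption cannot happen without it. The detector below is an added example written for this article (not code from the original post or from any monitoring product). The audit log format it parses is invented for the example and the log lines are constructed; adapt parse() to your own export (Windows 4663/4670 events, Sysmon event 11, NAS audit logs). It keys on whatever extension gets appended rather than the literal .rhysida, so it also catches a renamed variant or a different family.

```python
"""Burst detector for ransomware-style mass renames in file-server audit logs.

Added example for this article, not code from the original post or from
any vendor. The line format is made up for the example; adapt parse() to
your own audit export. Records are assumed to arrive in time order.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log: "alice" renames five files to .rhysida within two
# seconds and drops the ransom note; "bob" performs ordinary, spaced-out renames.
SAMPLE_LOG = """\
2023-06-12T10:15:01Z host=FS01 user=alice op=RENAME src=/share/finance/q1.xlsx dst=/share/finance/q1.xlsx.rhysida
2023-06-12T10:15:01Z host=FS01 user=alice op=RENAME src=/share/finance/q2.xlsx dst=/share/finance/q2.xlsx.rhysida
2023-06-12T10:15:02Z host=FS01 user=alice op=RENAME src=/share/finance/budget.docx dst=/share/finance/budget.docx.rhysida
2023-06-12T10:15:02Z host=FS01 user=alice op=WRITE src=- dst=/share/finance/CriticalBreachDetected.pdf
2023-06-12T10:15:03Z host=FS01 user=alice op=RENAME src=/share/hr/handbook.docx dst=/share/hr/handbook.docx.rhysida
2023-06-12T10:15:03Z host=FS01 user=alice op=RENAME src=/share/hr/payroll.xlsx dst=/share/hr/payroll.xlsx.rhysida
2023-06-12T10:20:00Z host=FS01 user=bob op=RENAME src=/share/eng/draft.txt dst=/share/eng/final.txt
2023-06-12T11:05:00Z host=FS01 user=bob op=RENAME src=/share/eng/old.log dst=/share/eng/old.log.bak
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield rec


def appended_extension(src, dst):
    """Return the suffix dst gained on top of src (e.g. '.rhysida'), or None
    when the rename did not simply append an extension."""
    if dst.startswith(src + "."):
        return dst[len(src):]
    return None


def detect_bursts(records, threshold=5, window_s=60):
    """Sliding-window rule: alert when one (host, user) appends the same new
    extension to `threshold` or more files within `window_s` seconds."""
    windows = defaultdict(deque)   # (host, user, ext) -> recent timestamps
    alerts, fired = [], set()
    for rec in records:
        if rec["op"] != "RENAME":
            continue
        ext = appended_extension(rec["src"], rec["dst"])
        if ext is None:
            continue
        key = (rec["host"], rec["user"], ext)
        q = windows[key]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and key not in fired:   # one alert per burst
            fired.add(key)
            alerts.append({
                "host": rec["host"], "user": rec["user"], "extension": ext,
                "count": len(q), "first": q[0].isoformat(), "last": rec["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse(SAMPLE_LOG)):
        print(alert)
```

Tune threshold and window_s against a week of your own audit data before wiring the alert to an automated response (for example disabling the user's share access): a legitimate bulk rename by a backup or archiving job looks the same on the wire, so the account and host in the alert are what the responder checks first.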

Anti-malware software and solutions. Your operating systems and infrastructure should be protected by anti-malware, firewalls, IDS, IPS, and similar controls, and the alerts they raise must actually reach someone who acts on them. If you run Windows 10, we have written an article that adds an extra layer of ransomware protection: An Extra Layer of Ransomware Protection for Windows 10.

Educate your employees. As mentioned, Rhysida is mostly distributed through phishing. In practice a user receives a phishing email, clicks the link or opens the attachment, and the machine is infected. To counter this effectively, employees and other end users need regular, ongoing security training, including a simple way to report suspicious messages. Security is a shared responsibility: it starts with the IT team and extends to every end user, and untrained users are a risk to any organization.

Implement backup and disaster recovery. This is where our experience comes into play. Backup and disaster recovery are the controls that make an encryption attack survivable, because they let you restore your data and workloads (Windows, Linux, VMware, Hyper-V, and others) without paying. The next section covers this in detail.

How can BDRSuite help against Rhysida ransomware?

BDRSuite is our flagship product; it protects your data by backing it up to on-premise and cloud locations. First of all, we recommend a 3-2-1 backup strategy: keep (3) copies of your data, on at least (2) different types of media, with at least (1) copy stored offsite. Ideally that offsite copy is also offline or immutable, so that an attacker who has obtained domain administrator rights still cannot delete it. You can read more here: Use 3-2-1 Backup Strategy to Recover from Ransomware.

The same approach applies if you are hit by Rhysida or any other ransomware. We have covered similar ground for the Annabelle and Bad Rabbit ransomware families, and you can read more about them here: The Annabelle Ransomware and Bad Rabbit Ransomware.

BDRSuite lets you back up workloads from different operating systems, hypervisors, and clouds. As the screenshot below shows, this includes VMware, Hyper-V, Windows, Linux, AWS, Azure, and others. The backup data is encrypted at rest.


Protect Workloads across Data Center & Private Cloud

However, having backups is not the same as having usable backups. Ransomware operators look for backup servers and repositories and try to encrypt or delete them before they trigger the encryption of production systems, and a scheduled backup job will happily copy already-encrypted files over a good backup set.

This is why BDRSuite also lets you create immutable backups. An immutable backup cannot be modified or deleted until its retention period expires, regardless of who or what requests the change. In practical terms, if Rhysida reaches the repository and attempts to encrypt, rename, or delete the backup files, the write is refused and the backup remains intact for restore.

You can read a detailed overview of immutable backup in our blog article Immutable Backups – A Lifeline Against Ransomware.
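Immutability stops the repository from being changed; it does not by itself tell you whether a copy you are about to restore from is the good one. The check below, an added example written for this article (not BDRSuite code and not a substitute for an immutable repository), records a SHA-256 manifest of each backup set when it is written and verifies it later. The manifest list is protected with an HMAC so an attacker who can rewrite the manifest cannot make tampered data pass. The key is hard-coded only so the example runs offline; in practice the key and the manifest live somewhere the backup host cannot write. The backup files, the simulated Rhysida run (file renamed to .rhysida and overwritten, CriticalBreachDetected.pdf dropped), and the forged manifest are all constructed for the example.

```python
"""Integrity manifest for backup copies: detect a backup set that was
encrypted, renamed, or deleted after it was written.

Added example for this article; it is not BDRSuite code and does not
replace an immutable repository. It assumes the manifest and its key are
kept somewhere the backup host cannot write (the key below is hard-coded
only so the example runs offline).
"""
import hashlib
import hmac
import json
import os
import tempfile

MANIFEST_KEY = b"constructed-demo-key-keep-the-real-one-off-the-backup-host"


def sha256_file(path):
    """Stream a file through SHA-256 so large images are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(backup_dir):
    """Map relative path -> SHA-256 for every file under backup_dir."""
    entries = {}
    for dirpath, _dirs, files in os.walk(backup_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            entries[os.path.relpath(path, backup_dir)] = sha256_file(path)
    return entries


def mac_for(entries):
    """HMAC over the canonical JSON of the entries, so the manifest itself
    cannot be silently rewritten to match tampered data."""
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()


def write_manifest(backup_dir, manifest_path):
    """Hash the backup set and store the list together with its MAC."""
    entries = hash_tree(backup_dir)
    with open(manifest_path, "w") as fh:
        json.dump({"entries": entries, "tag": mac_for(entries)}, fh, sort_keys=True)
    return entries


def verify_backup(backup_dir, manifest_path):
    """Return (ok, problems). problems names files that were modified,
    removed, or added, plus 'manifest-tampered' if the MAC does not match."""
    with open(manifest_path) as fh:
        doc = json.load(fh)
    problems = []
    if not hmac.compare_digest(mac_for(doc["entries"]), doc["tag"]):
        problems.append("manifest-tampered")
    current = hash_tree(backup_dir)
    for rel, digest in doc["entries"].items():
        if rel not in current:
            problems.append("missing:" + rel)
        elif current[rel] != digest:
            problems.append("modified:" + rel)
    problems += ["unexpected:" + rel for rel in current if rel not in doc["entries"]]
    return (not problems, sorted(problems))


def demo():
    """Constructed scenario: two backup files, a clean check, a simulated
    Rhysida run against the repository, then a forged manifest.
    Returns the three verdicts."""
    backup = tempfile.mkdtemp(prefix="backup-")
    manifest = os.path.join(tempfile.mkdtemp(prefix="manifest-"), "manifest.json")
    for name in ("vm01.img", "fileserver.tar"):
        with open(os.path.join(backup, name), "wb") as fh:
            fh.write(b"backup payload for " + name.encode())
    write_manifest(backup, manifest)
    clean = verify_backup(backup, manifest)

    # Ransomware renames one copy, overwrites it, and drops its note.
    victim = os.path.join(backup, "vm01.img")
    os.rename(victim, victim + ".rhysida")
    with open(victim + ".rhysida", "wb") as fh:
        fh.write(b"\x00 ciphertext \x00")
    with open(os.path.join(backup, "CriticalBreachDetected.pdf"), "wb") as fh:
        fh.write(b"ransom note")
    tampered = verify_backup(backup, manifest)

    # Attacker rewrites the entry list to match, but cannot recompute the MAC.
    with open(manifest) as fh:
        doc = json.load(fh)
    doc["entries"] = hash_tree(backup)
    with open(manifest, "w") as fh:
        json.dump(doc, fh, sort_keys=True)
    forged = verify_backup(backup, manifest)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result)
```

Run verify_backup() from the restore side, on a schedule and again before any restore, and alert on any result other than (True, []). Combined with an immutable repository this gives you both properties you need after an incident: the copy cannot have been changed, and you can prove it has not been.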

We encourage you to download BDRSuite and test it in your environment: back up your workloads and protect them against Rhysida or any other ransomware. You can download it here, Download BDRSuite & Get Started Now, and install it on a Windows or Linux machine.

In case of any questions, feel free to drop us a message at vembu-support@vembu.com.

Wrap up

Ransomware is one of the most common types of malware today. Its goal is to encrypt your data and demand payment in exchange for the decryption key. Rhysida ransomware, operated by the Rhysida group, is one of the newer families and has already hit many organizations.

It is mostly spread via phishing. Once executed, it scans the local drives and encrypts the files it finds, appending the .rhysida extension to each one. It also drops a PDF file, CriticalBreachDetected.pdf, with instructions on how to contact the group and obtain the decryption key.

There are several ways to protect your infrastructure, and one of the most important is a proper backup and recovery strategy, including backups that cannot be altered. We can help you back up your data and keep those copies immutable, so that Rhysida cannot encrypt or delete them and a clean restore is always available. This article has provided a brief overview of the threat and of those defences.

