Rhysida Ransomware Attack Demo

0:00 Welcome to the Juniper Threat Labs Attack

0:02 Demo series.

0:03 For this demo, we will be talking about Rhysida

0:06 ransomware.

0:07 This video will demonstrate how this ransomware

0:09 group works.

0:10 Afterwards, we'll show you how Juniper Networks

0:13 customers can be protected.

0:15 In May 2023, MalwareHunterTeam tweeted about

0:19 a new ransomware gang named Rhysida.

0:21 At that time, the gang does not claim any

0:24 infected organization.

0:25 However, shortly thereafter, Rhysida ransomware

0:29 gang claimed to have infected the Caribbean island

0:31 of Martinique

0:32 In a notice, the council that runs Martinique

0:35 said a cyber-attack heavily disrupted the activities of the

0:39 community and directly impacted users and partners.

0:43 This incident marked the initial episode of

0:46 several organizations that Rhysida claimed to have infected.

0:49 Not long after that, they claimed to have

0:52 infected a school in Illinois and then the Chilean Army.

0:55 Subsequently, they targeted additional institutions,

1:00 including universities, hospitals, healthcare organizations, and even government entities.

1:06 One of their latest hack involves the claim

1:08 of infecting Insomniac Games.

1:10 They have issued a threat to leak 1.67 terabytes

1:14 of data unless Insomnia Games complies with their

1:17 ransom demand.

1:18 Usually when ransomware groups breach systems,

1:22 they employ a tactic known as double extortion.

1:24 This involves demanding a ransom payment to

1:27 decrypt victim data, coupled with a threat to release or

1:30 auction the stolen data unless the ransom is paid.

1:33 Typically, they create a leak site hosted

1:35 on TOR networks, using TOR for anonymity, making it

1:39 challenging to trace the origin of the traffic on their leak site.

1:42 They publish a list of organizations they

1:44 claim to have infected, and currently the claim extends to 71

1:49 organizations.

1:50 Furthermore, they post samples of stolen data

1:52 as a proof of their successful hack.

1:54 Their most recent claim at the time this video

1:57 is created involves a university.

1:59 The university is issued an ultimatum, which

2:01 in this case is less than six days left to pay a ransom of

2:05 eight bitcoins.

2:06 For those willing to comply, they provide

2:08 convenient links to Coinbase and Binance, facilitating the

2:11 purchase of the required bitcoins at the current exchange rate.

2:15 With one Bitcoin valued at 42,908 U.S.

2:18 dollars, the ransom demanded from the university

2:22 totals 343,264 U.S.

2:24 dollars.

2:26 These recent attacks prompted both CISA and

2:30 the FBI to issue advisories on Rhysida ransomware.

2:33 In CISA's Stop Ransomware Cybersecurity Advisory,

2:36 they highlighted that receipt of ransomware is

2:38 known for targeting various sectors opportunistically, including education, healthcare, manufacturing,

2:44 information technology and government.

2:47 The advisory also provides technical insights

2:52 such as Rhysida initial access methods, specifically its

2:55 utilization of remote services like VPNs to access networks.

3:00 Additionally, they exploit vulnerabilities

3:02 like Zerologon to elevate privileges and engage in phishing

3:06 attacks.

3:07 Once inside a network, Rhysida employs living

3:10 off the land techniques to navigate and conduct its

3:13 operations.

3:14 Among the tools in their arsenal are PowerShell,

3:17 PS Exec, RDP, Putty, Port Starter, SecretsDump, NTDS,

3:23 Util, AnyDesk, Windows Event utility Tool, and PowerView.

3:28 Notably, the ransomware appends .rhysida extension

3:34 to all the files it encrypts.

3:37 Now, let's walk through how the ransomware

3:41 infection works.

3:42 In this demonstration, we'll be using Kali

3:45 Linux to host our malware.

3:47 Using PowerShell, we'll download and execute

3:50 the ransomware on our target system running Windows.

3:57 Once the command is executed, we'll launch

4:04 a process monitor to gain visibility into what is

4:06 happening in the background.

4:11 As observed, powershell.exe instantiates and within a few seconds it

4:15 spawns a new process named Rhysida.exe.

4:17 Notably, Rhysida.exe is running with high

4:21 CPU usage as it has started encrypting files on the system.

4:28 Specifically, files within the Python folder

4:36 have already been encrypted and now appended with

4:39 .rhysida extension.

4:41 The ransomware has also dropped a PDF file,

4:46 CriticalBreachDetected.pdf serving as the ransom note.

4:51 Upon opening the PDF file, it reveals the

4:56 secret key necessary for inputting on their leak site.

5:04 Once it completes encrypting all files, the

5:12 ransomware modifies the desktop screen to display the

5:15 ransom note.

5:21 Visibly, our desktop files are encrypted and

5:29 opening them shows that they contain gibberish data.

5:32 Let's now look and see whether or not this

5:34 attack works as successfully with a Juniper SRX firewall

5:38 enhanced with protection from Juniper's cloud based advanced anti malware solution, Juniper

5:43 ATP.

5:44 For the demo, Juniper Threat Labs is using

5:46 the following setup.

5:48 We have a VSRX pictured in the center.

5:51 The VSRX is a virtual SRX firewall providing

5:55 network security protection.

5:57 Its purpose is to inspect network traffic

5:59 and to detect malware with the assistance of Juniper ATP

6:03 Cloud.

6:04 In addition to the virtual firewall and cloud

6:06 based protections, we are using Juniper Security Director

6:11 which is a centralized management system.

6:14 It is used to facilitate our configuring and

6:17 monitoring of the VSRX firewall and we are using Juniper's

6:21 Policy Enforcer as well.

6:23 Policy Enforcer is a user intent based tool

6:26 that automates threat management, policy updates and

6:29 distribution across Juniper and 3rd party network devices.

6:32 It helps automate threat remediation and micro

6:35 segmentation of policies across the network.

6:38 We also have several Windows workstations,

6:40 each of which is connected to the VSRX.

6:42 Finally, we have an Ubuntu server acting as

6:46 the malware download server where we host our

6:49 ransomware.

6:50 Before we proceed and attempt to simulate

6:51 this attack with Juniper Connected Security Solutions in

6:54 place providing protection, let's first take a look at the threat prevention policy that

7:00 we've set up on our Security Director and applied to the VSRX.

7:04 To access the policy, we'll navigate to the

7:08 Configure tab and then we select Threat Prevention and

7:12 Policies.

7:13 As you can see, we already have an existing

7:16 policy in place.

7:18 Let's further inspect the protections being

7:20 enforced by the applied policy.

7:22 For this demo, our policies are configured

7:25 to block command and control traffic at threat level 8 and

7:28 above.

7:29 We've also set it up to block infected hosts

7:32 at threat level 8 and above.

7:34 Additionally, we've configured our policy

7:37 to use ATP Cloud from malware detection and as you can

7:42 see, we've elected to scan HTTP Downloads and block threats at level 7 and above.

7:48 This threat prevention policy implied to the

7:51 VSRX firewall is a critical component of our defenses,

7:56 protecting our systems against malware related attacks.

7:59 It allows us to detect and block malicious

8:01 traffic as well as the activity of potentially infected hosts,

8:05 which will then prevent the spread of malware throughout our network in the event that one

8:09 of our systems gets compromised.

8:11 With that, let's proceed with the attack using

8:15 Juniper Connected Security.

8:16 To get started, we'll connect to our target

8:19 system and open the command prompt where we will

8:22 execute the PowerShell attack.

8:24 We will also open Wireshark to have a visibility

8:27 of the network traffic.

8:37 After launching our attack, we look at http://downloads

8:49 from Wireshark.

8:50 Notice that there is a GET request for Rhysida.exe.

8:54 However, further inspection of the TCP stream

8:59 reveals that the request returned, This request has

9:02 been blocked due to possible malware detection .

9:05 We can verify that by navigating the download

9:13 directory

9:25 and we can see that we cannot execute the file Rhysida.exe as it is not a valid executable

9:30 file.

9:31 This shows that the SRX was able to successfully

9:34 block the malware.

9:36 We can verify this in the Security Director

9:38 by navigating to Monitor > Threat Prevention and >HTTP

9:42 File Download.

9:44 Here, the file Rhysida.exe is flagged with

9:51 a threat level of 10.

9:52 According to our policy we configured earlier,

9:56 threats with threat level 7 and above will be blocked.

10:00 We can find more details about this file when

10:02 we clicked on it, such as the URL and the host where this

10:05 malicious activity was detected.

10:08 We can also see more information such as behavior

10:11 analysis, network activity, and behavior details, as

10:26 well as the MITRE attack matrix.

10:28 It's crucial to emphasize that Juniper ATP

10:31 determines the threat level of a file through machine

10:34 learning utilizing the gathered information.

10:36 This means it doesn't rely on specific signatures,

10:41 providing a dynamic and adaptive approach to

10:43 identifying potential threats.

10:44 Note that while the attack was unsuccessful,

10:47 recall that the security policy being enforced on the VSRX

10:51 locks host network activity when it detects threats at level 8 and above.

10:55 When we clicked on ATP cloud hosts, we can

10:58 see that the IP 10.0.1.40 is flagged at threat level 9.

11:03 This threat level score is determined by multiple

11:06 factors such as malicious activities by that host

11:09 including malware downloads and command and control connections.

11:12 This host then is now included in the infected

11:15 hosts feed.

11:16 What this means is that this host is now isolated

11:20 and disconnected from the network temporarily.

11:23 As it shows here, we do not have Internet

11:27 connection as we visit a couple of websites.

11:33 Clicking at this host provides us with more

11:37 details on why it is blocked, which in this case the host

11:41 attempted to download a malicious files with threat level 10.

11:45 Once the admin is sure that the host or server

11:48 is indeed free from infection, she can first select the

11:51 host and then under the Investigation Status section, she can select Resolved Fixed , which

11:56 changes the status of this host to clean

12:04 and exclude this host from the infected host's feed.

12:10 After a few moments, this host will be connected

12:13 back to the network again.

12:15 We can verify that on the host by browsing

12:17 the net.

12:23 That completes our demo of Rhysida ransomware.

12:30 Check out more videos from the Juniper Threat

12:33 Labs attack demo series by visiting juniper.net.

12:35 Thanks for watching.