Rhysida Ransomware analysis - A painful sting to Insomniac Games — ShadowStackRE
Common Information
Type Value
UUID 4dfbd58a-47dd-41f4-ac10-0cbe688b16ef
Fingerprint 9c3cdd3034698619
Analysis status DONE
Considered CTI value 0
Text language
Published Dec. 13, 2024, midnight
Added to db Aug. 31, 2024, 10:57 a.m.
Last updated Dec. 11, 2024, 10:04 a.m.
Headline Rhysida Ransomware
Title Rhysida Ransomware analysis - A painful sting to Insomniac Games — ShadowStackRE
Detected Hints/Tags/Attributes 52/1/17
RSS Feed
Attributes
Type                   Value                                                              #Events  CTI Value
Domain                 cisa.gov                                                           158
Domain                 github.com                                                         4283
Domain                 shadowstackre.com                                                  10
Domain                 opensource.org                                                     19
File                   cmd.exe                                                            2196
File                   wevtutil.exe                                                       98
File                   vssadmin.exe                                                       357
File                   thumbs.db                                                          146
File                   rundll32.exe                                                       1044
File                   user32.dll                                                         299
File                   criticalbreachdetected.pdf                                         19
Github username        libtom                                                             3
sha256                 b55ecbddcbed916481ad537807cd3e33cb71814be6ce8e03eb63b629ccb8c692   1
Url                    https://github.com/libtom/libtommath                               1
Url                    https://opensource.org/license/mit                                 10
Windows Registry Key   HKCU\Contol                                                        1
Yara rule              (rule text follows)                                                1
rule RhysidaRansomware {
	meta:
		description = "rule to detect Rhysida Ransomware"
		author = "ShadowStackRe.com"
		date = "2023-12-12"
		Rule_Version = "v1"
		malware_type = "ransomware"
		malware_family = "Rhysida"
		License = "MIT License, https://opensource.org/license/mit/"
	strings:
		$strShadowCopy = " vssadmin.exe Delete Shadows"
		$strRhsyida01 = "Rhysida-0.1"
		$strRhysida = "rhysida"
		$strRegKey1 = "cmd.exe /c reg delete \"HKCU\\Contol Panel\\Desktop"
		$strRegKey2 = "Policies\\ActiveDesktop\" /v NoChangingWallPaper"
		$strRunDll32 = "rundll32.exe user32.dll,UpdatePerUserSystemParameters"
		$strPDF = "CriticalBreachDetected.pdf"
	condition:
		all of them
}