How Recorded Future finds ransomware victims before they get hit

Threat intelligence specialist Recorded Future has revealed details of how it is now able to find – and alert – future victims of the Rhysida ransomware gang before it has a chance to deploy its ransomware locker.

Rhysida, perhaps most famous in the UK for the late-2023 attack on the British Library, has been active since around January 2023 and operates a standard double extortion, ransomware-as-a-service operation. It operates in diverse sectors, although it seems to have favoured targeting education and healthcare organisations.

Now, a new early detection technique developed at Recorded Future may prove to be a potential game-changer in the fight against ransomware, said the organisation’s internal Insikt Group research team.

“Insikt Group identified that Rhysida victims could be detected on average 30 days before appearing on public extortion sites. Monitoring Rhysida’s infrastructure…made this detection possible,” they wrote.

“The average dwell time between initial infection and ransomware deployment offers defenders a critical window to respond. By identifying network communications and other indicators of compromise [IoCs] early, security teams can act swiftly to neutralise threats before the attackers can encrypt data or issue ransom demands.”

Anatomy of a Rhysida attack

Rhysida uses a multi-tiered infrastructure to facilitate its attacks – creating typosquatting domains enhanced with SEO poisoning techniques to trick targets into visiting a payload server hosting a backdoor malware known as CleanUpLoader.

A particularly versatile backdoor, CleanUpLoader is most usually delivered as a fake installer for a legitimate piece of software – Google Chrome and Microsoft Teams being highly favoured in this regard because they are so widely used that more people are likely to click on them.

Once operational on the target system, CleanUpLoader serves to facilitate persistence – with multiple command-and-control (C2) domains included in its configuration it can rapidly fail over to another should one go offline or be compromised – and buys Rhysida time to exfiltrate its target’s data.
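The lure stage described above rests on domains that imitate the software being faked. As an added example (not Recorded Future’s or the Insikt Group’s code), the following Python script shows the kind of lookalike-domain check a defender can run over DNS or proxy logs: it flags labels that embed a watched brand name, labels within a small edit distance of one, and a brand label appearing on an unexpected TLD. The brand watchlist, the allowlist and the candidate domains are constructed for illustration and are not Rhysida indicators from the article.

```python
"""Lookalike-domain check for defender review of DNS/proxy logs.

Added example, not Recorded Future's or Insikt Group's code. The watchlist,
allowlist and candidate domains are constructed and are not indicators
from the article.
"""
from dataclasses import dataclass
from typing import Optional

# Brand labels commonly imitated in fake-installer lures (constructed list;
# kept as a tuple so matching order is deterministic).
WATCHLIST = ("chrome", "google", "microsoft", "teams")

# Domains where these brands are expected to appear (constructed allowlist).
ALLOWLIST = frozenset({"google.com", "microsoft.com"})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label left of the TLD; naive, assumes a single-label public suffix."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


@dataclass(frozen=True)
class Verdict:
    domain: str
    brand: str
    distance: int
    reason: str


def assess(domain: str) -> Optional[Verdict]:
    """Flag a domain that imitates a watchlisted brand; None if benign/unrelated.

    'brand-embedded'            : label contains the brand plus extra text
    'near-miss'                 : label within a small edit distance of the brand
    'brand-on-unexpected-tld'   : exact brand label under a non-allowlisted TLD
    """
    d = domain.lower().rstrip(".")
    if d in ALLOWLIST or any(d.endswith("." + a) for a in ALLOWLIST):
        return None
    label = registrable_label(d)
    for brand in WATCHLIST:
        if label == brand:
            continue  # exact brand label is assessed after the loop
        if brand in label:
            return Verdict(d, brand, 0, "brand-embedded")
        # Short brands get a tighter threshold to limit false positives.
        limit = 1 if len(brand) < 6 else 2
        dist = levenshtein(label, brand)
        if dist <= limit:
            return Verdict(d, brand, dist, "near-miss")
    if label in WATCHLIST:
        return Verdict(d, label, 0, "brand-on-unexpected-tld")
    return None


if __name__ == "__main__":
    # Constructed candidates, not real indicators.
    for cand in ("www.google.com", "chrome-instaler.example",
                 "micros0ft.example", "teams.example", "weather.example"):
        print(cand, "->", assess(cand))
```

In practice the watchlist would be the software your users actually download and the allowlist the vendors’ real domains; hits from this check are a triage signal to pair with the beaconing detection the article describes, not a verdict on their own.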

The gang also operates a higher-tier management infrastructure comprising an admin panel, likely used to run CleanUpLoader’s C2 operation. Rhysida’s operatives log into this panel on their endpoints just as if they were a normal employee logging into an online work tool. This panel has typically been linked to a specific domain – the Insikt Group has found several of these used at various times.

The management tier also includes an open source Zabbix server that connects to the admin panel. This is likely used for infrastructure monitoring, and its default language is unsurprisingly but notably set to Russian.

Dwell times

All of this activity takes place during the period between when Rhysida gains initial access to its target environment and when it executes its ransomware. It is by using this dwell time – the period the gang needs to run these various tasks – to monitor for and pick up the traffic flowing to and from the C2 infrastructure that the Insikt Group has been able to get out in front of the gang.

“Of the 11 victims listed by Rhysida on its extortion site in July 2024, seven – over 60% – showed early signs of infection through beaconing to CleanUpLoader C2 servers,” wrote the Insikt Group team.

“On average, more than 30 days elapsed between the first beaconing from these victim organisations to CleanUpLoader C2 servers and the day they appeared on the extortion site.”

The team said they have also been able to detect traffic from a wide range of other organisations to and from the CleanUpLoader C2 infrastructure, enabling them to make a reasonably well-informed assessment that those organisations may shortly appear on Rhysida’s extortion site.
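The measurement described in the preceding paragraphs (which listed victims had beaconed to C2 infrastructure beforehand, and how long before) can be reproduced over your own telemetry. The Python script below is an added example, not Recorded Future’s or the Insikt Group’s code: it takes a C2 indicator set, finds each organisation’s first contact with it in proxy/DNS log lines, compares that against an extortion-site listing to compute the share of listed victims detected early and the average lead time, and reports organisations that are beaconing but not yet listed. The indicator hostnames, log lines and listing dates are all constructed placeholders; none are real CleanUpLoader infrastructure.

```python
"""Early warning from C2 beaconing: first-seen per organisation and lead time
versus extortion-site listing.

Added example, not Recorded Future's or Insikt Group's code. Indicators,
log lines and listing dates are constructed placeholders.
"""
from collections import defaultdict
from datetime import date, datetime
from typing import Dict, List, Tuple

# Placeholder C2 hostnames (constructed; a real pipeline feeds a curated list).
C2_INDICATORS = frozenset({"c2-one.invalid", "c2-two.invalid"})

# Constructed log: ISO timestamp, source organisation, destination host.
LOG_LINES = """\
2024-06-01T08:12:03Z orgA c2-one.invalid
2024-06-01T08:13:04Z orgA c2-one.invalid
2024-06-03T11:00:00Z orgB cdn.legit.invalid
2024-06-05T09:30:00Z orgB c2-two.invalid
2024-06-20T14:00:00Z orgC c2-one.invalid
2024-07-02T10:00:00Z orgD cdn.legit.invalid
2024-07-25T16:45:00Z orgE c2-two.invalid
""".splitlines()

# Constructed extortion-site listing: organisation -> date first posted.
LISTING = {"orgA": date(2024, 7, 8), "orgB": date(2024, 7, 10), "orgD": date(2024, 7, 15)}


def parse(line: str) -> Tuple[datetime, str, str]:
    ts, org, host = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), org, host.lower()


def first_beacons(lines: List[str], min_hits: int = 1) -> Dict[str, datetime]:
    """Earliest C2 contact per organisation, keeping only orgs with >= min_hits.

    A single contact can be a scanner or a sandbox; raising min_hits demands
    repeated contact before an organisation is treated as beaconing.
    """
    first: Dict[str, datetime] = {}
    hits: Dict[str, int] = defaultdict(int)
    for line in lines:
        ts, org, host = parse(line)
        if host not in C2_INDICATORS:
            continue
        hits[org] += 1
        if org not in first or ts < first[org]:
            first[org] = ts
    return {org: ts for org, ts in first.items() if hits[org] >= min_hits}


def lead_times(first: Dict[str, datetime], listing: Dict[str, date]) -> Dict[str, int]:
    """Days from first beacon to listing, for listed orgs that beaconed beforehand."""
    return {org: (listed - first[org].date()).days
            for org, listed in listing.items()
            if org in first and first[org].date() < listed}


def summarise(lines: List[str], listing: Dict[str, date], min_hits: int = 1) -> dict:
    first = first_beacons(lines, min_hits)
    leads = lead_times(first, listing)
    return {
        # Share of listed victims that showed beaconing before being listed.
        "detected_share": len(leads) / len(listing) if listing else 0.0,
        "avg_lead_days": sum(leads.values()) / len(leads) if leads else 0.0,
        "leads": leads,
        # Beaconing but not (yet) listed: candidates for early notification.
        "early_warnings": sorted(org for org in first if org not in listing),
    }


if __name__ == "__main__":
    print(summarise(LOG_LINES, LISTING))
```

On the constructed data this yields two of three listed victims detected ahead of listing, an average lead of 36 days, and two unlisted organisations (orgC and orgE) flagged as early warnings; orgD shows why the method covers only part of a listing, since it never touched a known indicator. The `min_hits` knob is the simplest guard against treating a single stray connection as an infection.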

“This early detection method can in theory be applied to any ransomware group and its victims, provided its infrastructure can be detected and then combined with Recorded Future Network Intelligence. Achieving this depends on two key factors: timeliness and the breadth of detected malicious infrastructure,” said the team.

“Since ransomware groups frequently use a mix of commercially available and custom tools, and continuously switch and evolve them, it is essential to swiftly identify the range of these tools by monitoring the threat landscape and developing and maintaining effective detections.

“Additionally, timeliness is crucial, and our insights into higher-tier infrastructure are vital as they enable us to quickly detect and identify emerging infrastructure, complementing traditional hunting methods.”
