virus Rhysida


Does ESET detect the Rhysida virus? In Slovenia, an energy company was a victim of the Rhysida virus, and I was wondering if ESET detects and disables it (so that we ESET users are safe from it)?


Although TrendMicro notes the Rhysida ransomware attack vectors, an article by Checkpoint explains them better:


Lateral Movement

The attackers used a variety of tools to perform lateral movement, including:

  • Remote Desktop Protocol – Throughout the intrusion, the threat actor initiated RDP connections, and took additional steps to deliberately remove associated logs and registry entries to harden detection and analysis efforts (as described in the Defense Evasion section). RDP remains an effective approach to performing lateral movement within the environment.
  • Remote PowerShell Sessions (WinRM) – While connected remotely via RDP, the threat actor was observed initiating remote PowerShell connections to servers within the environment. This happened in the days before the ransomware payload was deployed.
  • PsExec – The ransomware payload itself was deployed using PsExec from a server within the environment. The deployment happened in two phases.
    • Copying the malicious payload using the command `PsExec.exe -d \\VICTIM_MACHINE -u "DOMAIN\ADMIN" -p "Password" -s cmd /c COPY "\\path_to_ransomware\payload.exe" "C:\windows\temp"`.
    • Executing the malicious payload using the command `PsExec.exe -d \\VICTIM_MACHINE -u "DOMAIN\ADMIN" -p "Password" -s cmd /c c:\windows\temp\payload.exe`.


The primary attack method was via RDP; something that really shouldn't be used in corporate environments these days.

Also, PsExec should not be deployed, and its execution should be blocked or monitored.

Edited by itman
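As an added illustration of the "monitor it" advice above (this is not code from the thread, from ESET or from the Checkpoint article): a small triage script that flags the three lateral-movement tells the excerpt describes, RDP logons, remote PowerShell (WinRM) session hosts and the PsExec service install, in Windows event records. The events are constructed samples with simplified field names, and the hostnames are made up.

```python
"""Flag RDP, WinRM and PsExec lateral-movement traces in Windows event records."""
from collections import defaultdict
from typing import Dict, List, Optional

# Default service name PsExec installs on the target. Assumption/caveat:
# PsExec's -r switch renames the service, so pair this with other telemetry.
PSEXEC_SERVICE = "PSEXESVC"
RDP_LOGON_TYPE = 10             # 4624 LogonType 10 = RemoteInteractive (RDP)
WINRM_HOST = "wsmprovhost.exe"  # host process of a remote PowerShell (WinRM) session


def classify(event: Dict) -> Optional[str]:
    """Return a finding label for one event, or None if it is uninteresting."""
    eid = event.get("EventID")
    if eid == 7045:  # System log: a new service was installed
        if event.get("ServiceName", "").upper() == PSEXEC_SERVICE:
            return "psexec_service_install"
    elif eid == 4624 and event.get("LogonType") == RDP_LOGON_TYPE:
        return "rdp_logon"
    elif eid == 4688 and event.get("NewProcessName", "").lower().endswith(WINRM_HOST):
        return "winrm_session"
    return None


def findings_by_host(events: List[Dict]) -> Dict[str, List[str]]:
    """Group finding labels per host so the chain on one machine is visible."""
    out = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            out[ev["Computer"]].append(label)
    return dict(out)


# Constructed sample events (not from any real host). FS01 shows the full chain
# from the write-up; WS07 shows benign noise that must not be flagged.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "FS01", "LogonType": 10, "TargetUserName": "admin"},
    {"EventID": 4688, "Computer": "FS01", "NewProcessName": r"C:\Windows\System32\wsmprovhost.exe"},
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 4624, "Computer": "WS07", "LogonType": 2, "TargetUserName": "alice"},
    {"EventID": 7045, "Computer": "WS07", "ServiceName": "Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for host, labels in findings_by_host(SAMPLE_EVENTS).items():
        print(host, labels)
```

In practice the same three rules map onto a SIEM query over Security and System logs; an RDP logon followed by a 7045 for PSEXESVC on the same host is what the excerpt's timeline looks like from the defender's side.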
