Damjan (posted November 27, 2023):
Does ESET detect the Rhysida virus? In Slovenia, one energy company was a victim of the Rhysida virus. I was wondering if ESET detects and disables it (so that we ESET users are safe from it)?
itman (posted November 27, 2023):
Based on the IOCs linked in the TrendMicro analysis of the malware here: https://www.trendmicro.com/en_vn/research/23/h/an-overview-of-the-new-rhysida-ransomware.html , Eset detects existing known variants of it.
itman (posted November 28, 2023, edited November 28, 2023 by itman):
Although the TrendMicro article notes Rhysida ransomware attack vectors, an article by Checkpoint explains them better:

Quote:
Lateral Movement
The attackers used a variety of tools to perform lateral movement, including:
Remote Desktop Protocol – Throughout the intrusion, the threat actor initiated RDP connections, and took additional steps to deliberately remove associated logs and registry entries to harden detection and analysis efforts (as described in the Defense Evasion section). RDP remains an effective approach to performing lateral movement within the environment.
Remote PowerShell Sessions (WinRM) – While connected remotely via RDP, the threat actor was observed initiating remote PowerShell connections to servers within the environment. This happened in the days before the ransomware payload was deployed.
PsExec – The ransomware payload itself was deployed using PsExec from a server within the environment. The deployment happened in two phases.
Copying the malicious payload using the command PsExec.exe -d \\VICTIM_MACHINE -u "DOMAIN\ADMIN" -p "Password" -s cmd /c COPY "\\path_to_ransomware\payload.exe" "C:\windows\temp".
Executing the malicious payload using the command PsExec.exe -d \\VICTIM_MACHINE -u "DOMAIN\ADMIN" -p "Password" -s cmd /c c:\windows\temp\payload.exe.
https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/

The primary attack method was via RDP; something that really shouldn't be used in corporate environments these days. Also, PSExec should not be deployed, and its execution should be blocked or monitored.
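As an added example (not code from the thread, ESET, TrendMicro or Check Point), the following Python detector labels process-creation command lines that match the two-phase PsExec deployment quoted above (copy into C:\windows\temp as SYSTEM, then execute from there) and correlates the phases per target host, which is the monitoring itman recommends. All host names, account names and log lines are constructed samples.

```python
import re

# Constructed sample process-creation command lines (not from the incident on the page).
# Lines 1 and 2 mirror the two PsExec phases quoted from the Check Point analysis;
# lines 3 and 4 are controls that the rule must classify as ordinary PsExec use or as nothing.
SAMPLE_COMMAND_LINES = [
    r'PsExec.exe -d \\FILESRV01 -u "CORP\svc_admin" -p "Password" -s cmd /c COPY "\\FILESRV09\share\payload.exe" "C:\windows\temp"',
    r'PsExec.exe -d \\FILESRV01 -u "CORP\svc_admin" -p "Password" -s cmd /c c:\windows\temp\payload.exe',
    r'PsExec.exe \\WKS042 -u "CORP\helpdesk" -p "Password" ipconfig /all',
    r'cmd.exe /c dir C:\windows\temp',
]

PSEXEC_RE = re.compile(r'(?:^|[\\\s/"])psexec(?:64)?(?:\.exe)?\b', re.IGNORECASE)
SYSTEM_FLAG_RE = re.compile(r'(?:^|\s)-s(?:\s|$)', re.IGNORECASE)      # run remote command as SYSTEM
REMOTE_COPY_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+copy\b.*windows\\temp', re.IGNORECASE)
TEMP_EXEC_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"?[a-z]:\\windows\\temp\\[^\s"]+\.exe', re.IGNORECASE)
TARGET_RE = re.compile(r'\\\\([A-Za-z0-9._-]+)')                        # first \\HOST on the line


def classify(cmdline: str) -> str:
    """Label a command line with the PsExec deployment phase it resembles."""
    if not PSEXEC_RE.search(cmdline):
        return "none"
    as_system = bool(SYSTEM_FLAG_RE.search(cmdline))
    if as_system and REMOTE_COPY_RE.search(cmdline):
        return "stage_payload"      # phase 1: copy a binary into C:\windows\temp via a SYSTEM cmd
    if as_system and TEMP_EXEC_RE.search(cmdline):
        return "execute_payload"    # phase 2: launch the staged binary from C:\windows\temp
    return "psexec_other"           # any other remote PsExec use: log it and review


def correlate(lines):
    """Group verdicts by target host; a host that saw both phases is the high-confidence signal."""
    phases = {}
    for line in lines:
        verdict = classify(line)
        target = TARGET_RE.search(line)
        if verdict == "none" or not target:
            continue
        phases.setdefault(target.group(1).upper(), set()).add(verdict)
    both = {"stage_payload", "execute_payload"}
    return {host: ("high" if both <= seen else "review") for host, seen in phases.items()}


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(f"{classify(line):16s} {line}")
    print(correlate(SAMPLE_COMMAND_LINES))
```

In practice the input would be Sysmon or EDR process-creation command lines; the per-host correlation is what separates the quoted deployment pattern from legitimate administrative PsExec use.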