CTI Roundup: Rhysida Ransomware Threatens the Healthcare Sector

In this week’s roundup, CTI highlights the recent surge in successful cloud account takeovers of high-ranking executives. Next up is an overview of Rhysida ransomware which is now threatening the healthcare sector. Also included is a look at the new instances of LOLKEK that were discovered in the wild and some of the latest changes to the ransomware family.

1. Cloud takeover campaign targets top-level executives with EvilProxy

New research from Proofpoint warns of a recent uptick in successful cloud account takeover incidents primarily impacting high-ranking executives. Threat actors are now using the EvilProxy phishing tool to steal multifactor authentication (MFA) protected credentials and session cookies.

What is EvilProxy?

EvilProxy is a reverse-proxy phishing-as-a-service platform that emerged in 2022. It claims to be able to steal authentication tokens to bypass MFA, enabling even low-skilled threat actors to steal online accounts.

The growing adoption of MFA has led to an increase in phishing kits and tools designed specifically to bypass this layer of security. Threat actors are increasingly leveraging adversary-in-the-middle (AitM) phishing kits like EvilProxy to steal credentials and session cookies in real time.

Key findings from Proofpoint’s report

Since early March, Proofpoint has been monitoring an ongoing hybrid campaign that uses EvilProxy to target Microsoft 365 users. The campaign’s speed is impressive, sending about 120,000 phishing emails to hundreds of targeted organizations worldwide between March and June 2023.

The threat actors used several noteworthy techniques including:

• Brand impersonation: Sender email addresses in this campaign impersonated trusted services like Concur Solutions, DocuSign, and Adobe.
• Scan blocking: The threat actors used protection against cybersecurity scanning bots, making it harder to analyze the malicious sites.
• Multi-step infection chain: The threat actors redirected traffic via open legitimate redirectors, including YouTube. This was followed by several additional steps like malicious cookies and 404 redirects.

Phase 1: EvilProxy in action

The threat actors initially impersonated known trusted services, using spoofed emails to send phishing emails containing links to malicious Microsoft 365 phishing sites.

The emails that pretended to be from DocuSign, Adobe Sign, and Concur contained malicious URLs that initiated a multi-step infection chain involving several redirections, malicious cookies, and 404 redirects guiding the user to an EvilProxy phishing framework. The landing page functions as a reverse proxy.

When analyzing some of the redirection pages in this campaign, Proofpoint identified a small but significant detail that set it apart in the first days of the attack. The clue was a small typo in the redirect string. Instead of transferring the user to an https page the threat actor mistakenly pointed to a “hhttps” address, leading to a failed redirection flow.

The threat actor leveraged special encoding to hide the user’s email from automatic scanning tools. It also leveraged legitimate sites that had previously been hacked to upload their PHP code and decode the user’s email address. After the email address is decoded, the user is forwarded to the final website which is a phishing page tailored specifically for the target organization.

Proofpoint also noticed an apparent alteration in the attack flow when accessing multiple phishing pages from specific geographies. User traffic originating from Turkish IP addresses was directed to the legitimate web page. If intentional, this could suggest that the threat actors behind the campaign are based in Turkey or are avoiding targeting Turkish users.

Phase 2: Account compromise

The list of users included many high-value targets, such as C-level executives and VPs at leading companies.

Once a targeted user provides their credentials via the phishing page, the threat actors log into their Microsoft 365 account within seconds, indicating an automated process.

Not all users that fell for the phishing lure were accessed by the threat actors. In this campaign, the attackers prioritized only VIP targets and ignored those of lesser value.

Of the campaign’s hundreds of compromised users, about 39% were C-level executives. Of these, 17% were CFOs, and 9% were presidents and CEOs. The threat actors also showed an interest in lower-level management.

Phase 3: post-compromise exploitation

After accessing the accounts, the threat actors established persistence within the cloud environment. In multiple instances, the threat actors leveraged a native Microsoft 365 application to execute MFA manipulation.

Using My Sign-Ins, the threat actors could add their own MFA method for persistence. The preferred authentication method for these threat actors was an authentication app with notification and code.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“This campaign is highly targeted towards management, executives, and other ‘VIP’ type roles. The threat actors seem to go out of their way to avoid and ignore any gathered credentials not belonging to these high-level executives.”

“Of course, the threat actors may be selling these other credentials or engaging in nefarious activities. But for this campaign, they seem to be uninterested. This targeting varies from many of the opportunistic phishing campaigns that seek to target any individual in an organization and anyone willing to input their credentials into a phishing page.”

2. An overview of the new Rhysida ransomware targeting the healthcare sector

Trend Micro’s latest report focuses on Rhysida, a type of ransomware actively targeting the healthcare sector. The news comes just a few days after the HHS Health Sector Cybersecurity Coordination Center (HC3) released a security alert about the new ransomware strain.

Rhysida poses as a cybersecurity team and offers to assist victims in identifying network weaknesses. It was previously known for targeting the education, government, manufacturing, and tech industries but has since attacked healthcare and public health organizations.

This shift aligns with the increasing number of ransomware attacks the healthcare industry has been experiencing over the past few years. The operation targets organizations worldwide, including Indonesia, Germany, and the U.S.

Rhysida’s attack chain

Rhysida ransomware typically arrives on the victim’s machine via phishing lures before leveraging Cobalt Strike for lateral movement.

Trend Micro observed the threat actors executing PsExec to deploy PowerShell scripts and the Rhysida ransomware payload. A PowerShell script terminates any AV-related processes and services, deletes shadow copies, modifies RDP configurations, and changes the AD password.

The ransomware uses a 4096-bit RSA key and AES-CTR for file encryption. After successful encryption, it appends .rhysida to the files and drops the ransom note titled CriticalBreachDetected.pdf.

The ransom note is rather unusual, presenting itself as an alert from the Rhysida cybersecurity team and notifying victims of the breach.

Rhysida’s encryption routine

Rhysida ransomware uses the open-source library LibTomCrypt to implement its encryption routine. LibTomCrypt’s pseudorandom number generator (PRNG) is used for key and initialization vector generation.

After initializing the PRNG, Rhysida imports the embedded RSA key and declares the algorithm it will use for file encryption. It will then proceed to register and declare AES for its cipher hash construction functionalities.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Currently there is limited knowledge about who operates Rhysida ransomware. Interestingly, this threat group poses as a cybersecurity team and offers to help victims find security weaknesses. The group’s first appearance had a support chat portal for victims, furthering their affinity to come off as if they are doing these victims a favor.”

3. LOLKEK ransomware: new samples and evolving tactics

SentinelOne recently discovered new instances of LOLKEK — or GlobeImposter — in the wild and noted changes within the ransomware family. SentinelOne has shared its research into the new LOLKEK payloads, detailing new features and changes in strategy.

LOLKEK made its first appearance back in 2016. The GlobeImposter name at the time was a clever way to describe how the ransomware imitated the methods of Globe ransomware.

LOLKEK can be considered an off-the-shelf ransomware to some extent. It is frequently changed and used by those with limited skills and resources. In recent incidents, the requested ransoms were less than $2,000, which is quite low compared to those typically requested by groups like Cl0P and LockBit.

LOLKEK primarily targets small to medium-sized businesses (SMBs) and individual users. However, there have been instances where this ransomware played a role in more complex and calculated financial attacks.

Technical details

• SentinelOne researchers identified two new LOLKEK samples in the wild. These samples identified themselves as W3CRYPTO LOCKER and directed victims to a new Tor victim portal.
• Both new samples were compiled in May 2023, but only one appears fully functional. When the new LOLKEK payloads launch, they discover and encrypt any locally available drive, including mounted network shares in sequence.
• The payloads also contain exclusions from previous variants of this ransomware. They include the Windows, System Volume Information, and ProgramData folders. The payloads seemingly can discover and remove Volume Shadow Copies. However, this behavior was not seen when dynamically analyzing one of the samples. WMIC-formatted calls to remove VSS are found in the sample code. Encrypted files have the .MMM extension appended to them.
• Looking deeper into these encrypted files, researchers identified another marker linking them to previous LOLKEK/GlobeImposter variants. Encrypted files contained the same CRYPTO LOCKER string seen in prior versions.

Victim portal and notes

The LOLKEK ransom notes are named “ReadMe.txt” and are dropped to all locations containing encrypted files and data. The ransom notes are nearly identical to previous variants. The supplied .onion URIs contain a string at the end, unique to each execution of the ransomware.

Victims are instructed to navigate to the Tor victim portal, where they must create an account to engage in a private chat with the threat actor. The new portal is functionally identical to previous victim portals hosted by this ransomware operation.

The threat actor notes that small files can be decrypted for free as proof of functional decryption. When the victim creates a ticket within the portal, the ransom details are provided directly through the victim’s chat.

LOLKEK OPSEC misstep

The operators of this campaign have followed very similar steps, processes, and templates as their previous campaigns regarding the misconfiguration of Apache. The status page of the server is visible on the Tor victim page. Researchers determined that the server went live on May 23, 2023 — just a few days after the related samples were compiled.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“LOLKEK ransomware is quite fascinating, having survived since 2016 in this fast-changing threat landscape. Its operators are still working hard to explore new strategies and have proved their ability to stay relevant.”

“LOLKEK is a good reminder that while LockBit, Cl0p, and other big-name ransomware groups dominate the space, we must not overlook small but persistent operations.”

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.