Analytics Story: Rhysida Ransomware

Description

This story groups analytics that identify and investigate anomalous behavior potentially associated with Rhysida ransomware. The searches surface irregular patterns or actions on systems and networks, such as unusual file modifications and deviations from normal system behavior, that can indicate compromise or an ongoing Rhysida intrusion attempt. Used together, they support swift detection, investigation, and mitigation of Rhysida or similar threats.

Why it matters

This story addresses Rhysida ransomware. Rhysida infiltrates systems stealthily, encrypts critical files and databases, and then demands a ransom, leaving affected organizations unable to operate while they weigh paying against recovering on their own. Threat actors leveraging Rhysida ransomware are known to impact "targets of opportunity," including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model; any ransoms paid are then split between the group and its affiliates.

Detections

Name | Technique | Type
Windows Suspicious Process File Path | Match Legitimate Resource Name or Location, Create or Modify System Process | TTP
Common Ransomware Extensions | Data Destruction | TTP
Deleting Shadow Copies | Inhibit System Recovery | TTP
Windows Sensitive Group Discovery With Net | Domain Groups | Anomaly
Detect Renamed PSExec | Service Execution | Hunting
SecretDumps Offline NTDS Dumping Tool | NTDS | TTP
Suspicious wevtutil Usage | Clear Windows Event Logs | TTP
Ntdsutil Export NTDS | NTDS | TTP
NLTest Domain Trust Discovery | Domain Trust Discovery | TTP
Windows PowerView Unconstrained Delegation Discovery | Remote System Discovery | TTP
Windows PowerView AD Access Control List Enumeration | Permission Groups Discovery, Domain Accounts | TTP
Windows PUA Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | Anomaly
Detect PsExec With accepteula Flag | SMB/Windows Admin Shares | TTP
Windows Modify Registry NoChangingWallPaper | Modify Registry | TTP
Windows Rundll32 Apply User Settings Changes | Rundll32 | Anomaly
Executables Or Script Creation In Temp Path | Masquerading | Anomaly
Malicious Powershell Executed As A Service | Service Execution | TTP
Spike in File Writes | None | Anomaly
Windows PowerView SPN Discovery | Kerberoasting | TTP
PowerShell 4104 Hunting | PowerShell | Hunting
Modification Of Wallpaper | Defacement | TTP
Common Ransomware Notes | Data Destruction | Hunting
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Scheduled Task Deleted Or Created via CMD | Scheduled Task | Anomaly
Detect Rare Executables | User Execution | Anomaly
Ransomware Notes bulk creation | Data Encrypted for Impact | Anomaly
Windows PowerView Constrained Delegation Discovery | Remote System Discovery | TTP
Windows Excessive Usage Of Net App | Account Access Removal | Anomaly
WinRM Spawning a Process | Exploit Public-Facing Application | TTP
CMD Carry Out String Command Parameter | Windows Command Shell | Hunting
Windows Cmdline Tool Execution From Non-Shell Process | JavaScript | Anomaly
Windows Eventlog Cleared Via Wevtutil | Clear Windows Event Logs | Anomaly
Domain Controller Discovery with Nltest | Remote System Discovery | TTP
Windows Group Discovery Via Net | Local Groups, Domain Groups | Hunting
SAM Database File Access Attempt | Security Account Manager | Hunting
Windows PowerView Kerberos Service Ticket Request | Kerberoasting | TTP
High Process Termination Frequency | Data Encrypted for Impact | Anomaly
Disable Logs Using WevtUtil | Clear Windows Event Logs | TTP
Detect Zerologon via Zeek | Exploit Public-Facing Application | TTP
System User Discovery With Whoami | System Owner/User Discovery | Hunting

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 17 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log System 7045 | Windows | XmlWinEventLog | XmlWinEventLog:System
Windows Event Log Security 4663 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 5 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Source: GitHub | Version: 2