SentinelOne Demo: SentinelOne VS Rhysida Ransomware – Detection and Remediation

In this video demo, we showcase how SentinelOne’s XDR technology detects and responds to Rhysida ransomware.The Rhysida ransomware group was first observed in May of 2023, following the emergence of its victim support chat portal hosted via TOR (.onion). The group sees itself as a “cybersecurity team” doing their victims a favor: they target victim systems and highlight the “potential ramifications” of the involved security issues. The group threatens victims with public distribution of the exfiltrated data, bringing it in line with modern-day ‘multi-extortion’ groups.

Analyzed samples of Rhysida ransomware indicate the group is in the early stages of the development cycle. Its payloads are missing many commodity features synonymous with present-day ransomware (ex; VSS removal). Its background image replacement functions also appear to malfunction.

Victims are instructed to contact the attackers via their TOR-based portal, utilizing Rhysida’s unique identifier (provided in the ransom notes). Rhysida accepts payment only in BTC (Bitcoin), also providing information on the purchase and use of BTC in the victim portal. Once victims enter their unique ID into the payment portal, the group provides them with an additional form to enter authentication, contact details, and other information.

Rhysida ransom notes are written as PDF documents to affected folders on targeted drives.