The Emergence of Rhysida and DarkRace: Two New Ransomware Threats

At least ten victims are listed in roughly a week of existence

Ransomware attacks have been on the rise in recent years, and two new groups have emerged in May 2023: Rhysida and DarkRace. These sophisticated ransomware groups have already targeted several organizations across Europe, encrypting victims’ data and demanding ransom payments.


Rhysida Ransomware Targets Education and Manufacturing Sectors

Rhysida first appeared in late May 2023 and has attacked at least four known victims, according to posts on their dark web blog. Targets include:

  • The Territorial Collectivity of Martinique, a French territorial collectivity. Rhysida has leaked all stolen files on their news blog.
  • The Thomas Hardye School, a secondary school in Dorset, UK. Again, Rhysida has published 100% of stolen documents.
  • Amstutz Produkte AG, a Swiss chemical manufacturer. All stolen documents have been published online.
  • Haemokinesis, an Italian biomedical research and development company. All the files are available to download on the cyber criminals’ darknet server.

The group positions themselves as a “cybersecurity team” who are doing their victims a favor by targeting their systems and highlighting the supposed potential ramifications of the involved security issues.

To carry out their attacks, Rhysida uses advanced techniques like social engineering and exploit kits to gain access to victims’ systems. Once inside, they deploy strong encryption to lock down data and demand ransom payments in exchange for the decryption key.

DarkRace Uses “.1352FF327” extension

DarkRace is another ransomware group that emerged in late May 2023. It works by encrypting files on infected systems and leaving ransom notes with instructions for paying a ransom to recover the files. Unlike many ransomware gangs that use a single, recognisable extension for encrypted files, such as Rhysida’s “.rhysida”, DarkRace stands apart: the malware encrypts files and appends the extension “.1352FF327” to their filenames, and the text file containing the ransom note is named “Readme.1352FF327.txt”.
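The file-naming indicators above (the “.rhysida” and “.1352FF327” extensions and the “Readme.1352FF327.txt” note) can be turned into a quick triage script for a responder looking at a file listing or a mounted image of an affected host. The following is an added example written for this article, not code from Kaduu or from either group; the sample paths are constructed.

```python
import os
import re
from collections import Counter

# Indicators from the article: Rhysida appends ".rhysida" to encrypted files;
# DarkRace appends ".1352FF327" and drops a note named "Readme.1352FF327.txt".
RANSOM_EXTENSIONS = {".rhysida": "Rhysida", ".1352ff327": "DarkRace"}
RANSOM_NOTE_NAMES = {"readme.1352ff327.txt": "DarkRace"}

def classify_path(path):
    """Return (family, kind) for one path, or None when it shows no indicator."""
    # Split on either separator so listings from Windows hosts work on any OS.
    name = re.split(r"[\\/]", path)[-1].lower()
    if name in RANSOM_NOTE_NAMES:
        return RANSOM_NOTE_NAMES[name], "note"
    for ext, family in RANSOM_EXTENSIONS.items():
        if name.endswith(ext):
            return family, "encrypted"
    return None

def triage_paths(paths):
    """Count encrypted files and ransom notes per family over a list of paths."""
    summary = {}
    for p in paths:
        hit = classify_path(p)
        if hit is not None:
            family, kind = hit
            summary.setdefault(family, Counter())[kind] += 1
    return summary

def triage_tree(root):
    """Walk a directory tree (e.g. a mounted image of an affected host)."""
    found = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage_paths(found)

# Constructed sample listing (not from a real incident) to show the output shape.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.1352FF327",
    r"C:\Users\alice\Documents\Readme.1352FF327.txt",
    "/srv/shares/hr/contracts.pdf.rhysida",
    "/srv/shares/hr/notes.txt",
]

if __name__ == "__main__":
    for family, counts in triage_paths(SAMPLE_PATHS).items():
        print(f"{family}: {dict(counts)}")
```

A count of encrypted files per share, taken before restoring from backup, also tells you how far the encryption spread and which backups must be checked for tampering.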

At the moment of writing this article, the group has targeted at least six known victims, according to their darknet blog:

  • Rzepecki Mroczkowski Sp. Z o.o., a Polish automotive company. DarkRace listed this company on its darknet blog on June 5, 2023.
  • hep global GmbH, a German solar energy company. According to the DarkRace dark web site, the company was breached on June 4, 2023.
  • PLURISERVICE Spa, an Italian technology solutions provider. The blog post is dated June 3, 2023.
  • PESSI, a Pakistani health insurance company. The news was shared on June 3, 2023.
  • CO.NA.TE.CO., an Italian shipping container company. DarkRace posted news about the attack on June 2, 2023.
  • ERT, a Portuguese automotive parts manufacturer. The first victim’s data was shared on May 30, 2023.

DarkRace is known to be distributed through infected email attachments (macros), torrent websites, and malicious ads, among other methods.

Defending Against Rhysida, DarkRace, and Other Ransomware Threats

To protect against ransomware attacks like those carried out by Rhysida and DarkRace, organizations should implement a multi-layered cybersecurity strategy:

  • Implement strong access controls and two-factor authentication to limit unauthorized access.
  • Regularly back up critical data in case it becomes encrypted. Offline backups are best.
  • Train employees on how to identify and avoid phishing emails, malicious links, and other social engineering techniques frequently used to deploy ransomware.
  • Keep all software and systems up to date with the latest patches. Outdated systems are more vulnerable to exploits.
  • Use advanced endpoint detection and response (EDR) tools to monitor for suspicious activity and respond quickly to potential threats.
  • Restrict administrative privileges to only trusted users. Admin accounts are high-value targets.
  • Consider using a reputable anti-ransomware tool to detect and block ransomware activity.
  • Develop and practice an incident response plan in case of an attack. Have a plan to isolate infected systems, restore data from backups, and work with law enforcement if needed.

Stay up-to-date on the latest ransomware threats, techniques, and best practices. Ransomware groups are constantly evolving their methods.

By making a comprehensive approach to security a priority, organizations can reduce the risk of becoming victims of ransomware attacks. But they must remain vigilant, as new groups like Rhysida and DarkRace emerge to threaten businesses and critical infrastructure. With strong defenses and proactive security strategies in place, the impact of any attack can at least be minimized.


Stay up to date with exposed information online. Kaduu with its cyber threat intelligence service offers an affordable insight into the darknet, social media and deep web.