
Rhysida Gang adds Chinese CEEC to its victims list


The Rhysida ransomware group has added the China Energy Engineering Corporation (CEEC) to the list of victims on its Tor leak site.

The CEEC is one of the largest state-owned companies in China that operates in the energy and infrastructure sectors.

CEEC actively participates in developing and constructing a diverse range of energy projects, encompassing coal, hydropower, nuclear, and renewable energy initiatives.


The ransomware group claims to have stolen a substantial trove of ‘impressive data’ and is auctioning it for 50 BTC. As with its other leak-site listings, the gang says it will sell the stolen data to a single buyer only; the auction runs on a seven-day countdown from the announcement, and the group threatens to publish the data once that deadline expires.

Recently, the Rhysida ransomware gang added the British Library to the list of victims on its Tor leak site.

Last week, the FBI and CISA published a joint Cybersecurity Advisory (CSA), AA23-319A, warning of Rhysida ransomware attacks. The advisory is part of the ongoing #StopRansomware effort, which disseminates the tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) associated with ransomware groups.

The Rhysida ransomware group has been active since May 2023. According to the gang’s Tor leak site, at least 62 companies are victims of the operation.


The ransomware gang has hit organizations in multiple industries, including the education, healthcare, manufacturing, information technology, and government sectors. According to the advisory, the group's victims are “targets of opportunity” rather than the result of sector-specific targeting.

Rhysida actors leverage external-facing remote services (e.g. VPN gateways and RDP) to gain initial access to the target network and to maintain persistence. The advisory notes that the group commonly authenticates to internal VPN access points with compromised valid credentials, notably where multi-factor authentication is not enforced. It lists two further initial-access methods separately: exploitation of Zerologon (CVE-2020-1472), a critical elevation-of-privilege flaw in Microsoft’s Netlogon Remote Protocol that lets an unauthenticated attacker reset a domain controller’s machine-account password, and phishing. Zerologon is not a phishing technique; the two are distinct entries in the advisory.

The group relies on living-off-the-land techniques, using native network administration tools (the advisory cites utilities such as ipconfig, whoami, nltest and net, along with PowerShell and PsExec) for discovery, lateral movement and other malicious operations, so that its activity blends in with legitimate administration.
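The three behaviours above (valid-credential logons through exposed remote services, Zerologon exploitation against a domain controller, and bursts of native tooling under one account) each leave a footprint in Windows event logs. The following is an added example, not code from the article, from CISA/FBI, or from the ransomware group: a small triage script that hunts for those footprints in a batch of Windows Security and System events. The event records are constructed for illustration (hostnames, users and addresses are fictional) and use a simplified form of the Windows log field names (EventID, LogonType, IpAddress, TargetUserName, SubjectUserName, NewProcessName); the internal address ranges and the list of tools are assumptions to be tuned to the environment.

```python
"""Hunt Windows events for the Rhysida TTPs in the FBI/CISA advisory.

Added example, not the article's or the advisory's code. The records below are
constructed (fictional hosts, users, addresses); field names are a simplified
form of the Windows Security/System log schema.
"""
import ipaddress
from collections import defaultdict

# Native tools the advisory associates with Rhysida's living-off-the-land
# activity (assumed list; extend for your environment).
LOTL_TOOLS = {
    "net.exe", "net1.exe", "nltest.exe", "whoami.exe", "ipconfig.exe",
    "psexec.exe", "psexesvc.exe", "powershell.exe", "mstsc.exe",
}

# Address space treated as "inside" the network (assumption: RFC 1918 + loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample events.
SAMPLE_EVENTS = [
    # RDP logon (type 10) with a valid account straight from the internet.
    {"EventID": 4624, "Computer": "srv-term01", "TargetUserName": "jdoe",
     "LogonType": 10, "IpAddress": "203.0.113.45"},
    # Same account hopping between internal hosts: not suspicious by itself.
    {"EventID": 4624, "Computer": "srv-term01", "TargetUserName": "jdoe",
     "LogonType": 10, "IpAddress": "10.20.1.7"},
    # Netlogon allowed a vulnerable secure-channel connection (DC not enforcing).
    {"EventID": 5829, "Computer": "dc01", "TargetUserName": "DC01$",
     "SubjectUserName": "-", "IpAddress": "10.20.1.7"},
    # DC's own computer account changed by ANONYMOUS LOGON: Zerologon reset footprint.
    {"EventID": 4742, "Computer": "dc01", "TargetUserName": "DC01$",
     "SubjectUserName": "ANONYMOUS LOGON", "IpAddress": "-"},
    # Routine machine-account change performed by the machine itself.
    {"EventID": 4742, "Computer": "dc01", "TargetUserName": "WS-042$",
     "SubjectUserName": "WS-042$", "IpAddress": "-"},
    # Discovery / lateral-movement burst with native tools under one account.
    {"EventID": 4688, "Computer": "ws-042", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\whoami.exe"},
    {"EventID": 4688, "Computer": "ws-042", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\nltest.exe"},
    {"EventID": 4688, "Computer": "ws-042", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\net.exe"},
    {"EventID": 4688, "Computer": "ws-042", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Tools\PsExec.exe"},
    # A lone net command from an admin is normal noise.
    {"EventID": 4688, "Computer": "ws-007", "SubjectUserName": "admin",
     "NewProcessName": r"C:\Windows\System32\net.exe"},
]


def is_external(ip):
    """True for a parseable address outside INTERNAL_NETS; '-' and garbage are not external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def find_external_remote_logons(events):
    """4624 RDP (type 10) or network (type 3) logons sourced from outside the network."""
    return [e for e in events
            if e["EventID"] == 4624 and e.get("LogonType") in (3, 10)
            and is_external(e.get("IpAddress", "-"))]


def find_zerologon_indicators(events):
    """Footprints of CVE-2020-1472: an anonymous change to a machine account (4742)
    or Netlogon permitting a vulnerable secure channel (5829)."""
    hits = []
    for e in events:
        if (e["EventID"] == 4742 and e.get("TargetUserName", "").endswith("$")
                and e.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"):
            hits.append((e["Computer"], "4742 %s changed by ANONYMOUS LOGON" % e["TargetUserName"]))
        elif e["EventID"] == 5829:
            hits.append((e["Computer"], "5829 vulnerable Netlogon channel allowed for %s" % e.get("TargetUserName")))
    return hits


def find_lotl_bursts(events, min_tools=3):
    """Group 4688 process creations by (host, user); flag >= min_tools distinct LOTL binaries."""
    seen = defaultdict(set)
    for e in events:
        if e["EventID"] != 4688:
            continue
        exe = e["NewProcessName"].rsplit("\\", 1)[-1].lower()
        if exe in LOTL_TOOLS:
            seen[(e["Computer"], e["SubjectUserName"])].add(exe)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_tools}


def triage(events):
    return {
        "external_remote_logons": find_external_remote_logons(events),
        "zerologon_indicators": find_zerologon_indicators(events),
        "lotl_bursts": find_lotl_bursts(events),
    }


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_EVENTS).items():
        print(name, findings)
```

The 4742-by-ANONYMOUS-LOGON check is the one that matters most: a legitimate machine-account password rotation is performed by the computer account itself, so an anonymous subject on a domain controller's account is the direct residue of a Zerologon reset. Event 5829 only appears while a DC is still in Netlogon compatibility mode, so seeing it at all is also a sign that the fix for CVE-2020-1472 is not fully enforced. The tool-burst threshold is deliberately crude; in production you would bound it to a time window and whitelist known administration hosts.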

Indicators of Compromise
