October 24, 2023 at 04:26PM
The emerging ransomware strain called Rhysida, operating since May, is targeting users of Brazil’s PIX payment system. Rhysida, which functions as a ransomware-as-a-service (RaaS), has a unique self-deletion mechanism and is compatible with pre-Windows 10 versions of Microsoft Windows. It faced initial configuration challenges but quickly adapted. Alongside Rhysida, there is a complementary malware-as-a-service (MaaS) infostealer called Lumar, which can steal various types of data from users, including passwords and cryptocurrency wallets. Lumar is efficient and offers user-friendly features such as statistics and data logs.
The meeting notes discuss an emerging ransomware strain called Rhysida and a new stealer malware called Lumar. Rhysida is a ransomware-as-a-service (RaaS) operation that is capable of evolving quickly. It is unique in its self-deletion mechanism and its compatibility with pre-Windows 10 versions of Microsoft Windows. Rhysida is written in C++ and compiled with MinGW and shared libraries, showing sophistication in its design. The group behind Rhysida faced initial configuration challenges with its onion server but resolved them quickly, indicating rapid adaptation and learning.
The ransomware campaign targeting Brazil’s popular PIX payment system has been ongoing since December 2022. Rhysida was deployed alongside Lumar, a malware-as-a-service (MaaS) infostealer. Lumar, which emerged in July 2023, can steal Telegram session data, passwords, cookies, autofill information, desktop files, and cryptocurrency wallets. The Kaspersky team notes that Lumar is compact but still highly functional; it uses three separate threads for efficient data collection. The malware author hosts the command and control (C2) server as a MaaS, providing user-friendly features such as statistics and data logs. Users can download the latest version of Lumar and receive Telegram notifications for incoming data.