Rhysida ransomware group opsec

June 6, 2023    Article    292 words    2 mins read

I was debating whether I should publish this, Allah knows I hate to give tips to the feds and Interpol, but I noticed someone on Twitter already figured it out, so why not. Here we go!

There is a new-ish (since May 2023) ransomware group called Rhysida, and they leaked some stuff from various companies and the French territorial collectivity of Martinique (why Martinique). All good so far, except they made a simple mistake: they forgot to disable (or it’s enabled on purpose, hello honeypot) the Apache server status page. I can’t remember whether the status page is enabled or disabled by default (and I CBA to check the manual, I’m cranky today) because we pros are way past the goth Apache phase and we’re converting packets straight into Morse code now.

Here is the pesky page, in all its glory.

Apache Server Status for rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion (via 5.255.106.[x])

Server Version: Apache/2.4.41 (Ubuntu)
Server MPM: prefork
Server Built: 2023-03-08T17:32:54

Current Time: Tuesday, 06-Jun-2023 01:47:49 CEST
Restart Time: Friday, 19-May-2023 00:46:57 CEST
Parent Server Config. Generation: 19
Parent Server MPM Generation: 18
Server uptime: 18 days 1 hour 51 seconds
Server load: 0.00 0.00 0.00
Total accesses: 395761 - Total Traffic: 2.2 GB - Total Duration: 626758
CPU Usage: u31.55 s73.38 cu158.2 cs66.21 - .0211% CPU load
.254 requests/sec - 1548 B/second - 6.0 kB/request - 1.58368 ms/request
1 requests currently being processed, 9 idle workers

And the pesky Apache server status page, through its “via” field (the local address the request arrived on), exposes the real IP of the server (5.255.106.[x]) and the real port (57381), but at least they’re firewall-blocking connections from the clearnet.

ASN	AS60404 - Liteserver
Range: 5.255.96.0/19
Company: The Infrastructure Group B.V., Netherlands
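As an added example (not from the post and not anything taken from Rhysida’s server), here is a small Python parser for the plain-text mod_status page that pulls out the header fields shown above and flags the “via” address when it is globally routable, which is exactly the leak in this case. The sample text is constructed from the excerpt; the redacted last octet is replaced by an assumed placeholder.

```python
"""Parse the header of an Apache mod_status text page and flag the opsec leak
described above: the "via" field is the local socket address Apache received
the request on, so on an onion service it reveals the real listening IP.
Added example; the sample text is constructed from the post's excerpt."""
import ipaddress
import re

# Constructed sample mirroring the post. The fourth octet is redacted there,
# so ".1" is an assumed placeholder, not the real address.
SAMPLE_STATUS = """\
Apache Server Status for rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion (via 5.255.106.1)

Server Version: Apache/2.4.41 (Ubuntu)
Server MPM: prefork
Server Built: 2023-03-08T17:32:54

Current Time: Tuesday, 06-Jun-2023 01:47:49 CEST
Restart Time: Friday, 19-May-2023 00:46:57 CEST
Server uptime: 18 days 1 hour 51 seconds
Total accesses: 395761 - Total Traffic: 2.2 GB - Total Duration: 626758
1 requests currently being processed, 9 idle workers
"""

# First line: "Apache Server Status for <ServerName> (via <local address>)"
HEADER_RE = re.compile(r"Apache Server Status for (?P<host>\S+) \(via (?P<via>[^)]+)\)")
# Simple "Key: value" lines that follow the header
KV_RE = re.compile(r"^(?P<key>[A-Za-z .]+): (?P<val>.+)$", re.M)


def parse_status(text):
    """Return a dict of header fields from a text-mode (?auto-less) status page.

    'host' is the ServerName Apache answered for (the onion name here);
    'via' is the local address the request came in on, i.e. the leak.
    """
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("not an Apache mod_status page")
    fields = {"host": m.group("host"), "via": m.group("via").strip()}
    for kv in KV_RE.finditer(text):
        fields[kv.group("key").strip()] = kv.group("val").strip()
    m = re.search(r"Total accesses: (\d+)", text)
    if m:
        fields["total_accesses"] = int(m.group(1))
    return fields


def leaks_real_address(fields):
    """True when the 'via' address is globally routable: the hidden service is
    fronting a publicly addressable host rather than loopback or RFC 1918 space.
    A hostname or unparseable value is treated as no routable disclosure."""
    try:
        ip = ipaddress.ip_address(fields["via"])
    except ValueError:
        return False
    return ip.is_global


def report(text):
    """Human-readable summary for a fetched status page."""
    f = parse_status(text)
    verdict = "LEAKS real listening address" if leaks_real_address(f) else "no routable address exposed"
    return (f"{f['host']} via {f['via']}: {verdict}; "
            f"{f.get('Server Version', '?')}, up since {f.get('Restart Time', '?')}, "
            f"{f.get('total_accesses', 0)} total accesses")


if __name__ == "__main__":
    print(report(SAMPLE_STATUS))
```

To run this against a live onion you would fetch the page through the local Tor SOCKS port, for instance `curl --socks5-hostname 127.0.0.1:9050 http://<onion>/server-status`, and feed the body to `report()`. As for why the page is reachable at all: Ubuntu’s apache2 package enables mod_status by default and restricts `/server-status` with `Require local`, but the Tor daemon hands onion connections to Apache from 127.0.0.1, so every Tor visitor satisfies that restriction. The fix is `a2dismod status` (or `Require all denied` on that Location), not a tighter IP allow-list.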

Come on people, we can do better than this, right? What would the real Phineas Fisher say?