Rhysida is a ransomware-as-a-service (RaaS) operation that has been targeting users of Brazil’s popular PIX payment system since December 2022. This emerging ransomware strain [2], which appeared in May this year [1], has the ability to quickly evolve and is distributed as Ransomware as a Service (RaaS).


Rhysida [1] [2], written in C++ and compiled using MinGW with shared libraries [1] [2], showcases sophistication in its design [2]. It achieves self-deletion by executing a PowerShell command and still supports Windows versions prior to Windows 10 [1]. Despite initial configuration challenges with its onion server [2], Rhysida has demonstrated rapid adaptation and learning [2]. Alongside Rhysida, a brand-new infostealer called Lumar has been deployed to target PIX users. Lumar is gaining popularity in underground communities and has capabilities such as capturing Telegram sessions [1], harvesting passwords and files [1], and extracting data from cryptographic wallets [1]. It is compact yet efficient in its data collection [2], facilitated by the use of three separate threads [2]. The C2 [2], hosted by the malware author as a malware-as-a-service (MaaS), provides user-friendly features such as statistics and data logs [2]. Users can download the latest version of Lumar and receive Telegram notifications for incoming data [2]. The PIX payment system in Brazil is being targeted by cybercriminals [1], including a malware campaign called GoPIX. GoPIX tricks users into downloading malware through malvertising and uses a fraud prevention solution to determine if the visitor is a real user or a bot [1]. It is a clipboard stealer malware that replaces PIX transactions with malicious ones and can also substitute Bitcoin and Ethereum wallet addresses [1]. Most infections are from Brazil [1].


The targeting of Brazil’s PIX payment system by cybercriminals through Rhysida and Lumar poses significant risks to users. The ability of Rhysida to evolve quickly and its sophisticated design make it a formidable threat. The popularity of Lumar in underground communities further highlights the need for heightened security measures. The deployment of GoPIX, with its ability to replace legitimate transactions and substitute wallet addresses, adds another layer of concern. Mitigating these threats requires a multi-faceted approach, including user education, robust security measures, and continuous monitoring. As cybercriminals continue to adapt and develop new tactics, it is crucial for organizations and individuals to stay vigilant and proactive in protecting their systems and data.


[1] https://www.443news.com/2023/10/kaspersky-crimeware-report-gopix-lumar-and-rhysida/
[2] https://www.darkreading.com/attacks-breaches/meet-rhysida-a-new-ransomware-strain-that-deletes-itself