New SharpRhino Malware Being Used By Ransomware Gangs to Attack IT Workers

The Hunters International ransomware group, believed to be a rebranding of the Hive ransomware group due to code similarities, is targeting IT workers with their new malware, SharpRhino. This C# remote access trojan (RAT) enables attackers to infiltrate systems, escalate privileges, execute PowerShell commands, and ultimately deploy ransomware payloads. SharpRhino is distributed via a typo-squatting site that impersonates the legitimate Angry IP Scanner website, a tool frequently used by IT professionals (BleepingComputer) (Cyber Security News) (Help Net Security).

If you need immediate assistance, call our 24-hour number at 1-877-662-6624 to reach a live engineer who will get the process started for you, or e-mail restore@alvaka.net.

Technical Details

SharpRhino is delivered as a digitally signed 32-bit installer (ipscan-3.9.1-setup.exe), containing a self-extracting password-protected 7z archive with files necessary for infection. Once executed, the malware performs several actions to establish persistence and control over the infected system:

  • Registry Modification: It modifies the Windows registry to ensure persistence by launching Microsoft.AnyKey.exe, a legitimate Microsoft Visual Studio binary repurposed for malicious use (Cyber Security News) (Help Net Security).
  • PowerShell Execution: The malware drops LogUpdate.bat, which executes PowerShell scripts that compile C# code into memory, facilitating stealthy execution without leaving traces on disk (BleepingComputer) (Cyber Security News).
  • Command and Control (C2): SharpRhino creates two directories under C:\ProgramData\Microsoft (WindowsUpdater24 and LogUpdateWindows) for C2 communication. The malware contains hardcoded commands such as delay, which sets the timer for the next POST request, and exit, which terminates communication (BleepingComputer) (Cyber Security News).
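
The artifacts listed above can be turned into a simple host-triage rule. The following is an added example, not code from the cited reports or from Alvaka: it correlates the indicators named in this article per host. The event schema (host, type, path, value) is a hypothetical normalized format, and all sample events are constructed.

```python
import ntpath

# Indicators named in the article. Names alone are weak evidence (the
# installer imitates a real tool, AnyKey is a real binary), so correlate.
INSTALLER = "ipscan-3.9.1-setup.exe"
BATCH = "logupdate.bat"
LOLBIN = "microsoft.anykey.exe"
C2_DIRS = tuple(
    ntpath.join(r"c:\programdata\microsoft", d).lower()
    for d in ("WindowsUpdater24", "LogUpdateWindows")
)

def classify(event):
    """Return the indicator names matched by one normalized event."""
    kind = event.get("type")
    path = ntpath.normpath(event.get("path", "")).lower()
    name = ntpath.basename(path)
    hits = []
    if kind in ("file", "process") and name == INSTALLER:
        hits.append("fake-installer")
    if kind in ("file", "process") and name == BATCH:
        hits.append("logupdate-bat")
    # Match the directory itself or anything beneath it, not look-alike prefixes.
    if any(path == d or path.startswith(d + "\\") for d in C2_DIRS):
        hits.append("c2-directory")
    if kind == "registry" and LOLBIN in event.get("value", "").lower():
        hits.append("anykey-persistence")
    return hits

def triage(events, threshold=2):
    """Flag hosts showing at least `threshold` distinct indicators."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(classify(ev))
    return {h: sorted(i) for h, i in per_host.items() if len(i) >= threshold}

# Constructed sample telemetry; hosts, users, paths and the key are made up.
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "file", "path": r"C:\Users\admin\Downloads\ipscan-3.9.1-setup.exe"},
    {"host": "ws-01", "type": "file", "path": r"C:\ProgramData\Microsoft\LogUpdateWindows\LogUpdate.bat"},
    {"host": "ws-01", "type": "registry", "path": r"HKCU\CONSTRUCTED\KEY",
     "value": r"C:\ProgramData\Microsoft\WindowsUpdater24\Microsoft.AnyKey.exe"},
    {"host": "ws-02", "type": "file", "path": r"C:\Users\bob\Downloads\ipscan-3.9.1-setup.exe"},
    {"host": "ws-03", "type": "file", "path": r"C:\ProgramData\Microsoft\Windows\Caches\x.db"},
]

if __name__ == "__main__":
    for host, indicators in triage(SAMPLE_EVENTS).items():
        print(host, indicators)
```

A host with only the installer file name stays below the default threshold; lowering the threshold to 1 surfaces it for manual review.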

Impact

Hunters International has already targeted several high-profile organizations, including Austal USA, Hoya, Integris Health, and the Fred Hutch Cancer Center. These attacks demonstrate the group’s focus on critical sectors and organizations with high ethical standards. In 2024 alone, they have claimed responsibility for 134 ransomware attacks globally, excluding the Commonwealth of Independent States (CIS), making them the tenth most active ransomware group (BleepingComputer) (Help Net Security).

Mitigation Strategies

To mitigate the risk posed by SharpRhino and similar ransomware attacks, organizations should consider the following proactive measures:

  1. Awareness and Education: Train employees, especially IT staff, to recognize phishing attempts and the risks of downloading software from unofficial sources. Encourage the use of ad blockers to reduce exposure to malicious ads (Cyber Security News) (Help Net Security).
  2. Secure Backups: Implement a robust backup strategy, ensuring backups are stored offline or in a secure cloud environment to prevent them from being encrypted during an attack (BleepingComputer).
  3. Network Segmentation: Segment the network to limit the spread of malware within the organization and protect critical systems from lateral movement (Cyber Security News).
  4. Regular Updates and Patches: Keep all software up to date with the latest security patches to minimize vulnerabilities that could be exploited by attackers (BleepingComputer) (Help Net Security).
  5. Security Monitoring: Utilize advanced threat detection tools to monitor network traffic and detect anomalous activities indicative of a malware infection (Cyber Security News) (Help Net Security).

By implementing these strategies, organizations can strengthen their defenses against sophisticated ransomware threats like SharpRhino and minimize potential damage.

For further details on the technical aspects and mitigation strategies for SharpRhino, refer to sources such as BleepingComputer and Help Net Security.
