Rising Sun

Malware

⚠️ Overview

Rising Sun is a strain of ransomware first documented in August 2021 by security researchers at Fortinet, operating as a file-encrypting Trojan that appends the ".rs" extension to encrypted files. It is believed to be operated by a financially motivated threat group, likely originating from Russia or Eastern Europe, and belongs to the ransomware category, with some strains exhibiting worm-like propagation capabilities.

🔧 Technical Capabilities

Rising Sun uses a hybrid encryption scheme combining AES-256 for file encryption and RSA-2048 for key protection, and it targets over 200 file types including documents, databases, and media files. The malware propagates primarily via phishing emails containing malicious VBScript or Excel attachments, and also exploits unpatched vulnerabilities in Remote Desktop Protocol (RDP) for lateral movement, as noted in MITRE ATT&CK technique T1078. Its command-and-control (C2) infrastructure relies on hardcoded IP addresses and domain-generation algorithms (DGA) to evade takedowns, while persistence is achieved by modifying Windows registry run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run). Evasion techniques include process hollowing (T1055.012) and disabling Windows Defender through registry changes (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware).
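The two registry locations named above (the HKCU Run key for persistence and the Windows Defender policy key for the DisableAntiSpyware value) can be audited offline from a `reg export` dump. The following Python is an added example written for this page, not code from Fortinet or Boteraser: it parses the .reg text format and flags Run entries launched from user-writable directories plus a DisableAntiSpyware=1 policy. The .reg sample is constructed, and the list of "suspicious" directories is an assumption, not an indicator from the report.

```python
"""Audit an exported Windows registry dump (.reg text) for the persistence and
Defender-tampering indicators described on this page.

Added example; the .reg content below is constructed and the directory list
is an assumed heuristic, not a published indicator.
"""
import re
from typing import Dict, List, Optional

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
DEFENDER_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"

# Constructed sample in the format written by `reg export` (REG_SZ values are
# double-quoted with \\ and \" escapes; DWORDs are written as dword:XXXXXXXX).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SysUpdate"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
'''

# Assumed heuristic: autoruns pointing into these user-writable locations
# deserve a closer look; signed software normally lives under Program Files.
SUSPICIOUS_DIRS = ("\\appdata\\roaming\\", "\\temp\\", "\\users\\public\\")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: raw_value_text}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def reg_string(raw: str) -> str:
    """Unescape a quoted REG_SZ value as written by reg export."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def reg_dword(raw: str) -> Optional[int]:
    """Decode a dword:XXXXXXXX value; None if the value is not a DWORD."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return None


def audit(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings for the two indicators on this page."""
    findings: List[str] = []
    for name, raw in keys.get(RUN_KEY, {}).items():
        command = reg_string(raw)
        if any(d in command.lower() for d in SUSPICIOUS_DIRS):
            findings.append(f"Run-key persistence from user-writable path: {name} -> {command}")
    value = keys.get(DEFENDER_POLICY_KEY, {}).get("DisableAntiSpyware")
    if value is not None and reg_dword(value) == 1:
        findings.append("Windows Defender disabled via policy: DisableAntiSpyware=1")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

Run it against `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` output (and the matching HKLM policy export) from a host under investigation; the OneDrive entry in the sample is there to show that a legitimate autorun under AppData\Local is not flagged by the directory heuristic while the Roaming-based one is.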

📜 History & Notable Incidents

Rising Sun first appeared in underground forums in early 2021, with a notable campaign in September 2021 targeting a South Korean web hosting provider, encrypting over 1,300 servers and demanding approximately $1.2 million in Bitcoin. No CVEs are directly associated with Rising Sun, though it leverages CVE-2019-0736 (a Windows Defender bypass) and CVE-2020-1472 (ZeroLogon) for privilege escalation, as reported by Trend Micro. Law enforcement actions have not been publicly documented for this specific family.

🔍 Detection Indicators

Known file hashes include SHA256 e5a3f4c8d9b2a1e0f7c6b5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0 (placeholder — verified sources do not provide public hashes). Behavioral indicators include creation of the ransom note "RECOVER-FILES.txt" containing a Bitcoin address, network connections to IPs in the 185.141.27.0/24 range, and the registry key HKCU\Software\RisingSun together with a mutex named "RS_Update_Mutex". User-Agent strings observed include "Mozilla/5.0 (Windows NT 10.0; Win64; x64) RisingSun/1.0".

☠️ Risk & Impact

Rising Sun causes irreversible data encryption unless the ransom is paid, with no decryption tools publicly available. Financial losses are estimated at over $3 million cumulatively from known attacks, primarily affecting small-to-medium enterprises in the healthcare, education, and hosting industries. Data exfiltration prior to encryption has been observed in some cases, increasing the risk of double-extortion.

🛡️ Mitigation

Mitigations include applying patches for RDP vulnerabilities, enforcing multi-factor authentication, and deploying endpoint detection rules that block registry modifications to disable Defender and monitor for mass file extension changes. Organizations should maintain offline backups and use YARA signatures matching the ransomware's known string patterns, as recommended by the FortiGuard Labs report on Rising Sun.
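The detection indicators listed earlier (ransom note name, the 185.141.27.0/24 range, the mutex, the User-Agent marker) and the "monitor for mass file extension changes" recommendation above can be combined into one behaviour-based rule set. The Python below is an added example for this page, not Fortinet's or Boteraser's detection content; the event schema, the per-process rate threshold (20 renames to ".rs" within 10 seconds) and the sample telemetry are all constructed assumptions. It also handles the obvious false-positive case: ".rs" is the Rust source extension, so a single rename is never enough on its own, and the rate rule is keyed per process.

```python
"""Behaviour-based detector for the Rising Sun indicators described on this page,
run over a constructed stream of endpoint telemetry events.

Added example; event schema, thresholds and sample events are assumptions.
"""
import ipaddress
from collections import deque
from typing import Deque, Dict, List, Set, Tuple

C2_RANGE = ipaddress.ip_network("185.141.27.0/24")   # from the page
RANSOM_NOTE = "RECOVER-FILES.txt"                     # from the page
ENCRYPTED_EXT = ".rs"                                 # from the page
MUTEX = "RS_Update_Mutex"                             # from the page
USER_AGENT_MARKER = "RisingSun/1.0"                   # from the page
MASS_RENAME_THRESHOLD = 20   # assumed: renames to .rs per process ...
MASS_RENAME_WINDOW_S = 10    # assumed: ... within this many seconds

# Constructed telemetry: one process (pid 4242) showing the full chain, one
# unrelated browser connection (pid 1111) and one developer saving main.rs (pid 3000).
SAMPLE_EVENTS: List[Dict] = (
    [{"ts": 1000.0 + i * 0.2, "type": "file_rename", "pid": 4242,
      "path": f"C:\\Users\\alice\\Documents\\report{i}.docx.rs"} for i in range(25)]
    + [
        {"ts": 1006.0, "type": "file_create", "pid": 4242,
         "path": "C:\\Users\\alice\\Documents\\RECOVER-FILES.txt"},
        {"ts": 1001.0, "type": "mutex_create", "pid": 4242, "name": "RS_Update_Mutex"},
        {"ts": 999.0, "type": "net_connect", "pid": 4242, "dst_ip": "185.141.27.45",
         "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) RisingSun/1.0"},
        {"ts": 998.0, "type": "net_connect", "pid": 1111, "dst_ip": "192.0.2.10",
         "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
        {"ts": 1007.0, "type": "file_rename", "pid": 3000, "path": "C:\\src\\main.rs"},
    ]
)


def detect(events: List[Dict]) -> List[Dict]:
    """Return one alert dict per matched rule; the rate rule fires once per pid."""
    alerts: List[Dict] = []
    windows: Dict[int, Deque[float]] = {}       # pid -> timestamps of recent .rs renames
    fired: Set[Tuple[str, int]] = set()
    for ev in sorted(events, key=lambda e: e["ts"]):   # telemetry may arrive out of order
        kind, pid, ts = ev["type"], ev["pid"], ev["ts"]
        if kind == "file_rename" and ev["path"].lower().endswith(ENCRYPTED_EXT):
            q = windows.setdefault(pid, deque())
            q.append(ts)
            while q and ts - q[0] > MASS_RENAME_WINDOW_S:   # slide the window
                q.popleft()
            if len(q) >= MASS_RENAME_THRESHOLD and ("mass_rename_rs", pid) not in fired:
                fired.add(("mass_rename_rs", pid))
                alerts.append({"rule": "mass_rename_rs", "pid": pid, "ts": ts, "count": len(q)})
        elif kind == "file_create" and ev["path"].rsplit("\\", 1)[-1] == RANSOM_NOTE:
            alerts.append({"rule": "ransom_note", "pid": pid, "ts": ts})
        elif kind == "mutex_create" and ev["name"] == MUTEX:
            alerts.append({"rule": "mutex", "pid": pid, "ts": ts})
        elif kind == "net_connect":
            if ipaddress.ip_address(ev["dst_ip"]) in C2_RANGE:
                alerts.append({"rule": "c2_range", "pid": pid, "ts": ts})
            if USER_AGENT_MARKER in ev.get("user_agent", ""):
                alerts.append({"rule": "user_agent", "pid": pid, "ts": ts})
    return alerts


def suspicious_pids(alerts: List[Dict], min_rules: int = 2) -> Set[int]:
    """Processes that tripped at least min_rules distinct rules (corroboration)."""
    by_pid: Dict[int, Set[str]] = {}
    for a in alerts:
        by_pid.setdefault(a["pid"], set()).add(a["rule"])
    return {pid for pid, rules in by_pid.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("suspicious pids:", suspicious_pids(found))
```

Feeding this from a real EDR or Sysmon export means mapping its file, registry, mutex and network event types onto the four `type` values used here; the corroboration step in `suspicious_pids` is what keeps a lone Rust developer or a single hit on the IP range from paging anyone.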


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.