RushDrop
⚠️ Overview
RushDrop is a ransomware family first documented in October 2022 by the Cyble Research Lab and attributed to a financially motivated threat actor operating under the alias "RushTeam". It follows the double-extortion model: sensitive data is exfiltrated before files are encrypted, so victims are pressured both by loss of access and by the threat of publication. It is operated as Ransomware-as-a-Service (RaaS), with affiliates recruited on underground forums.
🔧 Technical Capabilities
RushDrop gains initial access primarily through phishing emails carrying malicious Microsoft Office documents that exploit CVE-2017-11882 (the Equation Editor memory-corruption flaw) and through compromised RDP endpoints. The attack chain uses PowerShell to download a loader module from a remote C2 server over HTTPS on port 443; the C2 channel uses self-signed certificates, which is itself a detectable property where TLS certificate logging or inspection is in place. Persistence is achieved with a scheduled task named "RushUpdate" and a Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include an anti-debugging check (IsDebuggerPresent), process hollowing to masquerade as a legitimate svchost.exe, and disabling Windows Defender through PowerShell. Files are encrypted with AES-256-CBC using a unique key per file; the per-file keys are protected with an RSA-4096 public key embedded in the binary, so recovery requires the operator's private key.
📜 History & Notable Incidents
The first major campaign occurred in November 2022, targeting healthcare organizations in the United States with a ransom demand of $50,000 in Bitcoin. In January 2023, RushDrop compromised a regional manufacturing firm in Germany, exfiltrating 2.5 TB of CAD files before encryption. No CVE is unique to RushDrop; the only vulnerability it is known to exploit is CVE-2017-11882, for initial access. No law enforcement action has been reported, and the group remained active as of early 2025.
🔍 Detection Indicators
Known file hashes include SHA-256 3a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b (reported by Cyble); this value is a strictly sequential hex pattern, so confirm it against the original Cyble report before loading it into a blocklist. Behavioral indicators include enumeration of shares with net share and creation of a ransom note named "READ_ME_RushDrop.txt" containing a unique victim ID. Network IOCs include the C2 domains rushdrop[.]top and rush-team[.]xyz and an HTTP User-Agent string containing "RushLoader/1.0". The malware creates a mutex named "RushMutex" to prevent multiple instances from running; mutex creation is not recorded in standard Windows event logs, so look for it in sandbox output or with a handle-enumeration tool on a live host.
☠️ Risk & Impact
RushDrop exfiltrates sensitive documents, CAD files and databases, leading to intellectual-property theft and operational downtime. Reported ransom payments have ranged from $10,000 to $200,000 per incident, plus recovery costs. The sectors most affected are healthcare, manufacturing and legal services, according to public reports from Cyble and BleepingComputer.
🛡️ Mitigation
Mitigation includes blocking executable and macro-enabled Office attachments at the mail gateway and preventing Office applications from spawning child processes such as PowerShell; patching CVE-2017-11882 (KB4011162 is the update for one Office version; apply the update matching your Office build, and note that Microsoft removed the Equation Editor component entirely in the January 2018 updates); and deploying an endpoint detection rule (a Sigma rule, for example; Sigma rules are identified by UUIDs, and the page cites no valid identifier) that alerts on creation of a scheduled task named "RushUpdate". Regular backups stored off-network are critical, RDP should not be exposed directly to the internet, and multi-factor authentication should be enforced on all RDP connections.
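The indicators from the Technical Capabilities and Detection Indicators sections, and the scheduled-task rule named under Mitigation, can be turned into a single triage pass over exported telemetry. The block below is an added example, not code from this page, from Cyble or from the actor. It assumes flat dict records mimicking Windows Security, Sysmon, proxy, DNS and sandbox events (the field names are an assumption and must be mapped to your own SIEM schema), and it assumes Set-MpPreference -DisableRealtimeMonitoring as the Defender-disabling command, which the page does not quote. The sample events are constructed for the demo.

```python
"""Match the RushDrop indicators listed on this page against exported
Windows telemetry.  Added example; not from the page, Cyble or the actor.
Event records are constructed flat dicts mimicking Security, Sysmon,
proxy, DNS and sandbox events; field names are an assumption."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators exactly as the page prints them.  The SHA-256 is a sequential
# hex pattern, so confirm it against the original Cyble report before use.
TASK_NAME = "RushUpdate"
RUN_KEY_TAIL = "\\software\\microsoft\\windows\\currentversion\\run\\"
RANSOM_NOTE = "READ_ME_RushDrop.txt"
MUTEX = "RushMutex"
USER_AGENT = "RushLoader/1.0"
C2_DOMAINS = {"rushdrop.top", "rush-team.xyz"}
SHA256S = {"3a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b"}

# Assumption: the page says Defender is disabled "via PowerShell" but does
# not quote the command; this is the usual cmdlet form.
DEFENDER_OFF = re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*/create\b.*/tn\s+['\"]?" + TASK_NAME + r"\b", re.I)
SHARE_ENUM = re.compile(r"\bnet(?:1)?(?:\.exe)?\s+(?:share|view)\b", re.I)


@dataclass(frozen=True)
class Hit:
    host: str
    rule: str
    weight: int


def check_event(ev: dict) -> list[Hit]:
    """Return every rule a single event trips; one event may trip several."""
    host = ev.get("host", "?")
    src, eid = ev.get("source"), ev.get("event_id")
    cmd = ev.get("command_line", "")
    hits: list[Hit] = []

    # Persistence: Security 4698 (scheduled task created) or schtasks /create.
    if (src == "Security" and eid == 4698
            and ev.get("task_name", "").lower().endswith(TASK_NAME.lower())) \
            or SCHTASKS_CREATE.search(cmd):
        hits.append(Hit(host, "persistence.scheduled_task", 60))

    # Persistence: Sysmon 13 (registry value set) under the per-user Run key.
    # Sysmon writes HKCU as HKU\<SID>, so only the key tail is compared.
    obj = ev.get("target_object", "").lower()
    if src == "Sysmon" and eid == 13 and obj.startswith("hku\\") and RUN_KEY_TAIL in obj:
        hits.append(Hit(host, "persistence.run_key", 40))

    # Defense evasion: Defender real-time protection switched off.
    if DEFENDER_OFF.search(cmd):
        hits.append(Hit(host, "evasion.defender_disabled", 50))

    # Discovery: share enumeration.  Low weight alone; admins do this too.
    if SHARE_ENUM.search(cmd):
        hits.append(Hit(host, "discovery.share_enum", 10))

    # Impact: ransom note dropped (Sysmon 11, file create).
    if src == "Sysmon" and eid == 11 and ev.get("target_filename", "").lower().endswith(RANSOM_NOTE.lower()):
        hits.append(Hit(host, "impact.ransom_note", 90))

    # Atomic IOCs: hash (Sysmon "Hashes" field), C2 domain, User-Agent, mutex.
    hashes = dict(p.split("=", 1) for p in ev.get("hashes", "").split(",") if "=" in p)
    if hashes.get("SHA256", "").lower() in SHA256S:
        hits.append(Hit(host, "ioc.sha256", 90))
    if ev.get("query", "").rstrip(".").lower() in C2_DOMAINS:
        hits.append(Hit(host, "ioc.c2_domain", 80))
    if USER_AGENT.lower() in ev.get("user_agent", "").lower():
        hits.append(Hit(host, "ioc.user_agent", 80))
    # Mutex names are absent from standard Windows logs; this field would come
    # from a sandbox report or a handle dump fed into the same pipeline.
    if ev.get("mutex") == MUTEX:
        hits.append(Hit(host, "ioc.mutex", 70))
    return hits


def triage(events) -> dict[str, tuple[int, list[str]]]:
    """Group hits per host and return {host: (score, sorted rule names)}."""
    per_host: dict[str, set[Hit]] = defaultdict(set)
    for ev in events:
        per_host[ev.get("host", "?")].update(check_event(ev))  # set dedups repeats
    return {h: (sum(x.weight for x in hs), sorted({x.rule for x in hs}))
            for h, hs in per_host.items() if hs}


# Constructed sample telemetry: WS-042 is infected, FS-01 shows only admin activity.
SAMPLE_EVENTS = [
    {"host": "WS-042", "source": "Sysmon", "event_id": 1,
     "command_line": 'powershell.exe -ep bypass -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "WS-042", "source": "Sysmon", "event_id": 1,
     "command_line": 'schtasks.exe /create /sc minute /mo 5 /tn "RushUpdate" /tr C:\\Users\\Public\\svc.exe'},
    {"host": "WS-042", "source": "Security", "event_id": 4698, "task_name": "\\RushUpdate"},
    {"host": "WS-042", "source": "Sysmon", "event_id": 13,
     "target_object": "HKU\\S-1-5-21-111-222-333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\RushUpdate"},
    {"host": "WS-042", "source": "Sysmon", "event_id": 1, "command_line": "net share"},
    {"host": "WS-042", "source": "Sysmon", "event_id": 1, "image": "C:\\Users\\Public\\svc.exe",
     "hashes": "SHA256=3A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1D2E3F4A5B6C7D8E9F0A1B"},
    {"host": "WS-042", "source": "proxy", "user_agent": "RushLoader/1.0", "dest": "rushdrop.top:443"},
    {"host": "WS-042", "source": "dns", "query": "rush-team.xyz."},
    {"host": "WS-042", "source": "sandbox", "mutex": "RushMutex"},
    {"host": "WS-042", "source": "Sysmon", "event_id": 11,
     "target_filename": "C:\\Users\\alice\\Documents\\READ_ME_RushDrop.txt"},
    {"host": "FS-01", "source": "Sysmon", "event_id": 1, "command_line": "net share backup=D:\\backup"},
    {"host": "FS-01", "source": "Sysmon", "event_id": 1,
     "command_line": 'schtasks.exe /create /tn "OneDriveUpdate" /tr "C:\\Program Files\\OneDrive\\update.exe"'},
]

if __name__ == "__main__":
    for host, (score, rules) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: score={score} rules={rules}")
```

The weights are illustrative: the ransom note, hash and C2 indicators are near-certain on their own, while share enumeration and a Run-key write are only meaningful in combination, which is why hits are summed per host rather than alerted individually. In production the hash and domain sets would be loaded from a threat-intelligence feed rather than hard-coded.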
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.