Discovery Enum
- PowerView
Rhysida is a ransomware family and ransomware-as-a-service operation that emerged in 2023 and has been used in double-extortion attacks against organizations worldwide.
Profile source: Mallory opens in a new tabRhysida
Rhysida is a ransomware family and ransomware-as-a-service operation that emerged in 2023 and has been used in double-extortion attacks against organizations worldwide. The malware encrypts victim systems while operators or affiliates also steal data and threaten to leak or sell it to increase pressure for payment. Rhysida has been associated with attacks affecting healthcare, education, government, manufacturing, information technology, and other critical sectors, with multiple high-profile incidents involving operational disruption and exposure of sensitive personal or organizational data.
Rhysida intrusions have been linked to opportunistic targeting as well as affiliate-driven campaigns. Reported initial access methods include phishing and compromise of external remote access services, including VPN access obtained with stolen or valid credentials. Public reporting also associates Rhysida activity with exploitation of exposed services and, in some cases, use of known vulnerabilities such as Zerologon in broader attack chains. Deployment has been observed via Cobalt Strike or similar post-exploitation frameworks, and some reporting links the ecosystem around Rhysida to signed malware delivery chains that abuse fraudulent code-signing services to reduce security friction.
On execution, Rhysida traverses files on local systems and drops PDF ransom notes instructing victims to contact the operators through a Tor-based portal using a unique identifier. The operation commonly demands cryptocurrency and follows a multi-extortion model in which stolen data is advertised, auctioned, or leaked if negotiations fail. Rhysida has been described as an emerging but tactically diverse ransomware threat, and some analyses note similarities or possible lineage connections with Vice Society or related affiliate activity. The exact identity of the operators remains unconfirmed, although the operation is widely treated as a financially motivated criminal enterprise rather than a state-directed campaign.
Ransomware.live
Ransomware.live
f6e5f0ed974c89e2b4a47989fc987c796742fdde9d5fde37ac5a9c9cbb1f691f7cfba113342f78b5909f606c26fc1dc46dd8c26f64df37d0c7645b63c9bba51f0cf5491278c7d87e8c3fc88c7f9f26ffd86383882515b7a9218d5f69924feadf3225b95fc72f238ab1e53bfabc11b551ddaa09b5c3bf5aa24e300c24905469f25f3ecd02a94cec2b62bfecd79f5a1d981888ecf4e90f02ecaaefdb3624825fa2Reported operators
The Rhysida and Interlock groups, which are known to attack healthcare and other critical infrastructure, have similar TTPs and encryption binaries, leading to some speculation of a connection between the two groups.
Vice Society was observed deploying INC ransomware against the health care industry; this group has a long-standing habit of cycling through third-party payloads such as BlackCat, Rhysida, Hello Kitty, Zeppelin, and Quantum Locker.
US government agencies released an advisory note on Rhysida last week, stating that the “emerging ransomware variant” had been deployed against the education, manufacturing, IT and government sectors since May.
Associated malware includes Rhysida ransomware, Lumma Stealer, Vidar infostealer, and the Oyster (Broomstick) backdoor.
Associated malware includes Rhysida ransomware, Lumma Stealer, Vidar infostealer, and the Oyster (Broomstick) backdoor.
Associated malware includes Rhysida ransomware, Lumma Stealer, Vidar infostealer, and the Oyster (Broomstick) backdoor.
Rhysida is a cybercriminal group that first surfaced in May 2023. Its ransomware can steal data and lock down targeted systems. It then demands a ransom both for deleting stolen data and for a key to restore infected devices. Rhysida operates a ransomware-as-a-service business in which affiliates pay Rhysida to use its malware and infrastructure to launch attacks and collect ransoms.
OysterLoader, also tracked as Broomstick and CleanUp, is a multi-stage loader malware written in C++ and actively leveraged in campaigns linked to the Rhysida ransomware group.
Scattered Spider... aka possibly sometimes BlackCatALPHV or Rhysida... Rhysida (New in Top Variants).
"...the same threat actor deploying Rhysida ransomware against two different organizations..."
X-Force links the group to malware developers/operators such as Broomstick, Supper, PortStarter, SystemBC, and Rhysida ransomware...
Exploited software
MITRE ATT&CK
Reporting
The findings make CylindricalCanine the latest addition to a list of threat actors, such as Black Basta, TamperedChef (aka EvilAI), and Rhysida, that are known to abuse code-signing certificates in their cyber operations.
Vice Society was observed deploying INC ransomware against the health care industry; this group has a long-standing habit of cycling through third-party payloads such as BlackCat, Rhysida, Hello Kitty, Zeppelin, and Quantum Locker.
Microsoft noted that the operation enabled the deployment of Rhysida ransomware by threat actors such as Vanilla Tempest...
This service facilitated the signing of malicious files, including Rhysida ransomware, Oyster, Lumma Stealer, and Vidar, helping them bypass security controls.
Associated malware includes Rhysida ransomware, Lumma Stealer, Vidar infostealer, and the Oyster (Broomstick) backdoor.
The service had been used to sign and distribute malware, including Rhysida ransomware, Oyster, Lumma Stealer, and Vidar, making malicious software appear legitimate and easier to deliver at scale.
The first office/team appears to have its own locker - Rhysida ransomware.
Rhysida, a highly evolved ransomware variant that both encrypts files and steals data, often used for double extortion, has been used by various actors in numerous high-profile attacks globally.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.