Skip to content
Ransomware group Windows

Rhysida

Rhysida is a ransomware family and ransomware-as-a-service operation that emerged in 2023 and has been used in double-extortion attacks against organizations worldwide.

Profile source: Mallory opens in a new tab

Rhysida

Family profile

Rhysida is a ransomware family and ransomware-as-a-service operation that emerged in 2023 and has been used in double-extortion attacks against organizations worldwide. The malware encrypts victim systems while operators or affiliates also steal data and threaten to leak or sell it to increase pressure for payment. Rhysida has been associated with attacks affecting healthcare, education, government, manufacturing, information technology, and other critical sectors, with multiple high-profile incidents involving operational disruption and exposure of sensitive personal or organizational data.

Rhysida intrusions have been linked to opportunistic targeting as well as affiliate-driven campaigns. Reported initial access methods include phishing and compromise of external remote access services, including VPN access obtained with stolen or valid credentials. Public reporting also associates Rhysida activity with exploitation of exposed services and, in some cases, use of known vulnerabilities such as Zerologon in broader attack chains. Deployment has been observed via Cobalt Strike or similar post-exploitation frameworks, and some reporting links the ecosystem around Rhysida to signed malware delivery chains that abuse fraudulent code-signing services to reduce security friction.

On execution, Rhysida traverses files on local systems and drops PDF ransom notes instructing victims to contact the operators through a Tor-based portal using a unique identifier. The operation commonly demands cryptocurrency and follows a multi-extortion model in which stolen data is advertised, auctioned, or leaked if negotiations fail. Rhysida has been described as an emerging but tactically diverse ransomware threat, and some analyses note similarities or possible lineage connections with Vice Society or related affiliate activity. The exact identity of the operators remains unconfirmed, although the operation is widely treated as a financially motivated criminal enterprise rather than a state-directed campaign.

Capabilities

  • Credential Theft
  • Defense Evasion
  • Exfiltration
  • Extortion
  • Initial Access
  • Post Exploitation

Ransomware.live

Operational record

View group record ↗

Discovery Enum

  • PowerView

Exfiltration

  • WinSCP

LOLBAS

  • NTDS Utility (ntdsutil)
  • PsExec
  • WMIC
  • Windows Event Utility (wevtutil)

Offsec

  • Impacket

RMM Tools

  • AnyDesk

Ransomware.live

Published indicators

Full source record ↗

Md5

28 total
  • f6e5f0ed974c89e2b4a47989fc987c79
  • 6742fdde9d5fde37ac5a9c9cbb1f691f
  • 7cfba113342f78b5909f606c26fc1dc4
  • 6dd8c26f64df37d0c7645b63c9bba51f
  • 0cf5491278c7d87e8c3fc88c7f9f26ff
  • d86383882515b7a9218d5f69924feadf
  • 3225b95fc72f238ab1e53bfabc11b551
  • ddaa09b5c3bf5aa24e300c24905469f2
  • 5f3ecd02a94cec2b62bfecd79f5a1d98
  • 1888ecf4e90f02ecaaefdb3624825fa2

Reported operators

Threat actors

11 named in public reporting
KongTuke

The Rhysida and Interlock groups, which are known to attack healthcare and other critical infrastructure, have similar TTPs and encryption binaries, leading to some speculation of a connection between the two groups.

Vanilla Tempest

Vice Society was observed deploying INC ransomware against the health care industry; this group has a long-standing habit of cycling through third-party payloads such as BlackCat, Rhysida, Hello Kitty, Zeppelin, and Quantum Locker.

Gold Victor

US government agencies released an advisory note on Rhysida last week, stating that the “emerging ransomware variant” had been deployed against the education, manufacturing, IT and government sectors since May.

Storm-0501

Associated malware includes Rhysida ransomware, Lumma Stealer, Vidar infostealer, and the Oyster (Broomstick) backdoor.

Storm-0249

Associated malware includes Rhysida ransomware, Lumma Stealer, Vidar infostealer, and the Oyster (Broomstick) backdoor.

Storm 2561

Associated malware includes Rhysida ransomware, Lumma Stealer, Vidar infostealer, and the Oyster (Broomstick) backdoor.

Rhysida

Rhysida is a cybercriminal group that first surfaced in May 2023. Its ransomware can steal data and lock down targeted systems. It then demands a ransom both for deleting stolen data and for a key to restore infected devices. Rhysida operates a ransomware-as-a-service business in which affiliates pay Rhysida to use its malware and infrastructure to launch attacks and collect ransoms.

WIZARD SPIDER

OysterLoader, also tracked as Broomstick and CleanUp, is a multi-stage loader malware written in C++ and actively leveraged in campaigns linked to the Rhysida ransomware group.

Scattered Spider

Scattered Spider... aka possibly sometimes BlackCatALPHV or Rhysida... Rhysida (New in Top Variants).

TAC5279

"...the same threat actor deploying Rhysida ransomware against two different organizations..."

Hive0163

X-Force links the group to malware developers/operators such as Broomstick, Supper, PortStarter, SystemBC, and Rhysida ransomware...

Exploited software

Vulnerabilities linked to Rhysida

1 CVEs

MITRE ATT&CK

Rhysida in ATT&CK

51 distinct techniques

Techniques

51 techniques
T1486 Data Encrypted for Impact T1553.002 Code Signing T1036 Masquerading T1587.001 Malware T1204 User Execution T1608.006 SEO Poisoning T1537 Transfer Data to Cloud Account T1583 Acquire Infrastructure T1567 Exfiltration Over Web Service T1041 Exfiltration Over C2 Channel T1074 Data Staged T1078 Valid Accounts T1210 Exploitation of Remote Services T1218 System Binary Proxy Execution T1133 External Remote Services T1657 Financial Theft T1190 Exploit Public-Facing Application T1566 Phishing T1068 Exploitation for Privilege Escalation T1048 Exfiltration Over Alternative Protocol T1553 Subvert Trust Controls T1189 Drive-by Compromise T1204.002 Malicious File T1105 Ingress Tool Transfer T1005 Data from Local System T1021.001 Remote Desktop Protocol T1491 Defacement T1489 Service Stop T1195.002 Compromise Software Supply Chain T1548.002 Abusing Elevation Control Mechanism: Bypass User Account Control T1059 Command and Scripting Interpreter T1129 Shared Modules T1547.001 Registry Run Keys / Startup Folder T1055 Process Injection T1055.003 Thread Execution Hijacking T1027 Obfuscated Files or Information T1497 Virtualization/Sandbox Evasion T1564 Hidden Artifacts T1564.004 NTFS File Attributes T1620 Reflective DLL Injection T1010 Application Window Discovery T1057 Process Discovery T1082 System Information Discovery T1083 File and Directory Discovery T1518.001 Security Software Discovery T1119 Automated Collection T1071 Application Layer Protocol T1071.001 Web Protocols T1587 Develop Capabilities T1595 Active Scanning T1598 Phishing for Information

Reporting

Research mentioning Rhysida

Jul 17
The Hacker News

GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft

The findings make CylindricalCanine the latest addition to a list of threat actors, such as Black Basta, TamperedChef (aka EvilAI), and Rhysida, that are known to abuse code-signing certificates in their cyber operations.

Jun 17
Acronis

From emerging threat to top-tier ransomware-as-a-service: The evolution of INC ransomware

Vice Society was observed deploying INC ransomware against the health care industry; this group has a long-standing habit of cycling through third-party payloads such as BlackCat, Rhysida, Hello Kitty, Zeppelin, and Quantum Locker.

May 20
The Hacker News

Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks

Microsoft noted that the operation enabled the deployment of Rhysida ransomware by threat actors such as Vanilla Tempest...

May 20
Scworld

Microsoft disrupts Fox Tempest malware-signing service | brief | SC Media

This service facilitated the signing of malicious files, including Rhysida ransomware, Oyster, Lumma Stealer, and Vidar, helping them bypass security controls.

May 20
Cyber Security News

Fox Tempest Malware-Signing Service Abused Microsoft Artifact Signing to Certify Malware

Associated malware includes Rhysida ransomware, Lumma Stealer, Vidar infostealer, and the Oyster (Broomstick) backdoor.

May 19
Security Affairs

Microsoft dismantled Malware-signing network Fox Tempest

The service had been used to sign and distribute malware, including Rhysida ransomware, Oyster, Lumma Stealer, and Vidar, making malicious software appear legitimate and easier to deliver at scale.

May 19
Trellix

Analysis of Black Basta Ransomware Chat Leaks

The first office/team appears to have its own locker - Rhysida ransomware.

May 19
Microsoft On The Issues

Disrupting Fox Tempest: A cybercrime service that turned “verified” software into a pathway for ransomware - Microsoft On the Issues

Rhysida, a highly evolved ransomware variant that both encrypts files and steals data, often used for double extortion, has been used by various actors in numerous high-profile attacks globally.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.