Rhysida

Rhysida is a Ransomware-as-a-Service (RaaS) group that emerged in May 2023, known for double extortion attacks targeting sectors like healthcare and education, and has ties to the notorious Vice Society ransomware group.

Is Your Organization Safe from Rhysida Ransomware Attacks?

The Origin of Rhysida

Rhysida ransomware was first observed in May 2023 and has quickly established itself as a prominent Ransomware-as-a-Service (RaaS) group. Known for targeting critical sectors, Rhysida has been linked to attacks against major institutions like the Chilean Army and Prospect Medical Holdings, which impacted 17 hospitals and 166 clinics in the U.S. The group presents itself as a “cybersecurity team” while engaging in double extortion: encrypting data and threatening to leak it publicly unless a ransom is paid. There are growing links between Rhysida and the Vice Society ransomware group, as technical and operational similarities have been observed.

Their name, "Rhysida," is derived from a type of centipede, symbolizing their stealthy and multi-legged approach to cyber attacks.

Image source: CISA

Targets

Rhysida's Targets

Countries targeted by Rhysida

Active primarily in North America, Europe, and Australia, Rhysida has targeted organizations in countries such as the United States, Italy, Spain, and the United Kingdom. Their attacks have extended across various industries, reflecting their global reach.

Image source: SOCradar

Industries targeted by Rhysida

Rhysida primarily targets the education, healthcare, government, and manufacturing sectors, exploiting the vulnerabilities in critical institutions. These attacks have often led to operational disruptions and significant financial and data losses.

Image source: Trend Micro

Industries targeted by Rhysida

Rhysida primarily targets the education, healthcare, government, and manufacturing sectors, exploiting the vulnerabilities in critical institutions. These attacks have often led to operational disruptions and significant financial and data losses.

Image source: Trend Micro

Rhysida's Victims

In addition to attacking the Chilean Army, Rhysida has targeted the healthcare sector, including an attack on Prospect Medical Holdings. Additionally, they are responsible for breaching several educational institutions, including incidents involving the University of West Scotland.

Image source: Trend Micro

Attack Method

Rhysida's Attack Method

A shadowy figure casting a wide net over a digital landscape filled with various devices such as computers, smartphones, and tablets. The net symbolizes the attacker's attempts to find vulnerabilities or use phishing techniques to gain unauthorized access.

Rhysida actors gain access via compromised credentials or phishing, using external-facing services such as VPNs without multi-factor authentication (MFA)​. Exploits such as the Zerologon vulnerability (CVE-2020-1472) have also been used.

A digital ladder extending upwards from a basic user icon towards a crown symbolizing administrative privileges. This represents the attacker's efforts to gain higher-level access within the system.

The attackers escalate privileges using tools like ntdsutil.exe to extract domain credentials. They have been observed targeting the NTDS database for domain-wide password changes​.

A chameleon blending into a digital background, with zeroes and ones flowing around it. This represents the attacker's ability to avoid detection by security measures, changing tactics to blend in with normal network traffic.

Rhysida frequently uses PowerShell and PsExec to clear event logs and delete forensic artifacts, such as recently accessed files and folders, RDP logs, and PowerShell history.

A thief with a lockpick toolkit working on a giant keyhole shaped like a login form, representing the attacker's efforts to steal user credentials to gain unauthorized access.

The group employs credential dumping tools like secretsdump to extract credentials from compromised systems. These credentials allow the attackers to escalate privileges and further their control within the network​.

A magnifying glass moving over a digital map of a network, highlighting files, folders, and network connections. This image represents the phase where attackers explore the environment to understand the structure and where valuable data resides.

Rhysida operators use native tools like ipconfig, whoami, and net commands to conduct reconnaissance within the victim environment.

A series of interconnected nodes with a shadowy figure moving stealthily between them. This illustrates the attacker's movements within the network, seeking to gain control of additional systems or spread malware.

Remote services such as RDP and SSH via PuTTY are used for lateral movement. PsExec is frequently deployed for the final ransomware payload distribution​.

A large vacuum sucking up files, data icons, and folders into a bag held by a shadowy figure. This image symbolizes the process of gathering valuable data from the target network.

Before executing the ransomware payload, the attackers gather critical data, preparing it for encryption or exfiltration as part of their double extortion strategy.

A command prompt window open in front of a digital background, with malicious code being typed out. This represents the phase where attackers execute their malicious payload within the compromised system.

Rhysida's payload is deployed using PsExec, and data is encrypted using 4096-bit RSA and ChaCha20 encryption algorithms. The .rhysida extension is added to all encrypted files​.

A series of files being funneled through a covert channel out of a computer to a cloud labeled with a skull, symbolizing the unauthorized transfer of data to a location controlled by the attacker.

The group uses double extortion, exfiltrating sensitive data to threaten public disclosure if ransoms are not paid.

A cracked screen with a digital cityscape in chaos behind it, symbolizing the destructive impact of the cyberattack, such as service disruption, data destruction, or financial loss.

Rhysida’s operations typically culminate in severe disruptions, data encryption, and demands for Bitcoin payments, often amounting to millions.

A shadowy figure casting a wide net over a digital landscape filled with various devices such as computers, smartphones, and tablets. The net symbolizes the attacker's attempts to find vulnerabilities or use phishing techniques to gain unauthorized access.
Initial Access

Rhysida actors gain access via compromised credentials or phishing, using external-facing services such as VPNs without multi-factor authentication (MFA)​. Exploits such as the Zerologon vulnerability (CVE-2020-1472) have also been used.

A digital ladder extending upwards from a basic user icon towards a crown symbolizing administrative privileges. This represents the attacker's efforts to gain higher-level access within the system.
Privilege Escalation

The attackers escalate privileges using tools like ntdsutil.exe to extract domain credentials. They have been observed targeting the NTDS database for domain-wide password changes​.

A chameleon blending into a digital background, with zeroes and ones flowing around it. This represents the attacker's ability to avoid detection by security measures, changing tactics to blend in with normal network traffic.
Defense Evasion

Rhysida frequently uses PowerShell and PsExec to clear event logs and delete forensic artifacts, such as recently accessed files and folders, RDP logs, and PowerShell history.

A thief with a lockpick toolkit working on a giant keyhole shaped like a login form, representing the attacker's efforts to steal user credentials to gain unauthorized access.
Credential Access

The group employs credential dumping tools like secretsdump to extract credentials from compromised systems. These credentials allow the attackers to escalate privileges and further their control within the network​.

A magnifying glass moving over a digital map of a network, highlighting files, folders, and network connections. This image represents the phase where attackers explore the environment to understand the structure and where valuable data resides.
Discovery

Rhysida operators use native tools like ipconfig, whoami, and net commands to conduct reconnaissance within the victim environment.

A series of interconnected nodes with a shadowy figure moving stealthily between them. This illustrates the attacker's movements within the network, seeking to gain control of additional systems or spread malware.
Lateral Movement

Remote services such as RDP and SSH via PuTTY are used for lateral movement. PsExec is frequently deployed for the final ransomware payload distribution​.

A large vacuum sucking up files, data icons, and folders into a bag held by a shadowy figure. This image symbolizes the process of gathering valuable data from the target network.
Collection

Before executing the ransomware payload, the attackers gather critical data, preparing it for encryption or exfiltration as part of their double extortion strategy.

A command prompt window open in front of a digital background, with malicious code being typed out. This represents the phase where attackers execute their malicious payload within the compromised system.
Execution

Rhysida's payload is deployed using PsExec, and data is encrypted using 4096-bit RSA and ChaCha20 encryption algorithms. The .rhysida extension is added to all encrypted files​.

A series of files being funneled through a covert channel out of a computer to a cloud labeled with a skull, symbolizing the unauthorized transfer of data to a location controlled by the attacker.
Exfiltration

The group uses double extortion, exfiltrating sensitive data to threaten public disclosure if ransoms are not paid.

A cracked screen with a digital cityscape in chaos behind it, symbolizing the destructive impact of the cyberattack, such as service disruption, data destruction, or financial loss.
Impact

Rhysida’s operations typically culminate in severe disruptions, data encryption, and demands for Bitcoin payments, often amounting to millions.

MITRE ATT&CK Mapping

TTPs used by Rhysida

TA0001: Initial Access
T1566
Phishing
T1190
Exploit Public-Facing Application
TA0002: Execution
T1059
Command and Scripting Interpreter
TA0003: Persistence
No items found.
TA0004: Privilege Escalation
No items found.
TA0005: Defense Evasion
T1070
Indicator Removal
TA0006: Credential Access
T1528
Steal Application Access Token
T1003
OS Credential Dumping
TA0007: Discovery
No items found.
TA0008: Lateral Movement
T1021
Remote Services
TA0009: Collection
No items found.
TA0011: Command and Control
No items found.
TA0010: Exfiltration
No items found.
TA0040: Impact
T1657
Financial Theft
Platform Detections

How to Detect Rhysida with Vectra AI

List of the Detections available in the  Vectra AI Platform that would indicate a ransomware attack.

FAQs

What is Rhysida ransomware?

Rhysida is a Ransomware-as-a-Service group using double extortion to encrypt and exfiltrate data, targeting sectors like healthcare and education.

When did Rhysida first emerge?

The group was first observed in May 2023.

What industries does Rhysida target?

It primarily focuses on education, healthcare, manufacturing, government, and IT sectors.

What countries are affected by Rhysida?

The group has been most active in the U.S., U.K., Italy, and Spain.

How does Rhysida gain access to networks?

Rhysida actors gain access through phishing or exploiting vulnerabilities in external-facing services, often leveraging weak or stolen credentials.

What encryption methods does Rhysida use?

The group uses 4096-bit RSA and ChaCha20 encryption algorithms to lock victims' data.

Is there a link between Rhysida and Vice Society?

There are notable similarities between the TTPs of Rhysida and Vice Society, suggesting a possible operational overlap.

How can organizations protect against Rhysida?

Organizations should implement MFA, patch known vulnerabilities, and ensure robust backup and recovery systems.

How does Rhysida avoid detection?

The group uses techniques like clearing event logs, deleting artifacts, and hiding activity through PowerShell​.

What steps should be taken after a Rhysida attack?

Organizations should isolate affected systems, preserve forensic evidence, report the incident to law enforcement, and avoid paying the ransom if possible. Implementing robust security measures, such as NDR and network segmentation, is also recommended.