Rhysida

Rhysida is a financially motivated ransomware group active since at least May 2023 that operates as a Ransomware-as-a-Service platform. Reporting in the provided content describes Rhysida as notable for extorting healthcare organizations and other critical infrastructure, with healthcare, education, and government also cited among affected sectors. Most victims referenced in one IBM X-Force analysis were in the United States. The group has been linked to incidents affecting healthcare organizations and public-sector entities, including claims around Prospect Medical Holdings, Cookeville Regional Medical Center, Columbus city systems, and an airport attack referenced in the content. The content links Rhysida to several upstream criminal service providers and tooling ecosystems. Multiple reports state that the initial access broker Woodgnat, also known as KongTuke, has sold or enabled access for ransomware groups including Rhysida, alongside Qilin, Interlock, Akira, 8Base, and Black Basta. Woodgnat has used compromised WordPress sites, ClickFix/FileFix/CrashFix lures, and Microsoft Teams helpdesk impersonation to obtain access. Rhysida operators have also been associated with use of SYSTEMBC, which Kroll says is favored by Rhysida operators and was deployed after access in at least one healthcare intrusion. Intel 471 also lists Rhysida among groups observed exploiting AnyDesk. The provided content highlights strong links between Rhysida and Interlock. IBM X-Force reported that both groups used the Supper backdoor, also known as SocksShell or WINDYTWIST, and found code and behavioral similarities across Supper, InterlockRAT, NodeSnake, JunkFiction, and ModeloRAT. Both groups were described as relying on trojanized software installers, fake Microsoft Teams download pages, traffic distribution systems, and ClickFix-style lures for initial access and payload delivery. IBM also noted post-compromise use of tools such as AZcopy, Advanced Port Scanner, and credential stealers. Another source in the content states the exact relationship between Interlock and Rhysida is unknown, while Cisco Talos previously assessed with low confidence that Interlock may have emerged from Rhysida operators or developers. Additional reporting in the content discusses a possible rebrand from Vice Society to Rhysida, but this is presented as analysis of a possible rebrand rather than a confirmed fact. The content also references Rhysida in broader ransomware ecosystem reporting, including use of traffic distribution services such as TAG-124 and mention in Microsoft reporting on Fox Tempest-enabled malware-signing activity.