Rhysida
Rhysida is a ransomware family and associated ransomware-as-a-service (RaaS) operation first identified in May 2023. It is described as an emerging ransomware variant that both encrypts files and steals data, enabling double extortion: payment is demanded to restore systems and to prevent publication or sale of the exfiltrated data. Multiple cited sources state that affiliates use Rhysida malware and infrastructure in exchange for a share of ransom proceeds.
Observed targeting spans multiple sectors, with U.S. government reporting and other cited reporting linking Rhysida activity to education, healthcare, manufacturing, information technology, and government organizations. Reported and claimed victims include the British Library, Prospect Medical Holdings, Spindletop Center, MACT Health Board, Seattle-Tacoma International Airport, the Chilean Army, Martinique, and government institutions in Portugal, Chile, Kuwait, and the Dominican Republic. Reporting also notes repeated targeting of healthcare and critical infrastructure.
Initial access and deployment methods cited in the reporting include phishing campaigns, compromise of organizations' VPNs, exploitation of external-facing remote services, use of stolen valid credentials to access internal VPNs, and use of Cobalt Strike or similar frameworks. Reporting also states that Rhysida has often used Zerologon (CVE-2020-1472) in its attack chains. Talos assessed Rhysida as one of the ransomware groups with the broadest range of TTPs.
Behavior and tradecraft described in the reporting include file encryption, data theft, defacement of victim systems, traversal of files on local drives, and use of TOR-hosted victim communication portals. Rhysida ransom notes are described as PDF files, including notes titled "CriticalBreachDetected," containing a unique code and instructions to contact the operators through a TOR-based portal. The operators accept Bitcoin payments, and the victim portal includes guidance on purchasing Bitcoin. One report notes that some samples appeared to be in an early development stage and lacked features common in other ransomware, such as Volume Shadow Copy Service removal.
Reporting repeatedly links Rhysida to the Vice Society/Gold Victor ecosystem. Secureworks assessed that Rhysida likely emerged from the older Gold Victor criminal operation, which ran the Vice Society ransomware scheme, and other reporting discusses a possible Vice Society-to-Rhysida rebrand. Rhysida is also associated with threat actors including Vanilla Tempest, which has used Rhysida among several ransomware strains. Microsoft reporting further states that Fox Tempest's malware-signing service enabled deployment of Rhysida, including by Vanilla Tempest, and that signed malware associated with this ecosystem included Oyster, Lumma Stealer, and Vidar.
Notable indicators and artifacts cited in reporting include PDF ransom notes titled "CriticalBreachDetected," TOR/.onion negotiation portals, and Bitcoin-only ransom demands. In the British Library incident, Rhysida allegedly auctioned stolen data with a starting bid of 20 bitcoin and later published 573 GB of data. Additional examples cite ransom demands of 15 bitcoin and 8 bitcoin in healthcare incidents.
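The ransom-note title and .onion portal addresses above are the artifacts a responder can hunt for on a suspected host. The script below is an added example written for this page, not code from any vendor report or from the Rhysida operators: it walks a file tree, flags any file whose name contains "CriticalBreachDetected" (the reported note title), checks whether the file is actually a PDF, scans its raw bytes for Tor hidden-service hostnames, and rolls the hits up so that a note copied into many directories stands out as a sign of mass encryption. The sample tree, the placeholder .onion hostname and the byte-read limit are constructed for the demonstration; real PDF text streams are often Flate-compressed, so the .onion scan is best-effort and the filename plus PDF magic remain the primary signal.

```python
"""Hunt a file tree for Rhysida-style ransom-note artifacts.

Added example (not from any vendor report): flags files whose name contains
"CriticalBreachDetected", checks whether they are real PDFs, and scans their
bytes for .onion hostnames. Sample data below is constructed for the demo.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ransom-note title reported for this family; matched case-insensitively in filenames.
NOTE_NAME = re.compile(r"CriticalBreachDetected", re.IGNORECASE)
# v2 (16 chars) and v3 (56 chars) Tor hidden-service hostnames, base32 alphabet.
ONION_HOST = re.compile(rb"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
PDF_MAGIC = b"%PDF-"
MAX_READ = 1_000_000  # bytes inspected per file; ransom notes are small (assumed limit)


@dataclass
class Finding:
    path: str
    is_pdf: bool            # a matching note that is not a PDF is still suspicious
    onion_hosts: List[str]  # portal hostnames recovered from the raw bytes, if any


def inspect_file(path: str) -> Optional[Finding]:
    """Return a Finding if the filename matches the reported note title, else None."""
    if not NOTE_NAME.search(os.path.basename(path)):
        return None
    with open(path, "rb") as fh:
        data = fh.read(MAX_READ)
    hosts = sorted({m.decode("ascii", "replace").lower() for m in ONION_HOST.findall(data)})
    return Finding(path=path, is_pdf=data.startswith(PDF_MAGIC), onion_hosts=hosts)


def hunt_ransom_notes(root: str) -> List[Finding]:
    """Walk a tree and collect every file that looks like a dropped ransom note."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            finding = inspect_file(os.path.join(dirpath, name))
            if finding is not None:
                findings.append(finding)
    return sorted(findings, key=lambda f: f.path)


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Roll findings up: a note present in many directories indicates mass encryption."""
    hosts = sorted({h for f in findings for h in f.onion_hosts})
    return {
        "note_count": len(findings),
        "pdf_notes": sum(1 for f in findings if f.is_pdf),
        "directories_with_notes": len({os.path.dirname(f.path) for f in findings}),
        "onion_hosts": hosts,
    }


def build_sample_tree() -> str:
    """Create a constructed sample tree in a temp dir (stand-in data, not malware output)."""
    root = tempfile.mkdtemp(prefix="rhysida-hunt-")
    note = (b"%PDF-1.4\n% constructed stand-in for a ransom note body\n"
            b"Contact: http://constructedplaceholderonion.onion/\n")
    layout = {
        "docs/CriticalBreachDetected.pdf": note,
        "docs/sub/CriticalBreachDetected.pdf": note,
        "docs/criticalbreachdetected.txt": b"plain-text copy with no portal address\n",
        "docs/quarterly-report.pdf": b"%PDF-1.4\nbenign document\n",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for f in hunt_ransom_notes(sample_root):
        print(f"{f.path}  pdf={f.is_pdf}  onion={f.onion_hosts}")
    print(summarize(hunt_ransom_notes(sample_root)))
```

Run it against a mounted image or a live host's data volumes by passing the mount point to `hunt_ransom_notes`; the `directories_with_notes` count is the figure worth triaging first, since a single stray file is noise while hundreds of directories carrying the same note mean the encryptor has already run.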
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories.
An advisory note from the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) last week said the malware, first identified in May 2023, is offered as ransomware as a service to criminal groups, which then share profits with the ransomware owners. Criminals typically gain access to infected computer systems by using known vulnerabilities, such as ZeroLogon.
Groups observed using it
11 distinct threat actors attributed by public researchers.
The Rhysida and Interlock groups, which are known to attack healthcare and other critical infrastructure, have similar TTPs and encryption binaries, leading to some speculation of a connection between the two groups.
Vice Society was observed deploying INC ransomware against the health care industry; this group has a long-standing habit of cycling through third-party payloads such as BlackCat, Rhysida, Hello Kitty, Zeppelin, and Quantum Locker.
US government agencies released an advisory note on Rhysida last week, stating that the “emerging ransomware variant” had been deployed against the education, manufacturing, IT and government sectors since May.
Associated malware includes Rhysida ransomware, Lumma Stealer, Vidar infostealer, and the Oyster (Broomstick) backdoor.
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (3 techniques)
Attackers then distributed the signed malware through tactics such as search manipulation and malicious ads, where users are more likely to trust what they encounter.
Further analysis revealed that Fox Tempest expanded its offerings earlier this year by providing customers with pre-configured virtual machines hosted through Cloudzy infrastructure. Users could upload malware to these systems and receive digitally signed binaries generated through certificates controlled by the group.
Initial Access (4 techniques)
Attackers have also compromised credentials to access virtual private networks (VPNs), particularly where organisations have failed to enable two-factor authentication by default.
Execution (1 technique)
Persistence (2 techniques)
Privilege Escalation (2 techniques)
Stealth (3 techniques)
The signed files often impersonated trusted software brands such as Microsoft Teams, AnyDesk, PuTTY, and Webex, making them appear more credible to potential victims.
Defense Impairment (1 technique)
Microsoft has announced the disruption of a large-scale malware-signing-as-a-service (MSaaS) operation that exploited its Azure Artifact Signing platform to generate fraudulent code-signing certificates... The group allegedly abused Microsoft's Artifact Signing service to create short-lived digital certificates that allowed malware to appear legitimate to both users and operating systems.
Lateral Movement (1 technique)
Collection (1 technique)
Exfiltration (4 techniques)
Rhysida said it stole the personal records of 100,000 people. To prove its claim, the ransomware group posted sample images of what it says are documents stolen from Spindletop.
The library confirmed that personal data stolen in a cyber-attack last month has appeared for sale online.
Impact (2 techniques)
The Black Basta group discovered that they had not encrypted the Ascension Healthcare data correctly due to a crypt error and decided to share the decryption key to avoid potential political sanctions and retaliation from US law enforcement against their infrastructure.
IOCs tracked for this family
30 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
86 sources tracked across advisories, community write-ups, and news.
Named ransomware family referenced as one of the third-party payloads used by Vice Society.
Ransomware deployed via Fox Tempest's malware-signing-as-a-service operation; signed binaries helped it masquerade as legitimate software and evade security controls.
Ransomware payload whose malicious files were signed via the Fox Tempest service to appear legitimate and evade security controls.
A ransomware family explicitly linked to Fox Tempest-signed malware and real-world intrusions.