Rhysida

Threat Actor Profile Updated 11 days ago
Rhysida, a ransomware-as-a-service (RaaS) group, emerged as a significant threat actor in May 2023. Initially targeting Windows, it later expanded its operations to Linux systems. The group is known for a distinct attack methodology that involves defense evasion, exfiltration of data for ransom, and destruction of servers to inhibit system recovery. Both the Windows and Linux versions of Rhysida's ransomware use AES and RSA for file encryption, with the ChaCha stream cipher used in the key generation process. The group has been involved in several high-profile attacks, including one on the British Library, where it demanded a ransom of approximately 20 bitcoins. In January, Rhysida launched a disruptive attack on the Ann & Robert H. Lurie Children's Hospital of Chicago, demanding a $3.4 million ransom for stolen data. The hospital refused to pay, and Rhysida then offered the compromised data for sale. As a result of the attack, nearly 800,000 patients, employees, and other individuals had their data compromised, which prompted the Health Sector Cybersecurity Coordination Center to issue an alert to the healthcare sector about the threat posed by Rhysida. Despite the security measures organizations have in place, Rhysida continues to gain entry by various methods, such as transferring ransomware over HTTP/S and emailing it as compressed attachments. As of a recent count by the dark web monitoring site DarkFeed, there have been 101 victims of Rhysida's attacks. Given these developments, organizations need robust cybersecurity measures in place to mitigate the risk posed by threat actors like Rhysida.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Vice Society (7 votes): Vice Society, a threat actor group known for its malicious activities, has been linked to a series of ransomware attacks targeting various sectors, most notably education and healthcare. Throughout 2022 and the first half of 2023, Vice Society, along with Royal Ransomware, were actively executing mu
Scatter Swine (1 vote): Scatter Swine, also known by multiple names such as 0ktapus, Scattered Spider, UNC3944, and Muddled Libra, is a threat actor group that has been active since early 2022. The group first came to light in August 2022 when they executed smishing attacks against over 100 organizations, including Twilio
Muddled Libra (1 vote): Muddled Libra is a notable threat actor known for its sophisticated use of cloud services, particularly Amazon Web Services (AWS) and Microsoft Azure, to execute cyberattacks. The group leverages legitimate cloud service provider (CSP) features to efficiently exfiltrate data. In AWS, Muddled Libra t
Rhysida-0.1 (1 vote): None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
RaaS
Malware
Lateral Move...
Extortion
Windows
Vulnerability
Encryption
Payload
Bitcoin
Data Leak
Phishing
Health
Exploit
Ransomware P...
Healthcare
Cybercrime
Medical
Github
Kaspersky
Fortiguard
Cobalt Strike
Encrypt
Spyware
Locker
Linux
Zero Day
Telegram
Apt
Vpn
t1021.004
t1003.003
t1070.001
CISA
British
Hse
Hospitals
Exploits
Kubernetes
Remote Code ...
Hospital
Firefox
Acrobat
T1657
Inhibit Syst...
netscaler
T1078
t1021.001
t1059.001
Esentire
Scam
T1587
t1070.004
t1564.003
Fortinet
Tool
Fbi
University
Ddos
Chrome
Government
Fraud
Sony
Skype
Antivirus
Backdoor
Moveit
Blackberry
Cisco
Infiltration
Lateral_move...
Botnet
RCE (Remote ...
Denial of Se...
Android
Associated Malware
Rhysida Ransomware (type: Unspecified, 11 votes): Rhysida Ransomware is a type of malware that has been causing significant disruptions globally. The malicious software, designed to exploit and damage computer systems, infiltrates through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can ste
Lockbit (type: Unspecified, 4 votes): LockBit is a type of malware, specifically ransomware, that infiltrates systems to steal data or disrupt operations, often demanding ransom in return for the release of the compromised data. Notable incidents include the LockBit ransomware gang claiming to have stolen and subsequently leaking data f
3am (type: Unspecified, 2 votes): 3AM is a new and sophisticated ransomware family that has emerged in the cyber threat landscape. This malware, designed to exploit and damage computer systems, infiltrates through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information
Clop (type: Unspecified, 2 votes): Clop is a notorious malware, short for malicious software, that is designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Clop can steal personal information, disrupt operations, or h
Systembc (type: Unspecified, 2 votes): SystemBC is a malicious software (malware) that has been used in various cyber attacks to exploit and damage computer systems. This malware was observed in 2023, being heavily used with BlackBasta and Quicksand. It has been deployed by teams using BlackBasta during their attacks. Play ransomware act
Blacksuit (type: Unspecified, 1 vote): BlackSuit is a malicious software (malware) that was introduced in May 2023, believed to be a rebranding of the Royal ransomware operation, which itself was a branch of the now-defunct Conti ransomware operation. Various sources have reported similarities in code between Royal and BlackSuit, further
Pegasus (type: Unspecified, 1 vote): Pegasus is a type of malware, or malicious software, designed by the NSO Group to exploit and damage devices without the user's knowledge. It has been used in several high-profile incidents, often delivered through zero-day vulnerabilities that were later fixed by Apple. Once installed on a device,
QakBot (type: Unspecified, 1 vote): Qakbot, also known as QBot, is a versatile piece of malware capable of executing several malicious activities such as brute-forcing, web injects, and loading other types of malware. It's often used to steal credentials and gather information, with the cybercriminal group Black Basta being one notabl
Akira (type: Unspecified, 1 vote): Akira is a notorious ransomware that has been wreaking havoc across various sectors. The malware, first reported by Sophos in December 2023, has demonstrated its ability to infiltrate systems and extract sensitive data. Its primary method of attack involves targeting systems without multi-factor aut
Phobos (type: Unspecified, 1 vote): Phobos is a type of malware, specifically ransomware, that can infiltrate a computer system or device through suspicious downloads, emails, or websites. Once installed, it can cause significant harm by stealing personal information, disrupting operations, or even holding data hostage for ransom. Its
Backmydata (type: Unspecified, 1 vote): Backmydata is a variant of the Phobos ransomware family, a malicious software (malware) designed to exploit and damage computer systems. It has been used in sophisticated cyber-attacks on healthcare entities, notably hospitals. The landscape of such attacks is evolving, with groups like RansomHouse,
Royal Ransomware (type: Unspecified, 1 vote): Royal Ransomware is a type of malware that has been causing significant disruptions in various sectors, particularly in the United States. Originating from the now-defunct Conti ransomware operation, Royal Ransomware was notorious for its multi-threaded encryption and ability to kill processes withi
Dev-0832 (type: Unspecified, 1 vote): Dev-0832 is a malicious software (malware) that has been observed in multiple compromises, notably impacting the US education sector. The malware infiltrates systems via suspicious downloads, emails, or websites, and once installed, it can steal personal information, disrupt operations, or hold data
Tac5279 (type: Unspecified, 1 vote): TAC5279 is a potent malware, designed to exploit and damage computer systems. This malicious software is known to infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, TAC5279 can steal personal information, disrupt operations, or
Vanilla Tempest (type: Unspecified, 1 vote): None
Werewolves (type: Unspecified, 1 vote): The Werewolves ransomware group has recently emerged as a significant threat in the cybercrime landscape. The group, known for its unusual targeting of Russian entities, employs a variant of the LockBit3 ransomware in its attacks. Since its inception, Werewolves has targeted 26 victims across variou
Cactus (type: Unspecified, 1 vote): Cactus is a type of malware, specifically ransomware, that has been implicated in several high-profile cyber-attacks. This malicious software infiltrates systems through deceptive methods such as suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Cactus c
Snatch (type: Unspecified, 1 vote): Snatch is a type of malware, specifically ransomware, known for its malicious activities. Ransomware is a harmful program designed to exploit and damage computer systems or devices. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once it gains
Karakurt (type: Unspecified, 1 vote): Karakurt is a notorious malware and data extortion group, previously affiliated with ITG23, known for its sophisticated tactics, techniques, and procedures (TTPs). The group's operations involve stealing sensitive data from compromised systems and demanding ransoms ranging from $25,000 to a staggeri
TrickBot (type: Unspecified, 1 vote): TrickBot is a form of malware, or malicious software, that infiltrates systems to exploit and damage them. It can enter your system via dubious downloads, emails, or websites, often without the user's knowledge. Once inside, TrickBot can steal personal information, disrupt operations, or even hold d
Hijackloader (type: Unspecified, 1 vote): HijackLoader is a new form of malware that has been rapidly gaining popularity within the cybercrime community. Malware, short for malicious software, is designed to exploit and damage computer systems or devices, often infiltrating them through suspicious downloads, emails, or websites without the
Associated Threat Actors
Alphv (type: Unspecified, 2 votes): AlphV, a notorious threat actor in the cybersecurity industry, has been responsible for numerous high-profile ransomware attacks. The group's activities include the theft of 5TB of data from Morrison Community Hospital and hacking Clarion, a global manufacturer of audio and video equipment for cars.
Medusa (type: Unspecified, 2 votes): Medusa, a threat actor group, has been identified as a rising menace in the cybersecurity landscape, with its ransomware activities escalating significantly. In November 2023, Medusa and other groups like LockBit and ALPHV (BlackCat) exploited a zero-day vulnerability known as Citrix Bleed (CVE-2023
Lapsus (type: Unspecified, 1 vote): Lapsus is a significant threat actor that has been active since its inception in early 2022. The group gained notoriety for its cyberattacks, including a high-profile breach of Nvidia, an American multinational technology company, in the same year. This attack led to the leak of thousands of passwor
Hunters International (type: Unspecified, 1 vote): Hunters International, a threat actor group in the cybersecurity realm, has recently gained notoriety for its malicious activities. The group is believed to have taken over Hive Ransomware, a notorious malware used for cyberattacks, after Hive's takedown in 2023. Despite disputes from Hunters Intern
Redfly (type: Unspecified, 1 vote): RedFly, a threat actor group known for its malicious activities, has emerged as a significant cybersecurity concern. The group's operations are characterized by their strategic execution and targeted focus, often resulting in substantial security breaches. Threat actors like RedFly pose a significan
Scattered Spider (type: Unspecified, 1 vote): Scattered Spider is a prominent threat actor group known for its malicious cyber activities. Their modus operandi includes searching SharePoint repositories for information, seeking to maintain persistence on targeted networks, and exfiltrating data for extortion purposes. The group primarily uses p
UNC3944 (type: Unspecified, 1 vote): UNC3944, also known as Scattered Spider and 0ktapus, is a financially motivated threat actor group that has been active since 2021. The group is known for its sophisticated cyberattacks, leveraging the Identity Provider (IDP) as initial access into an environment with the goal of stealing Intellectu
Bianlian (type: Unspecified, 1 vote): BianLian is a significant threat actor in the cybersecurity landscape, known for executing actions with malicious intent. Recently, they have been exploiting vulnerabilities in JetBrains TeamCity, leading to a series of ransomware attacks. These bugs in JetBrains TeamCity software have provided an e
Mogilevich (type: Unspecified, 1 vote): Mogilevich, a self-proclaimed "group dedicated to data extortion," emerged on February 20th and made claims of high-profile cyber attacks. Their alleged victims included Infiniti, Epic Games, DJI, and Shein. The group gained notoriety for their audacious claims of successful ransomware attacks, incl
Magicline4nx (type: Unspecified, 1 vote): Magicline4nx is a threat actor that has recently emerged as a significant cybersecurity concern. This entity, which could be an individual, a private company, or a part of a government organization, is responsible for executing actions with malicious intent. In the realm of cybersecurity, where nami
Peach Sandstorm (type: Unspecified, 1 vote): Peach Sandstorm, also known as Curious Serpens, APT33, Elfin, HOLMIUM, MAGNALIUM, and REFINED KITTEN, is a threat actor group believed to be linked to the Iranian nation-state. The group has been active since at least 2013 and has previously targeted sectors such as aerospace and energy for espionag
Anonymous Sudan (type: Unspecified, 1 vote): Anonymous Sudan, a threat actor group, has been responsible for several high-profile Distributed Denial of Service (DDoS) attacks. The group's activities have been notable for their political motivations and disruptive impact on targeted organizations. A DDoS attack overwhelms a network or service w
Charming Kitten (type: Unspecified, 1 vote): Charming Kitten, an Iranian Advanced Persistent Threat (APT) group also known as ITG18, Phosphorous, and TA453, is a notable threat actor in the cybersecurity landscape. The group has exhibited significant sophistication in its operations, leveraging advanced social engineering techniques to comprom
Associated Vulnerabilities
Assault (type: Unspecified, 2 votes): The term "assault" in this context refers to a variety of aggressive actions, ranging from cyber attacks to physical violence. One significant event occurred on October 7, 2023, when Hamas launched a coordinated cross-border assault on Israel, marking the official start of the Israel-Hamas War. This
Zerologon (type: Unspecified, 2 votes): Zerologon is a critical vulnerability (CVE-2020-1472) found within Microsoft's Netlogon Remote Protocol, impacting all versions of Windows Server OS from 2008 onwards. This flaw in software design or implementation allows attackers to bypass authentication mechanisms and change computer passwords wi
CVE-2020-1472 (type: Exploited, 2 votes): CVE-2020-1472, also known as the ZeroLogon vulnerability, is a critical-severity privilege escalation flaw in Microsoft's Netlogon Remote Protocol. It was patched by Microsoft on August 11, 2020. This vulnerability allows attackers to gain administrative access to a Windows domain controller without
Repojacking (type: Unspecified, 1 vote): Repojacking is a newly identified vulnerability that affects software repositories, specifically those hosted on GitHub. This flaw in software design or implementation allows unauthorized users to gain control of the repository, potentially leading to unauthorized changes, data theft, or other malic
Source Document References
Information about the Rhysida threat actor was read from the document corpus below. This display is limited to 20 results.
BankInfoSecurity, 6 days ago: What's the Best Strategy for Exploiting Flaws in Ransomware?
BankInfoSecurity, 11 days ago: Children's Hospital Notifies 800,000 of Data Theft in Attack
DARKReading, 19 days ago: Key Takeaways From the British Library Cyberattack
Securelist, 2 months ago: Kaspersky Anti-Ransomware Day report 2024
Malwarebytes, 3 months ago: 2024 State of Malware in Education report: Top 6 cyberthreats facing K-12 and Higher Ed | Malwarebytes
Malwarebytes, 4 months ago: 3 important lessons from a devastating ransomware attack | Malwarebytes
BankInfoSecurity, 4 months ago: Ransomware Groups: Trust Us. Uh, Don't.
CERT-EU, 4 months ago: GRIT Ransomware Report: February 2024 | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU, 4 months ago: The British Library looks to the future as it reveals the incalculable damage of its ransomware attack | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU, 4 months ago: WEF effort to disrupt cybercrime moves into operations phase
CERT-EU, 4 months ago: Ransomware attackers claim they sold Lurie Children's Hospital data for $3.4 million on dark web | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU, 4 months ago: Lurie Children's Hospital investigating if stolen data was sold online – NBC Chicago | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU, 4 months ago: Alert: FBI Warns Of BlackCat Ransomware Healthcare Attack
CERT-EU, 4 months ago: Third-Party Breach and Missing MFA Led to British Library Attack
CERT-EU, 4 months ago: British Library's legacy IT blamed for lengthy rebuild
CERT-EU, 4 months ago: All stolen Lurie Children's data claimed to be sold by Rhysida | #ransomware | #cybercrime | National Cyber Security Consulting
BankInfoSecurity, 4 months ago: EHRs Back at Kids' Hospital But Patient Portal Still Offline
CERT-EU, 4 months ago: Chicago's Lurie Children's Hospital Battles Back from Ransomware Siege | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU, 4 months ago: A vulnerability identified in the Rhysida ransomware (original title: Une vulnérabilité identifiée dans le rançongiciel Rhysida) | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU, 4 months ago: Ransomware group admits its Epic Games 'hack' was a hoax | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting